2010.06.23 12:11 "[Tiff] Use of uninitialised value in tiled jpeg tiff", by John
I noticed a small problem in libtiff-3.9.2 with tiled jpeg images. If the image to be written is smaller than a tile, the jpeg compressor appears to read beyond the end of the available data.
$ tiffinfo tiny.tif
TIFF Directory at offset 0x9008 (36872)
Image Width: 128 Image Length: 96
Resolution: 1.25, 1.25 pixels/cm
Compression Scheme: None
Photometric Interpretation: RGB color
Orientation: row 0 top, col 0 lhs
Planar Configuration: single image plane
$ valgrind tiffcp -t -c jpeg tiny.tif test.tif
==2872== Use of uninitialised value of size 8
==2872== at 0x50987B8: rgb_ycc_convert (jccolor.c:159)
==2872== by 0x50977B3: pre_process_data (jcprepct.c:145)
==2872== by 0x509730D: process_data_simple_main (jcmainct.c:122)
==2872== by 0x5093F1B: jpeg_write_scanlines (jcapistd.c:108)
==2872== by 0x4E4EE0B: ??? (in /usr/lib/libtiff.so.4.3.2)
==2872== by 0x4E4EE9B: ??? (in /usr/lib/libtiff.so.4.3.2)
==2872== by 0x4E66111: TIFFWriteEncodedTile (in /usr/lib/libtiff.so.4.3.2)
==2872== by 0x40508B: ??? (in /usr/bin/tiffcp)
==2872== by 0x4041AD: ??? (in /usr/bin/tiffcp)
==2872== by 0x404420: ??? (in /usr/bin/tiffcp)
==2872== by 0x40340D: ??? (in /usr/bin/tiffcp)
==2872== by 0x576CC4C: (below main) (libc-start.c:226)
... and 3 more similar errors... snip...
==2872== ERROR SUMMARY: 212992 errors from 4 contexts (suppressed: 4 from 4)
If you calculate 4 * (256 * 256 - 128 * 96) you get 212992, the number of reported errors, so it looks like it is jpeg-compressing the whole 256 x 256 tile, even though there are only 128 x 96 actual pixels.
Interestingly, it works fine if the source image is larger than a tile and not a multiple of the tile size. In other words, fractional tiles at image edges are handled correctly.
I imagine this is not a security problem, though I'm not an expert, to say the least, but I thought the list might be interested.
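A small model of the tile arithmetic in the report, added here as an illustration (it is not libtiff code and does not touch any TIFF file): it enumerates the tile grid, clamps each tile's valid region at the image edges, and reproduces the 212992 count for the 128 x 96 image inside a 256 x 256 tile. The per-pixel factor of 4 is the one used in the post; the rule that only an image fitting inside a single tile is encoded at full tile size is an assumption taken from the poster's two observations.

```python
# Constructed model of the tile-encoding arithmetic described in the post.
# Not libtiff code: it only reasons about sizes.

def tile_regions(image_w, image_h, tile_w, tile_h):
    """Yield (x0, y0, valid_w, valid_h) for each tile in the grid, clamping
    the valid region at the right and bottom image edges (the handling the
    poster observes for fractional edge tiles)."""
    for y0 in range(0, image_h, tile_h):
        for x0 in range(0, image_w, tile_w):
            yield x0, y0, min(tile_w, image_w - x0), min(tile_h, image_h - y0)


def padding_bytes(image_w, image_h, tile_w, tile_h, per_pixel, clamp_edges):
    """Bytes the compressor would read beyond real pixel data if every tile
    were encoded at full tile size (clamp_edges=False); 0 when the valid
    region of each tile is clamped."""
    if clamp_edges:
        return 0
    return sum(per_pixel * (tile_w * tile_h - vw * vh)
               for _x0, _y0, vw, vh in tile_regions(image_w, image_h, tile_w, tile_h))


def fits_in_one_tile(image_w, image_h, tile_w, tile_h):
    """The configuration the report is about: the whole image lies inside a
    single tile, so there is no 'fractional edge tile' path to clamp it."""
    return image_w <= tile_w and image_h <= tile_h


def reported_behaviour(image_w, image_h, tile_w, tile_h, per_pixel=4):
    """Assumed rule from the two observations in the post: edge tiles are
    clamped when the image spans more than one tile, but an image that fits
    inside one tile is compressed at full tile size."""
    clamp = not fits_in_one_tile(image_w, image_h, tile_w, tile_h)
    return padding_bytes(image_w, image_h, tile_w, tile_h, per_pixel, clamp)


if __name__ == "__main__":
    # The case in the report: 4 * (256*256 - 128*96) == 212992 valgrind errors.
    print(reported_behaviour(128, 96, 256, 256))
    # Larger than a tile with fractional edge tiles: clamped, so nothing over-read.
    print(reported_behaviour(300, 200, 256, 256))
```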