2016.11.09 23:39 "Re: [Tiff] comment about bug 2591", by Even Rouault
On Wednesday 09 November 2016 18:25:43, Henri Salo wrote:
> Can't reproduce this case with the latest codebase:
> http://bugzilla.maptools.org/show_bug.cgi?id=2591
Me too, but I cannot either reproduce with stock 4.0.6...
There are large memory allocations (800 MB + 1.2 GB), but they occur after the reported crash.
The reported crash is a SEGV on unknown address 0x000000000000 in TIFFVGetFieldDefaulted() on
    TIFFPredictorState* sp = (TIFFPredictorState*) tif->tif_data;
    *va_arg(ap, uint16*) = (uint16) sp->predictor;
So it would seem that tif->tif_data is NULL.
tif->tif_data is allocated in TIFFInitZIP() in tif_zip.c:
    tif->tif_data = (uint8*) _TIFFmalloc(sizeof (ZIPState));
    if (tif->tif_data == NULL)
        goto bad;
I've simulated a failed malloc(), but that causes a very early return in the utility, so that's not the cause.
So this bug is a mystery.
--
Spatialys - Geospatial professional services
http://www.spatialys.com
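The two code paths discussed in the message, as an added stand-alone model (not libtiff's code and not part of the thread): a malloc fault-injection hook reproduces the "simulated a failed malloc()" experiment, and the predictor read is given the NULL check on tif_data that the crashing statement lacks. All type, function and variable names prefixed model_ are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the structures named in the thread:
 * tif->tif_data holds the per-codec state (ZIPState / TIFFPredictorState). */
typedef struct { uint16_t predictor; } TIFFPredictorState;
typedef struct { uint8_t *tif_data; } TIFF;

/* Fault-injection hook standing in for _TIFFmalloc(): when the flag is set,
 * the next allocation fails once, so the "goto bad" path can be exercised. */
static int fail_next_malloc = 0;
static void *model_TIFFmalloc(size_t n) {
    if (fail_next_malloc) { fail_next_malloc = 0; return NULL; }
    return malloc(n);
}

/* Mirrors the TIFFInitZIP() allocation: returns 1 on success, 0 when the
 * allocation fails, in which case tif_data stays NULL (as in the crash). */
int model_TIFFInitZIP(TIFF *tif) {
    tif->tif_data = (uint8_t *) model_TIFFmalloc(sizeof(TIFFPredictorState));
    if (tif->tif_data == NULL)
        return 0;                           /* the "goto bad" path */
    memset(tif->tif_data, 0, sizeof(TIFFPredictorState));
    ((TIFFPredictorState *) tif->tif_data)->predictor = 1; /* PREDICTOR_NONE */
    return 1;
}

/* Hardened form of the crashing statement
 *   *va_arg(ap, uint16*) = (uint16) sp->predictor;
 * with a plain out-pointer instead of va_arg. A NULL tif_data now yields a
 * failure code instead of the SEGV on address 0 reported in the bug. */
int model_GetPredictor(const TIFF *tif, uint16_t *out) {
    const TIFFPredictorState *sp = (const TIFFPredictorState *) tif->tif_data;
    if (sp == NULL)
        return 0;                           /* codec state never initialised */
    *out = sp->predictor;
    return 1;
}

void model_TIFFCleanup(TIFF *tif) {
    free(tif->tif_data);
    tif->tif_data = NULL;
}
```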