library: libtiff
file: tif_jpeg.c
function: JPEGPreDecode
problem: Tiled TIFF images compressed using JPEG can't be decoded

Code:

    /*
     * Check image parameters and set decompression parameters.
     */
    segment_width = td->td_imagewidth;
    segment_height = td->td_imagelength - tif->tif_row;
    if (isTiled(tif)) {
        if (segment_height > td->td_tilelength)
            segment_height = td->td_tilelength;
        sp->bytesperline = TIFFTileRowSize(tif);
    } else {

The above code is incorrect, since segment_width and segment_height will always be equal to the tile width and height (all tiles are of the same size; padded if required). A check later comparing decoded image width and height against segment_width and segment_height fails.

The code should probably be:

    /*
     * Check image parameters and set decompression parameters.
     */
    segment_width = td->td_imagewidth;
    segment_height = td->td_imagelength - tif->tif_row;
    if (isTiled(tif)) {
        segment_height = td->td_tilelength;
        segment_width = td->td_tilewidth;
        sp->bytesperline = TIFFTileRowSize(tif);
    } else {

Reproducible: Always
Steps to Reproduce:
Did you send this upstream? Is this fixed in an upstream release?
Nice catch Robin. This has been fixed in 3.6.0.

From the changelog:

    libtiff/tif_jpeg.c: modified segment_height calculation to always be a full height tile for tiled images.

tif_jpeg.c:

    segment_width = td->td_imagewidth;
    segment_height = td->td_imagelength - tif->tif_row;
    if (isTiled(tif)) {
        segment_width = td->td_tilewidth;
        segment_height = td->td_tilelength;
        sp->bytesperline = TIFFTileRowSize(tif);
    } else {
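Added example (not part of the thread and not libtiff code): a small model of the two segment-size calculations quoted above, counting the tile rows where the expected size differs from a full padded tile. The struct, the function names and the sample dimensions are hypothetical, and it assumes `row` is the first image row of the tile being decoded.

```c
#include <stdio.h>
#include <stdint.h>

/* Simplified stand-ins for the TIFFDirectory fields quoted in the thread. */
struct dir {
    uint32_t imagewidth, imagelength;   /* td_imagewidth, td_imagelength */
    uint32_t tilewidth, tilelength;     /* td_tilewidth, td_tilelength */
};
struct seg { uint32_t width, height; };

/* Segment size as computed by the code in the original report. */
static struct seg segment_reported(const struct dir *td, uint32_t row)
{
    struct seg s = { td->imagewidth, td->imagelength - row };
    if (s.height > td->tilelength)
        s.height = td->tilelength;
    return s;
}

/* Segment size as computed by the 3.6.0 code quoted in the thread. */
static struct seg segment_fixed(const struct dir *td, uint32_t row)
{
    struct seg s = { td->tilewidth, td->tilelength };
    (void)row;                          /* tiles are always full size */
    return s;
}

/* Count tile rows whose expected segment size differs from the JPEG frame.
 * Assumption: every tile's JPEG frame is a padded tilewidth x tilelength. */
static unsigned mismatched_rows(const struct dir *td,
                                struct seg (*calc)(const struct dir *, uint32_t))
{
    unsigned bad = 0;
    for (uint32_t row = 0; row < td->imagelength; row += td->tilelength) {
        struct seg s = calc(td, row);
        if (s.width != td->tilewidth || s.height != td->tilelength)
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: 1000x600 image, 256x256 tiles (3 tile rows). */
    struct dir td = { 1000, 600, 256, 256 };
    printf("reported: %u bad rows\n", mismatched_rows(&td, segment_reported));
    printf("3.6.0:    %u bad rows\n", mismatched_rows(&td, segment_fixed));
    return 0;
}
```

With an image exactly one tile wide, only the last, partially filled tile row mismatches under the reported code, which isolates the height half of the bug.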
A.
    display: /mnt/debian/daten/team/fax/fax00026.tif: cannot handle zero tile size..

B.
    tiffsplit /mnt/debian/daten/team/fax/fax00083.tif test
    /mnt/debian/daten/team/fax/fax00083.tif: Integer overflow in TIFFVTileSize.
    TIFFReadDirectory: /mnt/debian/daten/team/fax/fax00083.tif: cannot handle zero tile size.

I don't think it's resolved.

C. See this from http://www.email-lists.org/pipermail/ptx/2004-November.txt =>>

"I use debian sarge/sid and gimp 2.05, libgimp-perl 2.0.dfsg-3 (perl server enabled) and libtiff4 from unstable with a patch because of the "Integer overflow in TIFFVTileSize" bug in libtiff4 3.6.1-2 from unstable."

http://bugs.debian.org/cgi-bin/bugreport.cgi/tiff_3.6.1-2-to-3.patch?bug=276783&msg=43&att=1

As it did work before, I combine #48077, and I think we need a patch like the one mentioned above from the Debianers.