libtiff issue #423 (Closed)
Issue created May 22, 2022 by sheng peng@anthonyps

tiffcrop: double free or corruption in rotateImage() at tiffcrop.c:8839

Summary

There is a double free or corruption in rotateImage() at tiffcrop.c:8839

8839: _TIFFfree(ibuff);

Version

root@peng:~/libtiff-v4.4.0rc1# tools/.libs/tiffcrop -v
Library Release: LIBTIFF, Version 4.4.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.5, last updated: 02-09-2022

Steps to reproduce

./autogen.sh
./configure
make -j
root@peng:~/libtiff-v4.4.0rc1# gdb --args tools/.libs/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i poc2 /tmp/foo
TIFFReadDirectory: Warning, Unknown field with tag 5467 (0x155b) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 5632"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 2" value failed; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
TIFFFetchNormalTag: Warning, incorrect count for field "YCbCrSubsampling", expected 2, got 335544322.
TIFFReadDirectory: Warning, Wrong "StripByteCounts" field, ignoring and calculating from imagelength.
double free or corruption (!prev)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff77a17f1 in __GI_abort () at abort.c:79
#2  0x00007ffff77ea837 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7917a7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff77f18ba in malloc_printerr (str=str@entry=0x7ffff79197a8 "double free or corruption (!prev)") at malloc.c:5342
#4  0x00007ffff77f8e5c in _int_free (have_lock=0, p=0x5555557706d0, av=0x7ffff7b4cc40 <main_arena>) at malloc.c:4311
#5  __GI___libc_free (mem=0x5555557706e0) at malloc.c:3134
#6  0x000055555555be61 in rotateImage (rotation=<optimized out>, image=<optimized out>, img_width=0x7fffffff8b88, img_length=0x7fffffff8b8c, ibuff_ptr=0x7fffffff88c0) at tiffcrop.c:8839
#7  0x00005555555568f6 in processCropSelections (read_buff_ptr=0x7fffffff8890, seg_buffs=0x7fffffff8950, crop=0x7fffffff8b50, image=0x7fffffff88a0) at tiffcrop.c:7671
#8  main (argc=<optimized out>, argv=0x7fffffffe348) at tiffcrop.c:2415

Platform

uname -a
Linux peng 5.4.0-42-generic 18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

poc2
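The backtrace shows rotateImage() calling free() on a buffer it received through ibuff_ptr, a pointer-to-pointer, while glibc reports that the chunk was already freed or its heap metadata was corrupted. The report does not say which other free(), or which earlier out-of-bounds write, pairs with line 8839, so nothing below reconstructs the libtiff bug. It is an added example, not libtiff's rotateImage(), showing the buffer-handoff contract that a signature of this shape implies: the callee frees the caller's buffer exactly once, installs the replacement through the double pointer and swaps the dimensions, so the caller still owns exactly one live buffer and frees it once. Breaking either side of that contract is what produces this abort. The function names, the 3x2 8-bit grayscale sample and the clockwise-90 mapping are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rotate helper (not libtiff code) with the same calling shape as
 * the rotateImage() frame in the backtrace: width, length and buffer pointer
 * are all passed by address.
 * Contract: on success the caller's buffer is freed HERE, *ibuff_ptr points at
 * the rotated replacement and width/length are swapped; on failure nothing is
 * freed or modified, so the caller's existing cleanup path stays valid. */
static int rotate90_cw(uint32_t *img_width, uint32_t *img_length,
                       unsigned char **ibuff_ptr)
{
    if (img_width == NULL || img_length == NULL ||
        ibuff_ptr == NULL || *ibuff_ptr == NULL)
        return -1;

    uint32_t w = *img_width;
    uint32_t l = *img_length;
    if (w == 0 || l == 0 || w > SIZE_MAX / l)   /* reject empty and overflowing sizes */
        return -1;

    size_t n = (size_t)w * l;
    unsigned char *src = *ibuff_ptr;
    unsigned char *dst = malloc(n);
    if (dst == NULL)
        return -1;                              /* failure: caller still owns src */

    /* Clockwise 90 degrees: source pixel (x, y) lands at column l-1-y, row x
     * of an image that is l pixels wide and w pixels tall. */
    for (uint32_t y = 0; y < l; y++)
        for (uint32_t x = 0; x < w; x++)
            dst[(size_t)x * l + (l - 1 - y)] = src[(size_t)y * w + x];

    free(src);              /* the only free of the old buffer */
    *ibuff_ptr = dst;       /* hand the replacement back through the double pointer */
    *img_width = l;
    *img_length = w;
    return 0;
}

/* Caller pattern: never cache the buffer pointer across the call, and free
 * whatever *ibuff_ptr holds afterwards, exactly once.
 * Returns 1 if the rotated pixels and dimensions are as expected, else 0. */
static int demo_rotate_once(void)
{
    /* Constructed 3x2 sample:  a b c      expected 2x3 result:  d a
     *                          d e f                            e b
     *                                                           f c  */
    static const unsigned char sample[6]   = { 'a', 'b', 'c', 'd', 'e', 'f' };
    static const unsigned char expected[6] = { 'd', 'a', 'e', 'b', 'f', 'c' };

    uint32_t w = 3, l = 2;
    unsigned char *ibuff = malloc(sizeof sample);
    if (ibuff == NULL)
        return 0;
    memcpy(ibuff, sample, sizeof sample);

    if (rotate90_cw(&w, &l, &ibuff) != 0) {
        free(ibuff);        /* failure path: the original buffer is still ours */
        return 0;
    }
    int ok = (w == 2 && l == 3 && memcmp(ibuff, expected, sizeof expected) == 0);
    free(ibuff);            /* success path: free the replacement, once */
    return ok;
}

/* Four quarter turns must reproduce the input; every intermediate buffer is
 * freed inside the helper and only the final one here.  Run under
 * -fsanitize=address to have any double free or leak reported precisely. */
static int demo_rotate_full_circle(void)
{
    static const unsigned char sample[6] = { 'a', 'b', 'c', 'd', 'e', 'f' };
    uint32_t w = 3, l = 2;
    unsigned char *ibuff = malloc(sizeof sample);
    if (ibuff == NULL)
        return 0;
    memcpy(ibuff, sample, sizeof sample);
    for (int i = 0; i < 4; i++) {
        if (rotate90_cw(&w, &l, &ibuff) != 0) {
            free(ibuff);
            return 0;
        }
    }
    int ok = (w == 3 && l == 2 && memcmp(ibuff, sample, sizeof sample) == 0);
    free(ibuff);
    return ok;
}

int main(void)
{
    printf("rotate once: %s\n", demo_rotate_once() ? "ok" : "FAIL");
    printf("full circle: %s\n", demo_rotate_full_circle() ? "ok" : "FAIL");
    return 0;
}
```

Compile with `cc -fsanitize=address -g` to get a precise allocation/free history instead of glibc's "double free or corruption" message; the same flags applied to the libtiff build (`./configure CFLAGS="-fsanitize=address -g"`) turn the abort in the report into a report naming both free sites.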
