Description of problem:
Originally reported by Sauli Pahlman in Launchpad:
https://bugs.launchpad.net/bugs/589145
The attached TIFF file triggers a NULL pointer dereference in the OJPEG handling code.
Version-Release number of selected component (if applicable):
libtiff-3.9.2-3.el6.i686
Steps to Reproduce:
tiff2rgba lp589145-sample.tif /dev/null
Additional info:
Program received signal SIGSEGV, Segmentation fault.
0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
1912 sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];
(gdb) print sp->tif->tif_dir.td_stripoffset
$1 = (toff_t *) 0x0
(gdb) bt
#0 0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
#1 0x00963327 in OJPEGReadBytePeek (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1956
#2 OJPEGReadHeaderInfoSec (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1231
#3 0x00964319 in OJPEGSubsamplingCorrect (tif=0x804c548) at tif_ojpeg.c:959
#4 0x00964586 in OJPEGVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>) at tif_ojpeg.c:466
#5 0x00942fbb in TIFFVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>) at tif_dir.c:966
#6 0x00943a1c in TIFFGetField (tif=<value optimized out>, tag=<value optimized out>) at tif_dir.c:950
#7 0x00970204 in TIFFScanlineSize (tif=<value optimized out>) at tif_strip.c:237
#8 0x0094876b in TIFFReadDirectory (tif=<value optimized out>) at tif_dirread.c:713
#9 0x0096670c in TIFFClientOpen (name=<value optimized out>, mode=<value optimized out>, clientdata=<value optimized out>, readproc=<value optimized out>, writeproc=<value optimized out>, seekproc=<value optimized out>, closeproc=<value optimized out>, sizeproc=<value optimized out>, mapproc=<value optimized out>, unmapproc=<value optimized out>) at tif_open.c:436
#10 0x009714c3 in TIFFFdOpen (fd=<value optimized out>, name=<value optimized out>, mode=<value optimized out>) at tif_unix.c:139
#11 0x0097154d in TIFFOpen (name=<value optimized out>, mode=<value optimized out>) at tif_unix.c:178
#12 0x08048d24 in main (argc=<value optimized out>, argv=<value optimized out>) at tiff2rgba.c:112
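The gdb session shows td_stripoffset is a NULL table at the moment OJPEGReadBufferFill indexes it. As an added illustration (not libtiff's own code or the reporter's; the struct types are simplified stand-ins for the libtiff fields named in the trace), here is the same statement with the validation that is absent at the crash site, so a file with no usable StripOffsets table is rejected instead of faulting:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the libtiff fields involved in the crash
 * (hypothetical types, not libtiff's own). td_stripoffset stays NULL
 * when the directory carries no usable StripOffsets table. */
typedef uint32_t toff_t;
typedef struct { toff_t *td_stripoffset; uint32_t td_nstrips; } TIFFDirectory;
typedef struct { TIFFDirectory tif_dir; } TIFF;
typedef struct {
    TIFF *tif;
    uint32_t in_buffer_next_strile;   /* strip/tile whose data is wanted */
    toff_t in_buffer_file_pos;        /* file offset to read from next */
} OJPEGState;

/* Hardened form of the statement at tif_ojpeg.c:1912: validate the
 * table and the strile index before indexing, and report failure so the
 * caller can abort decoding of a malformed file.
 * Returns 1 on success, 0 on a missing table or out-of-range index. */
int buffer_fill_checked(OJPEGState *sp)
{
    const TIFFDirectory *td = &sp->tif->tif_dir;
    if (td->td_stripoffset == NULL || sp->in_buffer_next_strile >= td->td_nstrips) {
        fprintf(stderr, "OJPEGReadBufferFill: StripOffsets missing or too short\n");
        return 0;
    }
    sp->in_buffer_file_pos = td->td_stripoffset[sp->in_buffer_next_strile];
    return 1;
}

/* Constructed sample directories: one with a two-entry table, one without
 * (the latter is the shape the sample file produces). */
static toff_t sample_offsets[2] = { 8, 4096 };
static TIFF tif_with_table = { { sample_offsets, 2 } };
static TIFF tif_no_table = { { NULL, 0 } };

int main(void)
{
    OJPEGState ok = { &tif_with_table, 1, 0 };
    OJPEGState bad = { &tif_no_table, 0, 0 };
    printf("with table: %d (pos %u)\n", buffer_fill_checked(&ok),
           (unsigned)ok.in_buffer_file_pos);
    printf("no table:   %d\n", buffer_fill_checked(&bad));
    return 0;
}
```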