I've attached the reproduction of the crash in a duplicate bug. At first glance, this appears to be a NULL-offset, but since it's so large, it's unclear if there is arbitrary control over the destination of the %al byte being written.
SegvAnalysis:
 Segfault happened at: 0x7f2131398308: mov %al,(%rcx)
 PC (0x7f2131398308) ok
 source "%al" ok
 destination "(%rcx)" (0x008effff) not located in a known VMA region (needed writable region)!

** Summary changed:

- PSP tiff exploit crashes libtiff4
+ tiff2ps crashed with SIGSEGV in TIFFReadScanline()

-- 
tiff2ps crashed with SIGSEGV in TIFFReadScanline()
https://bugs.launchpad.net/bugs/380149

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
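As an added triage example (not part of the bug report, of libtiff, or of apport), the following Python parses an apport SegvAnalysis block like the one quoted above and applies the NULL-offset heuristic the comment is weighing: a store whose faulting address sits inside page 0 is almost certainly a field access through a NULL struct pointer (denial of service only), while a faulting address several megabytes above 0 means either a stale non-NULL pointer or a NULL base plus a computed index, which is the case that has to be checked for attacker influence. The 4 KiB page size, the 0x10000 vm.mmap_min_addr default and the second, small-offset sample are assumptions constructed for the demonstration.

```python
"""Triage apport SegvAnalysis output: is this a NULL-offset write or a possibly controlled one?"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the SegvAnalysis block from the bug comment above.
SAMPLE = """\
Segfault happened at: 0x7f2131398308: mov %al,(%rcx)
PC (0x7f2131398308) ok
source "%al" ok
destination "(%rcx)" (0x008effff) not located in a known VMA region (needed writable region)!
"""

# Constructed second sample (assumption, not from the report): a classic NULL struct-field store.
SMALL_SAMPLE = """\
Segfault happened at: 0x400b2c: mov %eax,0x18(%rdx)
PC (0x400b2c) ok
source "%eax" ok
destination "0x18(%rdx)" (0x00000018) not located in a known VMA region (needed writable region)!
"""

PAGE_SIZE = 4096          # assumption: 4 KiB pages, so page 0 spans 0x0-0xfff
MMAP_MIN_ADDR = 0x10000   # assumption: Linux vm.mmap_min_addr default (64 KiB)
BYTE_REGS = {"%al", "%bl", "%cl", "%dl", "%sil", "%dil", "%r8b", "%r9b",
             "%r10b", "%r11b", "%r12b", "%r13b", "%r14b", "%r15b"}

INSN_RE = re.compile(r"Segfault happened at: (0x[0-9a-fA-F]+): (.+)")
SRC_RE = re.compile(r'source "([^"]*)"')
DEST_RE = re.compile(r'destination "([^"]*)"(?: \((0x[0-9a-fA-F]+)\))?(.*)')


@dataclass
class Fault:
    pc: int
    insn: str
    source: str
    dest_expr: str
    dest_addr: Optional[int]   # None if apport could not resolve the operand
    dest_unmapped_write: bool  # destination line reports "needed writable region"


def parse(text: str) -> Fault:
    """Pull the faulting instruction, operands and resolved destination out of the block."""
    pc = insn = source = dest_expr = None
    dest_addr = None
    unmapped_write = False
    for line in text.splitlines():
        m = INSN_RE.search(line)
        if m:
            pc, insn = int(m.group(1), 16), m.group(2).strip()
            continue
        m = SRC_RE.search(line)
        if m:
            source = m.group(1)
            continue
        m = DEST_RE.search(line)
        if m:
            dest_expr = m.group(1)
            dest_addr = int(m.group(2), 16) if m.group(2) else None
            unmapped_write = "needed writable region" in m.group(3)
    if pc is None or source is None or dest_expr is None:
        raise ValueError("not a complete SegvAnalysis block")
    return Fault(pc, insn, source, dest_expr, dest_addr, unmapped_write)


def classify(f: Fault) -> str:
    """Rank the write by its distance from address 0, the NULL-offset heuristic."""
    if not f.dest_unmapped_write:
        return "destination was mapped or unresolved; the fault is not an unmapped write"
    if f.dest_addr is None:
        return "apport did not resolve the destination address; read the register dump"
    width = "byte" if f.source in BYTE_REGS else "word"
    a = f.dest_addr
    if a < PAGE_SIZE:
        return (f"NULL dereference, {width} store at offset {a:#x} inside page 0: "
                "looks like a field access through a NULL struct pointer; DoS only")
    if a < MMAP_MIN_ADDR:
        return (f"NULL base plus {a:#x}, {width} store: still below vm.mmap_min_addr "
                "(unmappable by unprivileged code) but too large for a field offset; "
                "check whether it is a computed index")
    return (f"{width} store to {a:#x} ({a // (1 << 20)} MiB above 0): either a stale "
            "non-NULL pointer or NULL plus an attacker-influenced index; if the index "
            "derives from file fields this may be a controlled write rather than a NULL-offset")


if __name__ == "__main__":
    for block in (SAMPLE, SMALL_SAMPLE):
        fault = parse(block)
        print(f"{fault.insn!r} -> {classify(fault)}")
```

The classification is only a first cut: a large faulting address tells you to go and find where the pointer or index came from, not that the write is controlled. For the report above that means reading the scanline-offset arithmetic that feeds the store, which the comment correctly leaves open.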
