10000 tiff: add thread-safe warning/error handlers, requires libtiff 4.5.0+ by lovell · Pull Request #4313 · libvips/libvips · GitHub
[go: up one dir, main page]
Skip to content

tiff: add thread-safe warning/error handlers, requires libtiff 4.5.0+ #4313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 11, 2024
Merged

tiff: add thread-safe warning/error handlers, requires libtiff 4.5.0+ #4313

merged 1 commit into from
Dec 11, 2024

Conversation

lovell
Copy link
Member
@lovell lovell commented Dec 8, 2024
edited
Loading

Adds a compile-time test for libtiff OpenOptions feature, when present sets the use of new, re-entrant error and warning handlers.

Defining these (and having them return 1) prevents the default behaviour of libtiff to call global, not thread-safe handlers shared between all users.

The handlers also support user data, so tiffload can now start to respect the fail_on option. Homebrew currently provides libtiff 4.7.0 so we can test for this on macOS.

I also investigated the various new memory limit safety features of OpenOptions discussed in #3892 but these only cover libtiff allocations e.g. parsing headers, and exclude allocations in its dependencies. Newer versions of libtiff already introduce more sanity checks around these anyway so the example from https://issues.oss-fuzz.com/issues/42531230 no longer fails.

This PR targets the 8.16 branch as it fixes a long-standing potential thread-safety issue with libtiff. I guess this might be considered a breaking change only if someone is currently setting fail_on=warning but expecting it not to 10000 .

@kleisauke
Copy link
Member

Newer versions of libtiff already introduce more sanity checks around these anyway so the example from https://issues.oss-fuzz.com/issues/42531230 no longer fails.

Hmm, I was still able to reproduce that fuzzer bug.

$ git diff projects/libvips/Dockerfile
diff --git a/projects/libvips/Dockerfile b/projects/libvips/Dockerfile
index 91787f1c8..10ef4abf5 100644
--- a/projects/libvips/Dockerfile
+++ b/projects/libvips/Dockerfile
@@ -35,7 +35,7 @@ RUN mkdir afl-testcases
 RUN curl https://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz | tar xzC afl-testcases
 RUN mkdir pdfium-latest
 RUN curl -L https://github.com/bblanchon/pdfium-binaries/releases/latest/download/pdfium-linux-x64.tgz | tar xzC pdfium-latest
-RUN git clone --depth 1 https://github.com/libvips/libvips.git
+RUN git clone --depth 1 --branch tiffload-open-options https://github.com/lovell/libvips.git
 RUN git clone --depth 1 https://github.com/madler/zlib.git
 RUN git clone --depth 1 https://github.com/libexif/libexif.git
 RUN git clone --depth 1 https://github.com/mm2/Little-CMS.git lcms
$ python infra/helper.py build_fuzzers --sanitizer address libvips > build_log.txt
$ python infra/helper.py reproduce libvips pngsave_buffer_fuzzer ~/Downloads/clusterfuzz-testcase-minimized-pngsave_buffer_fuzzer-4829207959830528
...
==9== ERROR: libFuzzer: out-of-memory (used: 2574Mb; limit: 2560Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>
...

@lovell
Copy link
Member Author
lovell commented Dec 10, 2024

I'm juggling quite a few branches at the moment and I must have tested that OSS Fuzz issue with the wrong code (or the wrong image), sorry Kleis. I did wonder why it hadn't auto-closed.

I'll add support for the unlimited flag in a follow-up PR to try make it (and this change) easier to review.

@jcupitt
Copy link
Member
jcupitt commented Dec 10, 2024

This is great Lovell! libtiff's global error handler has been a weeping sore for decades.

It feels like a large change for a stable branch, and since everyone has been living with this for 30+ years, not time-critical either. My waters tell me this should be in 8.17.

Is there an urgent issue this resolves?

@lovell lovell force-pushed the tiffload-open-options branch from 8927094 to c87515f Compare December 11, 2024 10:20
@lovell lovell changed the base branch from 8.16 to master December 11, 2024 10:21
@lovell
Copy link
Member Author
lovell commented Dec 11, 2024

I've updated the target branch to master for inclusion in the 8.17 release.

@jcupitt jcupitt merged commit 681a063 into libvips:master Dec 11, 2024
6 checks passed
@jcupitt
Copy link
Member
jcupitt commented Dec 11, 2024

Great! And let's aim for 8.17 six months after 8.16.

@lovell lovell deleted the tiffload-open-options branch December 11, 2024 12:51
This was referenced Dec 18, 2024
Closed
Merged
@kleisauke kleisauke mentioned this pull request May 28, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lovell @kleisauke @jcupitt
0