Bug #619

Segfault when opening PNG image

Added by Łukasz Krzyżak over 8 years ago. Updated over 8 years ago.

Status: Closed
Start date: 09 Mar 2009
Priority: Normal
Due date:
Assignee: Andreas Huggel
% Done: 100%

Category:basicio
Target version:0.18.1

Description

Hello
When trying to open one of my photos (made by some version of UFRaw), exiv2 crashes. I found it in a digikam stacktrace and then reproduced it with the command line exiv2.

exiv2 -V

exiv2 0.18

stacktrace from gdb:

(gdb) set args -v -pa  Pictures/dsc_3908.png                                 
(gdb) run                                                                    
Starting program: /usr/bin/exiv2 -v -pa  Pictures/dsc_3908.png               
File 1/1: Pictures/dsc_3908.png                                              

Program received signal SIGSEGV, Segmentation fault.
Exiv2::Internal::PngChunk::readRawProfile (text=@0x7fffa431c3c0) at pngchunk.cpp:627
627     pngchunk.cpp: No such file or directory.                                    
        in pngchunk.cpp                                                             
(gdb) bt                                                                            
#0  Exiv2::Internal::PngChunk::readRawProfile (text=@0x7fffa431c3c0) at pngchunk.cpp:627
#1  0x00007f909be48991 in Exiv2::Internal::PngChunk::parseChunkContent (pImage=0x1585e50, key=<value optimized out>, 
    arr={pData_ = 0x7fffa431c3c0 "", size_ = 0}) at pngchunk.cpp:236                                                 
#2  0x00007f909be49a04 in Exiv2::Internal::PngChunk::decodeTXTChunk (pImage=0x1585e50, data=@0x7fffa431c430,         
    type=Exiv2::Internal::PngChunk::tEXt_Chunk) at pngchunk.cpp:103                                                  
#3  0x00007f909be47b93 in Exiv2::PngImage::readMetadata (this=0x1585e50) at pngimage.cpp:147                         
#4  0x0000000000416907 in Action::Print::printList (this=0x1585ba0) at actions.cpp:637                               
#5  0x000000000041e375 in Action::Print::run (this=0x1585ba0, path=@0x1585860) at actions.cpp:228                    
#6  0x0000000000409da0 in main (argc=<value optimized out>, argv=0x628a40) at exiv2.cpp:165

(gdb) bt full                                                                                                        
#0  Exiv2::Internal::PngChunk::readRawProfile (text=@0x7fffa431c3c0) at pngchunk.cpp:627                             
        info = {pData_ = 0x0, size_ = 0}                                                                             
        i = <value optimized out>                                                                                    
        dp = <value optimized out>                                                                                   
        sp = 0x1 <Address 0x1 out of bounds>                                                                         
        length = <value optimized out>                                                                               
        unhex = '\0' <repeats 49 times>, "\001\002\003\004\005\006\a\b\t", '\0' <repeats 39 times>, "\n\v\f\r\016\017" 
#1  0x00007f909be48991 in Exiv2::Internal::PngChunk::parseChunkContent (pImage=0x1585e50, key=<value optimized out>,  
    arr={pData_ = 0x7fffa431c3c0 "", size_ = 0}) at pngchunk.cpp:236                                                  
        exifData = {pData_ = 0x0, size_ = 22568774}                                                                   
        length = <value optimized out>                                                                                
        exifHeader = "Exif\000"                                                                                       
#2  0x00007f909be49a04 in Exiv2::Internal::PngChunk::decodeTXTChunk (pImage=0x1585e50, data=@0x7fffa431c430,          
    type=Exiv2::Internal::PngChunk::tEXt_Chunk) at pngchunk.cpp:103                                                   
        key = {pData_ = 0x1585f50 "Raw profile type exif", size_ = 21}                                                
        arr = {pData_ = 0x0, size_ = 0}                                                                               
#3  0x00007f909be47b93 in Exiv2::PngImage::readMetadata (this=0x1585e50) at pngimage.cpp:147                          
        cdataBuf = {pData_ = 0x1585f30 "Raw profile type exif", size_ = 22}                                           
        bufRead = 22                                                                                                  
        dataOffset = <value optimized out>                                                                            
        closer = {bio_ = @0x1585bc0}                                                                                  
        cheaderBuf = {pData_ = 0x1585f10 "", size_ = 8} 

I'm using Gentoo on x86_64 arch. Exiv was compiled with -march=native -O1 -ggdb -pipe flags.

dsc_3908.png (2.66 MB) Łukasz Krzyżak, 09 Mar 2009 12:52

bug619.diff (573 Bytes) Łukasz Krzyżak, 09 Mar 2009 14:37

Associated revisions

Revision 1763
Added by Andreas Huggel over 8 years ago

#619: Check for empty buffer. Fixes crash with some PNG images. (Lukasz Krzyzak)

History

#1 Updated by Łukasz Krzyżak over 8 years ago

and a quick and very dirty fix...

#2 Updated by Andreas Huggel over 8 years ago

  • Category set to basicio
  • Status changed from New to Resolved
  • Assignee set to Andreas Huggel
  • Target version set to 0.18.1
  • % Done changed from 0 to 100

Thanks for reporting the issue and your patch! I've changed it only slightly to test the size of the buffer instead of the data pointer, as pointed out by Gilles.
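The crash above happens inside readRawProfile when a "Raw profile type exif" tEXt chunk arrives with an empty payload (size_ = 0 in the backtrace), and the fix in r1763 is to test the buffer size before parsing. The following C++ is an added example written for this page, not exiv2's readRawProfile or the attached bug619.diff. It assumes the usual raw-profile text layout (newline, profile name, newline, decimal byte count, newline, hex digits with optional whitespace) and uses constructed sample payloads rather than anything from dsc_3908.png; it shows how a bounds-checked decoder rejects an empty, truncated, or over-declared payload instead of reading past the buffer.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Result of decoding one "Raw profile type ..." text payload.
struct RawProfile {
    bool ok = false;          // true only if the whole declared payload decoded
    std::string error;        // reason for rejection when ok == false
    std::vector<uint8_t> bytes;
};

// Map one ASCII hex digit to its value, or -1 for anything else.
static int hexValue(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode a raw-profile payload laid out as (assumed layout, see lead-in):
//   '\n' <profile name> '\n' <decimal byte count> '\n' <hex digits, whitespace allowed>
// Every read is guarded by `i < size`, so an empty chunk (size == 0, the
// condition behind bug #619) is rejected up front instead of being dereferenced.
RawProfile readRawProfileSafe(const char* text, size_t size) {
    RawProfile out;
    if (text == nullptr || size == 0) {
        out.error = "empty buffer";
        return out;
    }
    size_t i = 0;
    while (i < size && text[i] == '\n') ++i;          // leading newline(s)
    while (i < size && text[i] != '\n') ++i;          // profile name
    if (i >= size) { out.error = "profile name not terminated"; return out; }
    ++i;                                              // skip the '\n'
    while (i < size && (text[i] == ' ' || text[i] == '\t')) ++i;  // padding
    size_t length = 0;
    bool haveDigit = false;
    while (i < size && std::isdigit(static_cast<unsigned char>(text[i]))) {
        length = length * 10 + static_cast<size_t>(text[i] - '0');
        haveDigit = true;
        ++i;
        if (length > size) { out.error = "declared length larger than chunk"; return out; }
    }
    if (!haveDigit || length == 0) { out.error = "missing or zero byte count"; return out; }
    // Two hex digits per byte: the remaining text must be at least that long.
    if (length > (size - i) / 2) { out.error = "declared length exceeds available hex data"; return out; }
    out.bytes.reserve(length);
    int hi = -1;                                      // pending high nibble
    while (i < size && out.bytes.size() < length) {
        unsigned char c = static_cast<unsigned char>(text[i++]);
        if (std::isspace(c)) continue;
        int v = hexValue(c);
        if (v < 0) { out.error = "non-hex character in payload"; return out; }
        if (hi < 0) { hi = v; } else { out.bytes.push_back(static_cast<uint8_t>((hi << 4) | v)); hi = -1; }
    }
    if (out.bytes.size() != length) { out.error = "payload truncated"; return out; }
    out.ok = true;
    return out;
}

// Constructed sample payloads (not taken from the attached dsc_3908.png).
// kGoodProfile declares 6 bytes and carries the hex for "Exif\0\0".
const std::string kGoodProfile = "\nexif\n       6\n457869660000\n";
// kTruncatedProfile declares 6 bytes but only carries 2.
const std::string kTruncatedProfile = "\nexif\n       6\n4578\n";

int main() {
    const char* names[] = {"empty", "good", "truncated"};
    RawProfile results[] = {
        readRawProfileSafe("", 0),
        readRawProfileSafe(kGoodProfile.data(), kGoodProfile.size()),
        readRawProfileSafe(kTruncatedProfile.data(), kTruncatedProfile.size()),
    };
    for (int k = 0; k < 3; ++k) {
        std::cout << names[k] << ": "
                  << (results[k].ok ? "decoded " + std::to_string(results[k].bytes.size()) + " bytes"
                                    : "rejected (" + results[k].error + ")")
                  << "\n";
    }
    return 0;
}
```

The check on the declared byte count is the second half of the same idea as the size test in r1763: the length field comes from the file, so it is compared against what is actually present in the chunk before any memory is reserved or read.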

#3 Updated by Andreas Huggel over 8 years ago

  • Status changed from Resolved to Closed

