Use of Uninitialized variable, when loading certain png files.

Bug #1296786 reported by Tom Hindle
This bug affects 2 people
Affects: libgdiplus (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Details of the PNG that causes this crash:

Find Dictionary.png...
  Image Width: 16 Image Length: 16
  Bitdepth (Bits/Sample): 8
  Channels (Samples/Pixel): 1
  Pixel depth (Pixel Depth): 8
  Colour Type (Photometric Interpretation): PALETTED COLOUR with alpha (256 colours, 1 transparent)
  Image filter: Single row per byte filter
  Interlacing: No interlacing
  Compression Scheme: Deflate method 8, 32k window
  Resolution: 2834, 2834 (pixels per meter)
  FillOrder: msb-to-lsb
  Byte Order: Network (Big Endian)
  Number of text strings: 0 of 0

Problem code is:

File: pngcode.c
Function: gdip_load_png_image_from_file_or_stream
Problem: png_get_tRNS is called without checking its return value.
For this PNG the return value is 0 (fail), and this causes use of the uninitialized variables trans_color and num_trans.
This causes a seg fault if trans_color or num_trans happen to be certain values.

I will attach a minimal test case that can be built using mono.

I will also attach a suggested patch that checks the return value of png_get_tRNS and doesn't attempt to use uninitialized variables.

Stack trace looks like this:

 at <unknown> <0xffffffff>
  at (wrapper managed-to-native) System.Drawing.GDIPlus.GdipLoadImageFromDelegate_linux (System.Drawing.GDIPlus/StreamGetHeaderDelegate,System.Drawing.GDIPlus/StreamGetBytesDelegate,System.Drawing.GDIPlus/StreamPutBytesDelegate,System.Drawing.GDIPlus/StreamSeekDelegate,System.Drawing.GDIPlus/StreamCloseDelegate,System.Drawing.GDIPlus/StreamSizeDelegate,intptr&) <0xffffffff>
  at System.Drawing.Image.InitFromStream (System.IO.Stream) <0x001b3>
  at System.Drawing.Image..ctor (System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext) <0x0010f>
  at System.Drawing.Bitmap..ctor (System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext) <0x0002f>
  at (wrapper runtime-invoke) <Module>.runtime_invoke_void__this___object_StreamingContext (object,intptr,intptr,intptr) <0xffffffff>
  at <unknown> <0xffffffff>
  at (wrapper managed-to-native) System.Reflection.MonoCMethod.InternalInvoke (System.Reflection.MonoCMethod,object,object[],System.Exception&) <0xffffffff>
  at System.Reflection.MonoCMethod.InternalInvoke (object,object[]) <0x0003f>
  at System.Reflection.MonoCMethod.DoInvoke (object,System.Reflection.BindingFlags,System.Reflection.Binder,object[],System.Globalization.CultureInfo) <0x00103>
  at System.Reflection.MonoCMethod.Invoke (object,System.Reflection.BindingFlags,System.Reflection.Binder,object[],System.Globalization.CultureInfo) <0x00083>
  at System.Reflection.MethodBase.Invoke (object,object[]) <0x00032>
  at System.Runtime.Serialization.ObjectRecord.LoadData (System.Runtime.Serialization.ObjectManager,System.Runtime.Serialization.ISurrogateSelector,System.Runtime.Serialization.StreamingContext) <0x002ff>
  at System.Runtime.Serialization.ObjectManager.DoFixups () <0x0015f>
  at System.Runtime.Serialization.Formatters.Binary.ObjectReader.ReadNextObject (System.IO.BinaryReader) <0x00051>
  at System.Runtime.Serialization.Formatters.Binary.ObjectReader.ReadObjectGraph (System.Runtime.Serialization.Formatters.Binary.BinaryElement,System.IO.BinaryReader,bool,object&,System.Runtime.Remoting.Messaging.Header[]&) <0x0010b>
  at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.NoCheckDeserialize (System.IO.Stream,System.Runtime.Remoting.Messaging.HeaderHandler) <0x00143>
  at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize (System.IO.Stream) <0x0001f>
  at System.Resources.ResourceReader.ReadNonPredefinedValue (System.Type) <0x0003f>
  at System.Resources.ResourceReader.ReadValueVer2 (int) <0x00443>
  at System.Resources.ResourceReader.LoadResourceValues (System.Resources.ResourceReader/ResourceCacheItem[]) <0x0021f>
  at System.Resources.ResourceReader/ResourceEnumerator.FillCache () <0x0009b>
  at System.Resources.ResourceReader/ResourceEnumerator..ctor (System.Resources.ResourceReader) <0x00053>
  at System.Resources.ResourceReader.GetEnumerator () <0x00033>
  at System.Resources.ResourceSet.ReadResources () <0x0008d>
  at System.Resources.ResourceSet.GetObjectInternal (string,bool) <0x0006b>
  at System.Resources.ResourceSet.GetObject (string,bool) <0x00027>
  at System.Resources.RuntimeResourceSet.GetObject (string,bool) <0x00033>
  at System.Resources.ResourceManager.GetObject (string,System.Globalization.CultureInfo) <0x000a1>
  at PngTest.MainClass.Main (string[]) <0x0007c>
  at (wrapper runtime-invoke) <Module>.runtime_invoke_void_object (object,intptr,intptr,intptr) <0xffffffff>
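As an added illustration of the pattern the report describes (this is not the reporter's patch nor libgdiplus code), the block below uses a constructed stand-in that mimics the contract of libpng's png_get_tRNS(): it only writes its output parameters when a tRNS chunk exists, so a loader must initialise those variables and test the return value before using them. The struct and function names, and the sample image data, are invented for the example; the real code would call libpng directly.

```c
#include <stdint.h>
#include <string.h>
#define PNG_INFO_tRNS 0x0010U  /* the flag value libpng returns for tRNS */

/* Constructed stand-in for libpng's info struct (this is not libpng). */
typedef struct {
    int has_trns;              /* 1 only if the file carried a tRNS chunk */
    uint8_t trans_alpha[256];  /* alpha per palette index */
    int num_trans;             /* entries actually present in tRNS */
} fake_png_info;

/* Mimics the png_get_tRNS() contract: returns PNG_INFO_tRNS and fills the
 * outputs only when tRNS is present. On 0 the caller's variables are NOT
 * written, which is why the report's unchecked reads hit uninitialised data. */
static unsigned fake_png_get_tRNS(fake_png_info *info,
                                  uint8_t **trans_alpha, int *num_trans)
{
    if (!info->has_trns)
        return 0;
    *trans_alpha = info->trans_alpha;
    *num_trans = info->num_trans;
    return PNG_INFO_tRNS;
}

/* Hardened loader step: initialise the outputs, check the return value, and
 * bound num_trans by the palette size. Returns how many palette entries carry
 * tRNS alpha (0 for a fully opaque image, -1 on inconsistent data). */
int build_palette_alpha(fake_png_info *info, uint8_t alpha_out[256])
{
    uint8_t *trans_alpha = NULL;   /* safe values if png_get_tRNS returns 0 */
    int num_trans = 0;
    memset(alpha_out, 0xFF, 256);  /* every palette entry opaque by default */
    if (fake_png_get_tRNS(info, &trans_alpha, &num_trans) == 0)
        return 0;                  /* no tRNS chunk: nothing more to do */
    if (trans_alpha == NULL || num_trans < 0)
        return -1;
    if (num_trans > 256) num_trans = 256;  /* tRNS never exceeds the palette */
    memcpy(alpha_out, trans_alpha, (size_t)num_trans);
    return num_trans;
}

/* Constructed sample shaped like the report's file (256-colour palette, one
 * transparent entry at index 0); has_trns == 0 is the variant that crashed.
 * Packs the count, alpha[0] and alpha[255] into one int for easy checking. */
int demo(int has_trns)
{
    fake_png_info info = { has_trns, { 0 }, has_trns ? 1 : 0 };
    uint8_t alpha[256];
    int n = build_palette_alpha(&info, alpha);
    return (n << 16) | (alpha[0] << 8) | alpha[255];
}
```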

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Suggest patch that initalizes variables to prevent uninitalized use." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Tom Hindle (3-launchpad-hindlemail-co-uk) wrote :

I've also reported the bug upstream:

https://bugzilla.xamarin.com/show_bug.cgi?id=18625

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

What about getting this patch into Debian first? This seems to be a Debian problem too.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgdiplus - 2.11+git20131008.9732566-5ubuntu1

---------------
libgdiplus (2.11+git20131008.9732566-5ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - ppc64el support:
      + Build using dh-autoreconf
      + Build for ppc64el
      + Link tests with -lm

libgdiplus (2.11+git20131008.9732566-5) unstable; urgency=low

  * [5e251c5] Ensure PNG transparency values are initialized. Thanks to
    Tom Hindle (LP: #1296786) (Closes: #741980)
 -- Christopher James Halse Rogers <email address hidden> Wed, 02 Apr 2014 11:03:42 +1100

Changed in libgdiplus (Ubuntu):
status: New → Fix Released
Revision history for this message
Enno Borgsteede (ennoborg) wrote :

To my regret, a crash still occurs when I start openbve in Linux Mint 17. The libgdiplus version reported by synaptic is the one mentioned above.
