Comment 2 for bug 1057012

Stéphane Gourichon (stephane-gourichon-lpad) wrote:

# Summary

* found the actual bug location, in libpano13.
* bug class: unchecked write to a fixed-size buffer (buffers have hardcoded sizes)
* hard-coded limits are inconsistent between files (source buffer 65536, destination buffer 256)
* easy to fix? There is at least the quick-and-easy fix of increasing the lower limit.

## Additional information

It's in libpano13, file panorama.h, line 413:

    #define PANO_PATH_LEN 255

In a nutshell, ParseScript can parse lines up to 65535 characters long, but the Image structure only accepts full paths up to 256 characters long.

## Investigation details

Crash log says:

    /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x2b29d619b22d]
    /usr/lib/libpano13.so.2(ParseScript+0x7f6)[0x2b29d51fe536]

ParseScript is therefore a function in libpano13.

    apt-get source libpano13
    cd libpano13-2.9.18+dfsg/

ParseScript is defined in parser.c. It calls sprintf on line 448:

                    case 'n': // Set filename
                        nextWord( buf, &li );
                        sprintf( im->name, "%s", buf );
                        break;
                    case 'm': // Frame

buf is defined on line 148:

    char *li, line[LINE_LENGTH], *ch ,*lineStart, buf[LINE_LENGTH];

buf is big enough to hold a long filename:

    //Increased so more params can be parsed/optimized (MRDL - March 2002)
    #define LINE_LENGTH 65536

Now check im->name.

In ParseScript, im is defined on line 142:

    Image *im;

The Image type is defined in panorama.h on lines 430-355:

    struct Image
    {
        // Pixel data
        pt_int32 width;
        pt_int32 height;
        pt_int32 bytesPerLine;
        pt_int32 bitsPerPixel; // Must be 24 or 32
        size_t dataSize;
        unsigned char **data;
        pt_int32 dataformat; // rgb, Lab etc
        pt_int32 format; // Projection: rectilinear etc
        int formatParamCount; // Number of format parameters.
        double formatParam[PANO_PROJECTION_MAX_PARMS]; // Parameters for format.
        int precomputedCount; // number of values precomputed for a given pano
        double precomputedValue[PANO_PROJECTION_PRECOMPUTED_VALUES]; // to speed up pano creation
        double hfov;
        double yaw;
        double pitch;
        double roll;
        cPrefs cP; // How to correct the image
        char name[PANO_PATH_LEN+1];
        PTRect selection;
        CropInfo cropInformation; // TO BE DEPRECATED

        pano_ImageMetadata metadata;
    };

    typedef struct Image Image;

The field "name" is on line 455:

    char name[PANO_PATH_LEN+1];

PANO_PATH_LEN is defined in panorama.h, line 413:

    #define PANO_PATH_LEN 255

The crash is explained.
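The `__sprintf_chk` frame in the crash log is glibc's `_FORTIFY_SOURCE` variant of `sprintf`: when the compiler knows the size of the destination (here the 256-byte `name` array inside `struct Image`), the fortified call aborts the process as soon as the formatted output exceeds it. That is what turned this overflow into a crash rather than silent corruption of the fields that follow `name` in the struct (`selection`, `cropInformation`, `metadata`). The comment above proposes raising `PANO_PATH_LEN`; the other half of a durable fix is to stop relying on the limits agreeing at all and bound the copy at the call site. The following is an added example written for this page, not code from libpano13 or from the bug reporter: it keeps the two hard-coded sizes from the report, uses a hypothetical `ImageName` stand-in for the real `Image` struct, and replaces `sprintf( im->name, "%s", buf )` with a bounded copy that reports an over-long path instead of writing past the array.

```c
#include <stdio.h>
#include <string.h>

#define PANO_PATH_LEN 255      /* same value as libpano13's panorama.h */
#define LINE_LENGTH   65536    /* same value as libpano13's parser.c   */

/* Hypothetical stand-in for struct Image: only the field that overflows,
   plus one sentinel field standing in for whatever follows `name`. */
typedef struct {
    char name[PANO_PATH_LEN + 1];
    int  sentinel;
} ImageName;

/* Hardened replacement for `sprintf( im->name, "%s", buf )`.
   snprintf never writes more than sizeof im->name bytes, and its return
   value is the length the full output would have had, so an over-long
   path is detected and reported rather than silently truncated.
   Returns 0 on success, -1 if the path does not fit in PANO_PATH_LEN. */
static int set_image_name(ImageName *im, const char *buf)
{
    int n = snprintf(im->name, sizeof im->name, "%s", buf);
    if (n < 0 || (size_t)n >= sizeof im->name) {
        im->name[0] = '\0';   /* leave a well-defined (empty) name behind */
        return -1;
    }
    return 0;
}

/* Constructed input for the demonstration: a path of `len` 'A' characters,
   capped at what ParseScript's LINE_LENGTH-sized buf could actually hold. */
static size_t build_path(char *buf, size_t len)
{
    if (len > LINE_LENGTH - 1)
        len = LINE_LENGTH - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return len;
}

/* Try to store a `len`-character path. Returns set_image_name's status,
   or -2 if the copy touched the neighbouring field (it must never). */
static int try_name_of_length(size_t len)
{
    static char buf[LINE_LENGTH];
    ImageName im;
    build_path(buf, len);
    im.sentinel = 0x5A5A5A5A;
    int rc = set_image_name(&im, buf);
    if (im.sentinel != 0x5A5A5A5A)
        return -2;
    return rc;
}

/* Length of the name actually stored for a `len`-character input
   (0 when the input was rejected). */
static size_t stored_length(size_t len)
{
    static char buf[LINE_LENGTH];
    ImageName im;
    build_path(buf, len);
    set_image_name(&im, buf);
    return strlen(im.name);
}

int main(void)
{
    size_t probes[] = { 10, PANO_PATH_LEN, PANO_PATH_LEN + 1, LINE_LENGTH - 1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%5zu chars -> rc %d, stored %zu\n",
               probes[i], try_name_of_length(probes[i]), stored_length(probes[i]));
    return 0;
}
```

With this shape the two limits no longer have to agree: a 65535-character line still parses, but a path longer than `PANO_PATH_LEN` is refused with a return code the caller can turn into a parse error, and the fields after `name` are untouched whether or not the binary was built with fortification.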