Closed
Bug 218758
Opened 22 years ago
Closed 22 years ago
Array bounds error in png decoder
Categories
(Core :: Graphics: ImageLib, defect)
RESOLVED
FIXED
People
(Reporter: tor, Assigned: tor)
Details
Attachments
(1 file)
873 bytes,
patch
pavlov
:
review+
bryner
:
superreview+
[E] ABR: Array bounds read in memcpy {2 occurrences}
Reading 632 bytes from 0x105e3fbc (2 bytes at 0x105e4232 illegal)
Address 0x105e3fbc is 114660 bytes into a 115290 byte block at 0x105c7fd8
Address 0x105e3fbc points to a malloc'd block in heap 0x02520000
Thread ID: 0x3e0
Error location
memcpy [gkgfxwin.dll]
gfxImageFrame::SetImageData(BYTE const*,UINT,int)
[gfxImageFrame.cpp:285]
}
if (aData)
=> memcpy(imgData + newOffset, aData, aLength);
else
memset(imgData + newOffset, 0, aLength);
mImage->UnlockImagePixels(PR_FALSE);
row_callback [nsPNGDecoder.cpp:397]
}
decoder->mFrame->SetImageData(decoder->colorLine, bpr,
row_num*bpr);
#else
=> decoder->mFrame->SetImageData((PRUint8*)line, bpr,
row_num*bpr);
#endif
break;
case gfxIFormats::RGB_A1:
png_push_have_row [pngpread.c:1511]
{
if (png_ptr->row_fn != NULL)
(*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
=> (int)png_ptr->pass);
}
void PNGAPI
png_push_process_row [pngpread.c:812]
int i;
for (i = 0; i < 8 && png_ptr->pass == 0; i++)
{
=> png_push_have_row(png_ptr, png_ptr->row_buf + 1);
png_read_push_finish_row(png_ptr); /* updates
png_ptr->pass */
}
if (png_ptr->pass == 2) /* pass 1 might be empty */
png_process_IDAT_data [pngpread.c:763]
png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
break;
}
=> png_push_process_row(png_ptr);
png_ptr->zstream.avail_out = (uInt)png_ptr->irowbytes;
png_ptr->zstream.next_out = png_ptr->row_buf;
}
png_push_read_IDAT [pngpread.c:694]
png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr,
save_size);
if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED))
=> png_process_IDAT_data(png_ptr,
png_ptr->current_buffer_ptr, save_size);
png_ptr->idat_size -= save_size;
png_ptr->buffer_size -= save_size;
png_process_some_data [pngpread.c:59]
}
case PNG_READ_IDAT_MODE:
{
=> png_push_read_IDAT(png_ptr);
break;
}
#if defined(PNG_READ_tEXt_SUPPORTED)
png_process_data [pngpread.c:35]
while (png_ptr->buffer_size)
{
=> png_process_some_data(png_ptr, info_ptr);
}
}
ReadDataOut [nsPNGDecoder.cpp:144]
}
png_process_data(decoder->mPNG, decoder->mInfo,
=> NS_REINTERPRET_CAST(unsigned char *,
NS_CONST_CAST(char *, fromRawSegment)), count);
*writeCount = count;
return NS_OK;
Allocation location
malloc [dbgheap.c:129]
PR_Malloc [prmem.c:474]
#if defined (WIN16)
return PR_MD_malloc( (size_t) size);
#else
=> return malloc(size);
#endif
}
nsMemoryImpl::Alloc(UINT) [nsMemoryImpl.cpp:323]
nsMemoryImpl::Alloc(PRSize size)
{
NS_ASSERTION(size, "nsMemoryImpl::Alloc of 0");
=> void* result = MALLOC1(size);
if (! result) {
// Request an asynchronous flush
FlushMemory(NS_LITERAL_STRING("alloc-failure").get(),
PR_FALSE);
nsMemory::Alloc(UINT) [nsMemory.cpp:87]
if (!ENSURE_ALLOCATOR)
return nsnull;
=> return gMemory->Alloc(size);
}
NS_COM void*
info_callback [nsPNGDecoder.cpp:311]
decoder->alphaLine = (PRUint8 *)nsMemory::Alloc(abpr);
if (interlace_type == PNG_INTERLACE_ADAM7) {
=> decoder->interlacebuf = (PRUint8
*)nsMemory::Alloc(channels*width*height);
decoder->ibpr = channels*width;
if (!decoder->interlacebuf) {
longjmp(decoder->mPNG->jmpbuf, 5); // NS_ERROR_OUT_OF_MEMORY
png_push_have_info [pngpread.c:1496]
png_push_have_info(png_structp png_ptr, png_infop info_ptr)
{
if (png_ptr->info_fn != NULL)
=> (*(png_ptr->info_fn))(png_ptr, info_ptr);
}
void /* PRIVATE */
png_push_read_chunk [pngpread.c:259]
png_ptr->idat_size = png_ptr->push_length;
png_ptr->mode |= PNG_HAVE_IDAT;
png_ptr->process_mode = PNG_READ_IDAT_MODE;
=> png_push_have_info(png_ptr, info_ptr);
png_ptr->zstream.avail_out = (uInt)png_ptr->irowbytes;
png_ptr->zstream.next_out = png_ptr->row_buf;
return;
png_process_some_data [pngpread.c:54]
}
case PNG_READ_CHUNK_MODE:
{
=> png_push_read_chunk(png_ptr, info_ptr);
break;
}
case PNG_READ_IDAT_MODE:
png_process_data [pngpread.c:35]
while (png_ptr->buffer_size)
{
=> png_process_some_data(png_ptr, info_ptr);
}
}
ReadDataOut [nsPNGDecoder.cpp:144]
}
png_process_data(decoder->mPNG, decoder->mInfo,
=> NS_REINTERPRET_CAST(unsigned char *,
NS_CONST_CAST(char *, fromRawSegment)), count);
*writeCount = count;
return NS_OK;
Attachment #131135 -
Flags: superreview?(bryner)
Attachment #131135 -
Flags: review?(pavlov)
Updated•22 years ago
Attachment #131135 -
Flags: superreview?(bryner) → superreview+
Updated•22 years ago
Attachment #131135 -
Flags: review?(pavlov) → review+
Checked in.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED