Closed Bug 1444734 Opened 2 years ago Closed 2 years ago
use-of-uninitialized-value in read_nested_curveType
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce:

==6510==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4a17a7 in read_u32 QCMS/qcms/iccread.c:95:6
    #1 0x4a8360 in read_curveType QCMS/qcms/iccread.c:432:18
    #2 0x4a813e in read_nested_curveType QCMS/qcms/iccread.c:514:22
    #3 0x4a5588 in read_tag_lutmABType QCMS/qcms/iccread.c:652:3
    #4 0x4a0f06 in qcms_profile_from_memory QCMS/qcms/iccread.c:1103:21

  Uninitialized value was created by an allocation of 'tag_len' in the stack frame of function 'read_nested_curveType'
    #0 0x4a7fb0 in read_nested_curveType QCMS/qcms/iccread.c:508

There are no security implications.
Could you please provide more information on what you are doing here?
Closing due to lack of response from the reporter.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
I don't understand the question.
This happens when the call to read_curveType in read_nested_curveType fails at the non-last iteration or earlier, for num_channels > 1. Then (uninitialized) tag_len is added to channel_offset, which on the next iteration causes the bug at read_u32 in read_curveType. If there is an MSAN build of Firefox, this PNG will reproduce it.
A possible obvious fix is to always initialize the variable, but I think the actual bug is probably that the loop should break after invalid_source.
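The control flow described in the two comments above, as an added example that is not qcms's own code: a small model of the nested curveType loop, with the tag layout reduced to what the bug needs (a 'curv' header of type, reserved word and entry count, then 2-byte entries). Everything here is assumed for illustration: the struct and function names mirror the stack trace but are reimplemented, read_curveType leaves its length out-parameter untouched on failure (the behaviour the report describes), the poison value stands in for the uninitialized stack variable so the example stays deterministic, the reads_after_fail counter is instrumentation that records reads issued after the source has already been marked invalid, and the input bytes are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CURVE_TYPE 0x63757276u /* 'curv' */

struct mem_source {
    const uint8_t *buf;
    size_t size;
    int valid;            /* cleared by invalid_source() */
    int reads_after_fail; /* instrumentation: read_u32 calls made after the source went invalid */
};

static void invalid_source(struct mem_source *src, const char *why)
{
    if (src->valid)
        fprintf(stderr, "invalid source: %s\n", why);
    src->valid = 0;
}

/* Bounds-checked big-endian u32 read; returns 0 and invalidates the source on a bad offset. */
static uint32_t read_u32(struct mem_source *src, size_t offset)
{
    uint8_t k[4];
    if (!src->valid)
        src->reads_after_fail++;
    if (offset + 4 > src->size) {
        invalid_source(src, "invalid offset");
        return 0;
    }
    memcpy(k, src->buf + offset, 4);
    return (uint32_t)k[0] << 24 | (uint32_t)k[1] << 16 | (uint32_t)k[2] << 8 | k[3];
}

/* Parse one 'curv' tag at offset; on success store its byte length in *len.
 * On failure *len is deliberately left untouched, as in the bug report. */
static int read_curveType(struct mem_source *src, uint32_t offset, uint32_t *len)
{
    uint32_t type = read_u32(src, offset);
    uint32_t count;
    if (type != CURVE_TYPE) {
        invalid_source(src, "unexpected type, expected CURV");
        return 0;
    }
    count = read_u32(src, offset + 8);
    if (!src->valid || (size_t)offset + 12 + 2 * (size_t)count > src->size) {
        invalid_source(src, "curv entries exceed source");
        return 0;
    }
    *len = 12 + 2 * count;
    return 1;
}

/* Returns the number of channels parsed. bail_on_error selects the fixed loop. */
static int read_nested_curveType(struct mem_source *src, uint32_t curve_offset,
                                 unsigned num_channels, int bail_on_error)
{
    uint32_t channel_offset = 0;
    uint32_t tag_len = 0x7fff0000u; /* poison standing in for the uninitialized stack value (assumption) */
    int parsed = 0;

    for (unsigned i = 0; i < num_channels; i++) {
        if (!read_curveType(src, curve_offset + channel_offset, &tag_len)) {
            invalid_source(src, "invalid nested curveType curve");
            if (bail_on_error)
                break; /* the fix: stop instead of advancing by a length that was never set */
        } else {
            parsed++;
        }
        channel_offset += tag_len;
        if (tag_len % 4 != 0) /* tags are 4-byte aligned */
            channel_offset += 4 - tag_len % 4;
    }
    return parsed;
}

/* Constructed input: channel 0 carries a bogus type, so the very first read_curveType fails. */
static int reads_after_first_failure(int bail_on_error)
{
    static const uint8_t icc[] = {
        'X', 'X', 'X', 'X', 0, 0, 0, 0, 0, 0, 0, 0, /* bad channel 0 */
        'c', 'u', 'r', 'v', 0, 0, 0, 0, 0, 0, 0, 0, /* channel 1: curv, count 0 */
    };
    struct mem_source src = { icc, sizeof icc, 1, 0 };
    read_nested_curveType(&src, 0, 2, bail_on_error);
    return src.reads_after_fail;
}

int main(void)
{
    printf("without break: %d read(s) at an offset derived from unset tag_len\n", reads_after_first_failure(0));
    printf("with break:    %d read(s)\n", reads_after_first_failure(1));
    return 0;
}
```

Without the break, the second iteration calls read_u32 at curve_offset + poison, which is the read MSAN flags in the report; with the break the loop never issues that read, and qcms_profile_from_memory sees the invalidated source instead.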
Status: RESOLVED → REOPENED
Component: Untriaged → GFX: Color Management
Ever confirmed: true
Product: Firefox → Core
Resolution: INCOMPLETE → ---
Good catch pdknsk! I agree that the loop should break after invalid_source. Do you want to make a patch for this (just so that your name is in the hg log to give credit where it's due since you did all of the hard work here)? Otherwise I'll cook up a patch. Assigning to myself in the meantime as a reminder.
Assignee: nobody → nical.bugzilla
I'm happy with you submitting it.
Attachment #8986105 - Flags: review?(bas) → review+
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/3dc86f7109f6 Bail out of read_nested_curveType when encountering an invalid source. r=Bas