Closed Bug 1444734 Opened 2 years ago Closed 2 years ago

use-of-uninitialized-value in read_nested_curveType

Categories

(Core :: GFX: Color Management, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla62
Tracking Status
firefox62 --- fixed

People

(Reporter: u473386, Assigned: nical)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce:

==6510==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4a17a7 in read_u32 QCMS/qcms/iccread.c:95:6
    #1 0x4a8360 in read_curveType QCMS/qcms/iccread.c:432:18
    #2 0x4a813e in read_nested_curveType QCMS/qcms/iccread.c:514:22
    #3 0x4a5588 in read_tag_lutmABType QCMS/qcms/iccread.c:652:3
    #4 0x4a0f06 in qcms_profile_from_memory QCMS/qcms/iccread.c:1103:21

  Uninitialized value was created by an allocation of 'tag_len' in the stack frame of function 'read_nested_curveType'
    #0 0x4a7fb0 in read_nested_curveType QCMS/qcms/iccread.c:508

There are no security implications.
Could you please provide more information on what you are doing here?
Flags: needinfo?(pdknsk)
Closing due to lack of response from the reporter.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
I don't understand the question.
Flags: needinfo?(pdknsk)
Attached image firefox-1444734
This happens when the call to read_curveType in read_nested_curveType fails at the non-last iteration or earlier, for num_channels > 1. Then (uninitialized) tag_len is added to channel_offset, which on next iteration causes the bug at read_u32 in read_curveType.

If there is an MSAN-build of Firefox, this PNG will reproduce it.
A possible obvious fix is to always initialize the variable, but I think the actual bug is probably that the loop should break after invalid_source.
Status: RESOLVED → REOPENED
Component: Untriaged → GFX: Color Management
Ever confirmed: true
Product: Firefox → Core
Resolution: INCOMPLETE → ---
Good catch pdknsk! I agree that the loop should break after invalid_source. Do you want to make a patch for this (just so that your name is in the hg log to give credit where it's due since you did all of the hard work here)? Otherwise I'll cook up a patch.
Assigning to myself in the mean time as a reminder.
Assignee: nobody → nical.bugzilla
Flags: needinfo?(pdknsk)
I'm happy with you submitting it.
Flags: needinfo?(pdknsk)
Attachment #8986105 - Flags: review?(bas) → review+
Pushed by nsilva@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3dc86f7109f6
Bail out of read_nested_curveType when encountering an invalid source. r=Bas
https://hg.mozilla.org/mozilla-central/rev/3dc86f7109f6
Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
You need to log in before you can comment on or make changes to this bug.