Bug 1444734 - use-of-uninitialized-value in read_nested_curveType
Status: RESOLVED FIXED (opened 6 years ago, closed 6 years ago)
Component: Core :: Graphics: Color Management (defect)
Target Milestone: mozilla62
Flag | Tracking | Status
---|---|---
firefox62 | --- | fixed
People: Reporter u473386, Assignee nical
Attachments (2 files):
- 193 bytes, image/png
- 788 bytes, patch (bas.schouten: review+)
Description
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce:

    ==6510==WARNING: MemorySanitizer: use-of-uninitialized-value
        #0 0x4a17a7 in read_u32 QCMS/qcms/iccread.c:95:6
        #1 0x4a8360 in read_curveType QCMS/qcms/iccread.c:432:18
        #2 0x4a813e in read_nested_curveType QCMS/qcms/iccread.c:514:22
        #3 0x4a5588 in read_tag_lutmABType QCMS/qcms/iccread.c:652:3
        #4 0x4a0f06 in qcms_profile_from_memory QCMS/qcms/iccread.c:1103:21

      Uninitialized value was created by an allocation of 'tag_len' in the stack frame of function 'read_nested_curveType'
        #0 0x4a7fb0 in read_nested_curveType QCMS/qcms/iccread.c:508

There are no security implications.
Comment 2•6 years ago
Could you please provide more information on what you are doing here?
Flags: needinfo?(pdknsk)
Comment 3•6 years ago
Closing due to lack of response from the reporter.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
This happens when the call to read_curveType in read_nested_curveType fails at the non-last iteration or earlier, for num_channels > 1. Then (uninitialized) tag_len is added to channel_offset, which on next iteration causes the bug at read_u32 in read_curveType. If there is an MSAN-build of Firefox, this PNG will reproduce it.
A possible obvious fix is to always initialize the variable, but I think the actual bug is probably that the loop should break after invalid_source.
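The loop the comment above describes, modelled as added example code (not qcms's own source): a buggy per-channel loop that keeps going after the curve read fails and consumes the tag_len that read never set, next to the fixed loop that bails out on the first invalid source. The mem_source, read_curve and kTruncated names, the curve layout and the sample bytes are constructed for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model (not qcms's own code) of the loop in the report: one curve
 * per channel, each laid out as "type(4) count(4) count*2 bytes", big-endian. */
struct mem_source { const uint8_t *buf; size_t size; bool valid; };
static uint32_t read_u32(struct mem_source *src, size_t off) {
    if (off > src->size || src->size - off < 4) { src->valid = false; return 0; }
    const uint8_t *p = src->buf + off;
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Like read_curveType: on failure, marks the source invalid and returns false WITHOUT writing *tag_len. */
static bool read_curve(struct mem_source *src, size_t off, uint32_t *tag_len) {
    uint32_t count = read_u32(src, off + 4);
    if (!src->valid) return false;
    if (count > (src->size - off - 8) / 2) { src->valid = false; return false; }
    *tag_len = 8 + count * 2;
    return true;
}
/* Buggy pattern: tag_len is unset on every iteration and the loop keeps going
 * after a failed read, so a never-written value is added to the offset. Returns
 * reads attempted after the source went invalid (0xdeadbeef is a stand-in for
 * the indeterminate stack value, keeping this model defined behaviour). */
int nested_curves_buggy(struct mem_source *src, size_t off, int num_channels) {
    int reads_after_failure = 0;
    for (int i = 0; i < num_channels; i++) {
        uint32_t tag_len = 0xdeadbeef;
        if (!src->valid) reads_after_failure++;
        read_curve(src, off, &tag_len);
        off += tag_len;
    }
    return reads_after_failure;
}
/* Fixed pattern: bail out at the first invalid source, so the offset only ever
 * advances by a tag_len that read_curve set. Returns channels parsed. */
int nested_curves_fixed(struct mem_source *src, size_t off, int num_channels) {
    int parsed = 0;
    for (int i = 0; i < num_channels; i++) {
        uint32_t tag_len;
        if (!read_curve(src, off, &tag_len)) break;
        off += tag_len;
        parsed++;
    }
    return parsed;
}
/* Constructed input: channel 0 is a complete 2-entry curve; channel 1's header
 * claims 100 entries but the data ends right after the header. */
static const uint8_t kTruncated[] = { 'c','u','r','v', 0,0,0,2, 0,0, 0xff,0xff,
                                      'c','u','r','v', 0,0,0,100 };
struct mem_source truncated_source(void) {
    return (struct mem_source){ kTruncated, sizeof kTruncated, true };
}
```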
Updated•6 years ago
Status: RESOLVED → REOPENED
Component: Untriaged → GFX: Color Management
Ever confirmed: true
Product: Firefox → Core
Resolution: INCOMPLETE → ---
Comment 8•6 years ago (assignee)
Good catch pdknsk! I agree that the loop should break after invalid_source. Do you want to make a patch for this (just so that your name is in the hg log to give credit where it's due since you did all of the hard work here)? Otherwise I'll cook up a patch. Assigning to myself in the meantime as a reminder.
Assignee: nobody → nical.bugzilla
Flags: needinfo?(pdknsk)
Comment 10•6 years ago (assignee)
Attachment #8986105 - Flags: review?(bas)
Updated•6 years ago
Attachment #8986105 - Flags: review?(bas) → review+
Comment 11•6 years ago
Pushed by nsilva@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3dc86f7109f6
Bail out of read_nested_curveType when encountering an invalid source. r=Bas
Comment 12•6 years ago
bugherder: https://hg.mozilla.org/mozilla-central/rev/3dc86f7109f6
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62