Closed Bug 405059 Opened 17 years ago Closed 15 years ago

png_error("Uninitialized row") causes problems

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: asmith16, Assigned: glennrp+bmo)

References

(Blocks 1 open bug)

Details

Attachments

(2 files, 3 obsolete files)

simple program to see the problem
7.50 KB, application/octet-stream
Details
test image
272.15 KB, image/png
Details
Attached patch change png_error to png_warning (obsolete) — Splinter Review 
The check for PNG_WARN_UNINITIALIZED_ROW in png_do_read_transformations() is a problem when libpng is configured with the default settings.

Because in mozpngconf.h PNG_NO_WARN_UNINITIALIZED_ROW is defined, libpng only gives a warning, which as far as I know is never printed from firefox.

With the default configure settings this is an error (for some images), and the decoder breaks.

I'm going to attach a patch that will have no effect on mozilla, since that line of code is ifdef-ed out. Please check it in so there is no need to maintain two libpng-apng patches.

This may in fact be a security problem, I haven't investigated it thoroughly. Maybe Glenn can tell.
Attachment #289889 - Flags: superreview?(pavlov)
Attachment #289889 - Flags: review?(pavlov)
Libpng does not even give a warning because pngconf.h does not set
PNG_WARN_UNINITIALIZED_ROW the code in pngrtran.c is ifdef-ed out.
If you want to get a warning, it would be better to change the #define
in mozlibpng.h from

    #define PNG_NO_WARN_UNITIALIZED_ROW

to

    #define PNG_WARN_UNITIALIZED_ROW 0

and leave pngrtran.c the way it is.

That way you could get the warning, if you want it, by turning on PR_LOGGING.
(In reply to comment #0)
 
> This may in fact be a security problem, I haven't investigated it thoroughly.
> Maybe Glenn can tell.

The security problem is this: When someone writes an application that calls for row transformations, and fails to call png_read_update_info() in the right place, under some circumstances they can get heap corruption.  The PNG_WARN_INITIALIZED_ROW gives them a warning or an error abort instead of an inexplicable crash later on.  Firefox does not have such out-of-order function calls, and there is no way to trigger the error via a malformed PNG datastream, and therefore doesn't need the check.  A general-purpose libpng does need it because we don't know what programmers are thinking.

I haven't got a test case for this situation, so it would be useful if you'd post one of the images that causes problems.


Comment on attachment 289889 [details] [diff] [review]
change png_error to png_warning

-ing based on glenns comments
Attachment #289889 - Flags: superreview?(pavlov)
Attachment #289889 - Flags: superreview-
Attachment #289889 - Flags: review?(pavlov)
Attachment #289889 - Flags: review-
I'll attach the image in a moment. This is the program that fails to read any frames past the first.

Compile with: libtool --mode=link gcc -g disassemble2.c $(LIBPNGDIR)/libpng.la -Wall -o disassemble2
Attached image test image 

    
    

    
  
glenn what is the right thing to do here?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Fix APNG initialization bug (obsolete)
        — Splinter Review
      

    


  
The APNG fork fails to initialize PNG_FLAG_ROW_INIT flag in png_progressive_read_reset().

    
    

    
  
That doesn't help. I probably had a reason for not doing that in png_progressive_read_reset(), I can't remember now.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Fix APNG initialization bug (v1) (obsolete)
        — Splinter Review
      

    


  
We should be setting, not clearing, the PNG_FLAG_ROW_INIT flag, in two places, to indicate that row initialization has already occurred while processing the main PNG image.

        Attachment #293801 -
        Attachment is obsolete: true

    
  

        Attachment #289889 -
        Attachment is obsolete: true

    
    

    
  
(In reply to comment #4)
The "disassemble2" test works OK with the "v1" patch on a ubuntu platform.

    
    

    
  
Yes that works with that test and that image, but breaks all kinds of other things.

I don't see a point in spending time changing how the patch works to deal with this issue. Never mind, I'll keep updating the patch on my website separately from Mozilla.


    
  
Blocks: 495609

    
    

    
  
The "v2" patch in bug #463465 appears to fix this bug at least on WinXP.

    
  
Assignee: nobody → glennrp
Status: NEW → ASSIGNED

    
  

        Attachment #294207 -
        Attachment is obsolete: true

    
    

    
  
(In reply to comment #12)
> The "v2" patch in bug #463465 appears to fix this bug at least on WinXP.

Can you confirm this now that the patch has landed?

    
    

    
  
Looks OK with Firefox 3.5.5 build id Gecko/20091109 installed on Ubuntu 9.10

    
    

    
  
It also looks ok on WinXP Pro, Minefield 3.7a1pre, Gecko/20091126.
Marking "RESOLVED FIXED".
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: