Closed
Bug 405059
Opened 17 years ago
Closed 15 years ago
png_error("Uninitialized row") causes problems
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: asmith16, Assigned: glennrp+bmo)
References
(Blocks 1 open bug)
Details
Attachments
(2 files, 3 obsolete files)
The check for PNG_WARN_UNINITIALIZED_ROW in png_do_read_transformations() is a problem when libpng is configured with the default settings. Because in mozpngconf.h PNG_NO_WARN_UNINITIALIZED_ROW is defined, libpng only gives a warning, which as far as I know is never printed from firefox. With the default configure settings this is an error (for some images), and the decoder breaks. I'm going to attach a patch that will have no effect on mozilla, since that line of code is ifdef-ed out. Please check it in so there is no need to maintain two libpng-apng patches. This may in fact be a security problem, I haven't investigated it thoroughly. Maybe Glenn can tell.
Attachment #289889 -
Flags: superreview?(pavlov)
Attachment #289889 -
Flags: review?(pavlov)
Assignee | ||
Comment 1•17 years ago
|
||
Libpng does not even give a warning because pngconf.h does not set PNG_WARN_UNINITIALIZED_ROW the code in pngrtran.c is ifdef-ed out. If you want to get a warning, it would be better to change the #define in mozlibpng.h from #define PNG_NO_WARN_UNITIALIZED_ROW to #define PNG_WARN_UNITIALIZED_ROW 0 and leave pngrtran.c the way it is. That way you could get the warning, if you want it, by turning on PR_LOGGING.
Assignee | ||
Comment 2•17 years ago
|
||
(In reply to comment #0) > This may in fact be a security problem, I haven't investigated it thoroughly. > Maybe Glenn can tell. The security problem is this: When someone writes an application that calls for row transformations, and fails to call png_read_update_info() in the right place, under some circumstances they can get heap corruption. The PNG_WARN_INITIALIZED_ROW gives them a warning or an error abort instead of an inexplicable crash later on. Firefox does not have such out-of-order function calls, and there is no way to trigger the error via a malformed PNG datastream, and therefore doesn't need the check. A general-purpose libpng does need it because we don't know what programmers are thinking. I haven't got a test case for this situation, so it would be useful if you'd post one of the images that causes problems.
Comment 3•17 years ago
|
||
Comment on attachment 289889 [details] [diff] [review] change png_error to png_warning -ing based on glenns comments
Attachment #289889 -
Flags: superreview?(pavlov)
Attachment #289889 -
Flags: superreview-
Attachment #289889 -
Flags: review?(pavlov)
Attachment #289889 -
Flags: review-
Reporter | ||
Comment 4•17 years ago
|
||
I'll attach the image in a moment. This is the program that fails to read any frames past the first. Compile with: libtool --mode=link gcc -g disassemble2.c $(LIBPNGDIR)/libpng.la -Wall -o disassemble2
Reporter | ||
Comment 5•17 years ago
|
||
Comment 6•17 years ago
|
||
glenn what is the right thing to do here?
Assignee | ||
Comment 7•17 years ago
|
||
The APNG fork fails to initialize PNG_FLAG_ROW_INIT flag in png_progressive_read_reset().
Reporter | ||
Comment 8•17 years ago
|
||
That doesn't help. I probably had a reason for not doing that in png_progressive_read_reset(), I can't remember now.
Assignee | ||
Comment 9•17 years ago
|
||
We should be setting, not clearing, the PNG_FLAG_ROW_INIT flag, in two places, to indicate that row initialization has already occurred while processing the main PNG image.
Attachment #293801 -
Attachment is obsolete: true
Assignee | ||
Updated•17 years ago
|
Attachment #289889 -
Attachment is obsolete: true
Assignee | ||
Comment 10•17 years ago
|
||
(In reply to comment #4) The "disassemble2" test works OK with the "v1" patch on a ubuntu platform.
Reporter | ||
Comment 11•17 years ago
|
||
Yes that works with that test and that image, but breaks all kinds of other things. I don't see a point in spending time changing how the patch works to deal with this issue. Never mind, I'll keep updating the patch on my website separately from Mozilla.
Assignee | ||
Comment 12•15 years ago
|
||
The "v2" patch in bug #463465 appears to fix this bug at least on WinXP.
Assignee | ||
Updated•15 years ago
|
Assignee: nobody → glennrp
Status: NEW → ASSIGNED
Assignee | ||
Updated•15 years ago
|
Attachment #294207 -
Attachment is obsolete: true
Comment 13•15 years ago
|
||
(In reply to comment #12) > The "v2" patch in bug #463465 appears to fix this bug at least on WinXP. Can you confirm this now that the patch has landed?
Assignee | ||
Comment 14•15 years ago
|
||
Looks OK with Firefox 3.5.5 build id Gecko/20091109 installed on Ubuntu 9.10
Assignee | ||
Comment 15•15 years ago
|
||
It also looks ok on WinXP Pro, Minefield 3.7a1pre, Gecko/20091126. Marking "RESOLVED FIXED".
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•