Closed
Bug 405059
Opened 18 years ago
Closed 16 years ago
png_error("Uninitialized row") causes problems
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: asmith16, Assigned: glennrp+bmo)
References
(Blocks 1 open bug)
Details
Attachments
(2 files, 3 obsolete files)
test image
The check for PNG_WARN_UNINITIALIZED_ROW in png_do_read_transformations() is a problem when libpng is configured with the default settings.
Because in mozpngconf.h PNG_NO_WARN_UNINITIALIZED_ROW is defined, libpng only gives a warning, which as far as I know is never printed from firefox.
With the default configure settings this is an error (for some images), and the decoder breaks.
I'm going to attach a patch that will have no effect on mozilla, since that line of code is ifdef-ed out. Please check it in so there is no need to maintain two libpng-apng patches.
This may in fact be a security problem, I haven't investigated it thoroughly. Maybe Glenn can tell.
Attachment #289889 -
Flags: superreview?(pavlov)
Attachment #289889 -
Flags: review?(pavlov)
|
Assignee | |
Comment 1•18 years ago
|
||
Libpng does not even give a warning because pngconf.h does not set
PNG_WARN_UNINITIALIZED_ROW the code in pngrtran.c is ifdef-ed out.
If you want to get a warning, it would be better to change the #define
in mozlibpng.h from
#define PNG_NO_WARN_UNITIALIZED_ROW
to
#define PNG_WARN_UNITIALIZED_ROW 0
and leave pngrtran.c the way it is.
That way you could get the warning, if you want it, by turning on PR_LOGGING.
|
|
Assignee | |
Comment 2•18 years ago
|
||
(In reply to comment #0)
> This may in fact be a security problem, I haven't investigated it thoroughly.
> Maybe Glenn can tell.
The security problem is this: When someone writes an application that calls for row transformations, and fails to call png_read_update_info() in the right place, under some circumstances they can get heap corruption. The PNG_WARN_INITIALIZED_ROW gives them a warning or an error abort instead of an inexplicable crash later on. Firefox does not have such out-of-order function calls, and there is no way to trigger the error via a malformed PNG datastream, and therefore doesn't need the check. A general-purpose libpng does need it because we don't know what programmers are thinking.
I haven't got a test case for this situation, so it would be useful if you'd post one of the images that causes problems.
|
||
Comment 3•18 years ago
|
||
Comment on attachment 289889 [details] [diff] [review]
change png_error to png_warning
-ing based on glenns comments
Attachment #289889 -
Flags: superreview?(pavlov)
Attachment #289889 -
Flags: superreview-
Attachment #289889 -
Flags: review?(pavlov)
Attachment #289889 -
Flags: review-
|
Reporter | |
Comment 4•18 years ago
|
||
I'll attach the image in a moment. This is the program that fails to read any frames past the first.
Compile with: libtool --mode=link gcc -g disassemble2.c $(LIBPNGDIR)/libpng.la -Wall -o disassemble2
|
|
Reporter | |
Comment 5•18 years ago
|
||
|
|
||
Comment 6•18 years ago
|
||
glenn what is the right thing to do here?
|
|
Assignee | |
Comment 7•18 years ago
|
||
The APNG fork fails to initialize PNG_FLAG_ROW_INIT flag in png_progressive_read_reset().
|
|
Reporter | |
Comment 8•18 years ago
|
||
That doesn't help. I probably had a reason for not doing that in png_progressive_read_reset(), I can't remember now.
|
|
Assignee | |
Comment 9•18 years ago
|
||
We should be setting, not clearing, the PNG_FLAG_ROW_INIT flag, in two places, to indicate that row initialization has already occurred while processing the main PNG image.
Attachment #293801 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•18 years ago
|
Attachment #289889 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 10•18 years ago
|
||
(In reply to comment #4)
The "disassemble2" test works OK with the "v1" patch on a ubuntu platform.
|
|
Reporter | |
Comment 11•18 years ago
|
||
Yes that works with that test and that image, but breaks all kinds of other things.
I don't see a point in spending time changing how the patch works to deal with this issue. Never mind, I'll keep updating the patch on my website separately from Mozilla.
|
|
Assignee | |
Comment 12•16 years ago
|
||
The "v2" patch in bug #463465 appears to fix this bug at least on WinXP.
|
|
Assignee | |
Updated•16 years ago
|
Assignee: nobody → glennrp
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•16 years ago
|
Attachment #294207 -
Attachment is obsolete: true
|
||
Comment 13•16 years ago
|
||
(In reply to comment #12)
> The "v2" patch in bug #463465 appears to fix this bug at least on WinXP.
Can you confirm this now that the patch has landed?
|
|
Assignee | |
Comment 14•16 years ago
|
||
Looks OK with Firefox 3.5.5 build id Gecko/20091109 installed on Ubuntu 9.10
|
|
Assignee | |
Comment 15•16 years ago
|
||
It also looks ok on WinXP Pro, Minefield 3.7a1pre, Gecko/20091126.
Marking "RESOLVED FIXED".
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•