Bug 734556 - Fedora 20 (GNOME 3.12) crashes on malformed PNG file
Status: RESOLVED OBSOLETE
Product: gdk-pixbuf
Classification: Platform
Component: general
Version: 2.30.x
Hardware/OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
QA Contact: gdk-pixbuf-maint
Depends on:
Blocks:
 
 
Reported: 2014-08-09 15:38 UTC by Tom 'spot' Callaway
Modified: 2015-09-15 12:06 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Fix (1.22 KB, patch), 2014-11-30 09:47 UTC, Benjamin Gilbert
io-png.c: Remove GCCism (44.69 KB, patch), 2015-09-09 14:56 UTC, Fan, Chun-wei

Description Tom 'spot' Callaway 2014-08-09 15:38:45 UTC
First noticed this when navigating through homedir on Nautilus and having Nautilus crash. Ran the core dump through gdb and noted that it was crashing each time trying to draw a specific PNG (attached in a tarball).

Reproduced in eog (it segfaulted). Gimp did not crash, but failed to load the entire image.

pngfix confirmed that it is a malformed PNG file.

It is possible that the PNG is possessed. Giving it to you so that you can reproduce this issue and hopefully fix it (overflows are bad).
Comment 1 André Klapper 2014-08-09 17:11:20 UTC
Attachment got lost, it seems...

A gdb stacktrace would also be very welcome; please paste it here.
Comment 2 Matthias Clasen 2014-08-16 13:20:17 UTC
We'll need the malformed image to make progress on this.
Comment 3 Tom 'spot' Callaway 2014-08-16 17:57:32 UTC
Sorry, looks like it was too large to attach. I've uploaded it here:

https://spot.fedorapeople.org/broken-png-inside.tar.bz2
Comment 4 Benjamin Gilbert 2014-11-30 09:47:23 UTC
Created attachment 291818: Fix
Comment 5 Benjamin Gilbert 2014-11-30 09:48:23 UTC
The problem is the dimensions of the PNG, not the fact that it's corrupt.  There's an integer overflow when populating the array of row pointers.
Comment 6 Matthias Clasen 2015-08-25 19:26:57 UTC
Should be fixed in commit 8714ab407c54d5989d15a78eb15550c2d52d95b8
Comment 7 Fan, Chun-wei 2015-09-09 14:56:36 UTC
Created attachment 311000: io-png.c: Remove GCCism

Hi,

Unfortunately 8714ab407c54d5989d15a78eb15550c2d52d95b8 would break builds on non-GCC, as we are doing pointer arithmetic on a gpointer (i.e. void *), which is a GCCism.

With blessings, thank you!
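The two technical points in this thread, the integer overflow when filling the row-pointer table (comment 5) and the non-portability of pointer arithmetic on a gpointer (comment 7), are illustrated by the following added example. It is not gdk-pixbuf's io-png.c and not the fix in the cited commit; the function names, the 256 MiB cap and the 20000x30000 RGBA dimensions are constructed for the demonstration, not taken from the reporter's file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* PNG IHDR width and height are 31-bit values (spec limit). */
#define PNG_MAX_DIM 0x7fffffffu

/* Row offset as a loader computes it when row and rowstride are int: the
 * product silently exceeds 2^31 for large images. Unsigned arithmetic is
 * used so the wrap is well defined in this demo; with int operands it is
 * undefined behaviour, and in practice the offset simply goes negative. */
int32_t naive_row_offset(uint32_t row, uint32_t rowstride)
{
    return (int32_t)(row * rowstride);
}

/* Widened, checked multiply: returns 0 and sets *out, or -1 on overflow. */
int checked_row_offset(size_t row, size_t rowstride, size_t *out)
{
    if (rowstride != 0 && row > SIZE_MAX / rowstride)
        return -1;
    *out = row * rowstride;
    return 0;
}

/* Validate IHDR dimensions and size the pixel buffer before allocating
 * anything. channels is bytes per pixel (1..4 at 8-bit depth); max_bytes
 * is a policy cap (assumed here) so a malformed or hostile header cannot
 * demand gigabytes. Returns 0 on success, -1 if the image is refused. */
int png_buffer_size(uint32_t width, uint32_t height, unsigned channels,
                    size_t max_bytes, size_t *rowstride, size_t *total)
{
    if (width == 0 || height == 0 || width > PNG_MAX_DIM || height > PNG_MAX_DIM)
        return -1;
    if (channels < 1 || channels > 4)
        return -1;
    if ((size_t)width > SIZE_MAX / channels)
        return -1;
    *rowstride = (size_t)width * channels;
    if ((size_t)height > SIZE_MAX / *rowstride)
        return -1;
    *total = (size_t)height * *rowstride;
    return *total <= max_bytes ? 0 : -1;
}

/* Build a row-pointer table of the kind libpng's png_read_image() takes,
 * proving every row lies inside the total-byte buffer. pixels is a byte
 * pointer on purpose: arithmetic on void * (gpointer) is a GCC extension,
 * so portable code casts to unsigned char * before adding an offset.
 * Returns NULL if any offset overflows or any row would run past the end. */
unsigned char **build_row_pointers(unsigned char *pixels, size_t total,
                                   size_t height, size_t rowstride)
{
    unsigned char **rows;
    size_t i;

    if (height == 0 || height > SIZE_MAX / sizeof *rows)
        return NULL;                 /* the table allocation itself can overflow */
    rows = malloc(height * sizeof *rows);
    if (rows == NULL)
        return NULL;
    for (i = 0; i < height; i++) {
        size_t off;
        if (checked_row_offset(i, rowstride, &off) != 0 ||
            off > total || rowstride > total - off) {
            free(rows);
            return NULL;
        }
        rows[i] = pixels + off;
    }
    return rows;
}

/* Scenario helpers with constructed dimensions (not the reporter's file). */

/* 1 if a 20000x30000 RGBA header is accepted under max_bytes, else 0. */
int accepts_huge_rgba(size_t max_bytes)
{
    size_t rs, tot;
    return png_buffer_size(20000, 30000, 4, max_bytes, &rs, &tot) == 0;
}

/* 1 if height rows of rowstride bytes fit a total-byte buffer, else 0. */
int row_table_fits(size_t height, size_t rowstride, size_t total)
{
    unsigned char *pixels = malloc(total ? total : 1);
    unsigned char **rows;
    int ok;
    if (pixels == NULL)
        return 0;
    rows = build_row_pointers(pixels, total, height, rowstride);
    ok = rows != NULL;
    free(rows);
    free(pixels);
    return ok;
}

int main(void)
{
    /* 20000 px * 4 channels = 80000-byte rows; row 30000 starts at byte 2.4e9. */
    printf("naive int offset of row 30000: %d\n", naive_row_offset(30000, 80000));
    printf("20000x30000 RGBA under a 256 MiB cap: %s\n",
           accepts_huge_rgba((size_t)256 << 20) ? "accepted" : "refused");
    printf("5 rows of 8 bytes in a 32-byte buffer: %s\n",
           row_table_fits(5, 8, 32) ? "fits" : "refused");
    return 0;
}
```

The naive offset for row 30000 comes out negative, which is exactly the kind of value that sends a row pointer before the start of the pixel buffer; the checked path refuses the header before any allocation happens, and the row-table builder rejects any row that would not fit even when the header arithmetic itself is sound.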
Comment 8 Fan, Chun-wei 2015-09-15 12:06:31 UTC
Hi,

Closing this in favor of a new bug, as the patch I have here would break builds on GCC.

With blessings, thank you!