GNOME Bugzilla – Bug 739785
gdk_pixbuf_animation_new_from_file assert on malformed PNG file
Last modified: 2016-10-08 11:52:31 UTC
When gdk_pixbuf_animation_new_from_file() is called on a malformed PNG file this will cause an assert. This has the potential to crash applications (I first encountered this in claws-mail). See attached sample code:

* Compile: gcc `pkg-config --libs --cflags glib-2.0 gdk-pixbuf-2.0` gdk-crash.c -o gdk-crash
* Run on good PNG file: ./gdk-crash good.png - nothing happens
* Run on bad PNG file: ./gdk-crash crash.png - assert

I'll attach gdk-crash.c and crash.png.
Created attachment 290173 [details] crash.png
Created attachment 290174 [details] gdk-crash.c
doesn't crash here. can you provide a stacktrace ?
gdb backtrace:

GdkPixbuf:ERROR:/var/tmp/portage/x11-libs/gdk-pixbuf-2.30.8/work/gdk-pixbuf-2.30.8/gdk-pixbuf/gdk-pixbuf-animation.c:250:gdk_pixbuf_animation_new_from_file: assertion failed: (animation)

Program received signal SIGABRT, Aborted.
0x00007ffff70a6237 in raise () from /lib64/libc.so.6
(gdb) bt
+ Trace 234316
I re-tried this with latest git head code and can reproduce it there also. It can also be triggered with a much smaller example, just a 2-byte-file.
Created attachment 290267 [details] 2-byte-file to cause assert
still doesn't crash here :-(
Created attachment 290771 [details] full backtrace

Full backtrace attached. Generated with Fedora 21 (x86_64). Using the "malformed png file": http://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=1447

$ gcc -g test.c -o test $(pkg-config --cflags --libs gdk-pixbuf-2.0)
$ ./test 2670-sample.png
** GdkPixbuf:ERROR:gdk-pixbuf-animation.c:250:gdk_pixbuf_animation_new_from_file: assertion failed: (animation)
Aborted (core dumped)
The problem is that the "animation" pointer is initialized to NULL in line 222 prior to loading the image, and later on, up to end-of-file, it does not receive any value, so the assertion in line 250 doesn't hold true:

215         } else if (image_module->begin_load != NULL) {
222                 animation = NULL;
225                 context = image_module->begin_load (NULL, prepared_notify, NULL, &animation, error);
226                 if (!context)
227                         goto fail_begin_load;
228
229                 while (!feof (f) && !ferror (f)) {
230                         length = fread (buffer, 1, sizeof (buffer), f);
231                         if (length > 0) {
232                                 if (!image_module->load_increment (context, buffer, length, error)) {
233                                         error = NULL;
234                                         goto fail_load_increment;
235                                 }
236                         }
237                 }
238
239                 success = TRUE;
240
241         fail_load_increment:
242                 if (!image_module->stop_load (context, error))
243                         success = FALSE;
244
245         fail_begin_load:
246                 fclose (f);
247
248                 if (success) {
249                         /* If there was no error, there must be an animation that was successfully loaded */
250                         g_assert (animation);
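To make the control flow described in the comment above concrete, here is an added, self-contained C model of that loop. It is example code written for this page, not gdk-pixbuf's own code: MockAnimation, MockContext, the mock_* module callbacks, load_animation and load_animation_checked are constructed stand-ins for the real module interface, and the sample inputs are constructed. With a 2-byte input the module accepts every chunk without error, stop_load succeeds, and the animation pointer is still NULL, which is exactly the state the original code asserts on; the checked wrapper turns that state into an error return for the caller instead of an abort.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of the load loop, modelled on the gdk-pixbuf-animation.c excerpt quoted
 * above. LOAD_SUCCESS_NULL_ANIMATION is the state in which the original code
 * reaches g_assert (animation) and aborts. */
typedef enum { LOAD_OK, LOAD_FAILED, LOAD_SUCCESS_NULL_ANIMATION } LoadStatus;

/* Stand-ins for a module's result and per-load state (constructed for this
 * example; not gdk-pixbuf's real GdkPixbufAnimation or module interface). */
typedef struct { size_t payload_bytes; } MockAnimation;
typedef struct { unsigned char header[8]; size_t have; MockAnimation **animation_out; } MockContext;
static const unsigned char PNG_SIGNATURE[8] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a};

static MockContext *mock_begin_load(MockAnimation **animation_out) {
    MockContext *ctx = calloc(1, sizeof *ctx);
    if (ctx) ctx->animation_out = animation_out;
    return ctx;
}

/* Like a real incremental decoder, this buffers bytes until it holds a complete
 * signature. A 2-byte input never gets that far: it is neither rejected nor
 * decoded, so every call "succeeds" while producing nothing. */
static bool mock_load_increment(MockContext *ctx, const unsigned char *buf, size_t len) {
    while (len > 0 && ctx->have < sizeof ctx->header) {
        ctx->header[ctx->have++] = *buf++;
        len--;
    }
    if (ctx->have < sizeof ctx->header)
        return true;                              /* still waiting for data */
    if (memcmp(ctx->header, PNG_SIGNATURE, sizeof PNG_SIGNATURE) != 0)
        return false;                             /* complete, but not a PNG */
    if (*ctx->animation_out == NULL &&
        (*ctx->animation_out = calloc(1, sizeof(MockAnimation))) == NULL)
        return false;
    (*ctx->animation_out)->payload_bytes += len;  /* bytes after the signature */
    return true;
}

/* stop_load reports success even when nothing was decoded, matching the trace
 * above: success stays TRUE and control reaches the assertion. */
static bool mock_stop_load(MockContext *ctx) { free(ctx); return true; }

/* Mirrors lines 222-250 of the quoted function, feeding a memory buffer in
 * fixed-size chunks in place of fread() on a FILE. */
static LoadStatus load_animation(const unsigned char *file, size_t file_len,
                                 MockAnimation **out_animation) {
    unsigned char buffer[4096];
    MockAnimation *animation = NULL;                        /* line 222 */
    bool success = false;
    size_t offset = 0;
    MockContext *context = mock_begin_load(&animation);    /* line 225 */
    if (!context)
        return LOAD_FAILED;
    while (offset < file_len) {                             /* line 229 */
        size_t length = file_len - offset;
        if (length > sizeof buffer)
            length = sizeof buffer;
        memcpy(buffer, file + offset, length);
        offset += length;
        if (!mock_load_increment(context, buffer, length))  /* line 232 */
            goto fail_load_increment;
    }
    success = true;                                         /* line 239 */
fail_load_increment:
    if (!mock_stop_load(context))                           /* line 242 */
        success = false;
    if (!success) {
        free(animation);
        return LOAD_FAILED;
    }
    if (animation == NULL)          /* the original runs g_assert (animation) here */
        return LOAD_SUCCESS_NULL_ANIMATION;
    *out_animation = animation;
    return LOAD_OK;
}

/* Defensive wrapper: a load that "succeeded" without producing an animation is
 * a malformed-input error for the caller, not a reason to abort the process. */
static MockAnimation *load_animation_checked(const unsigned char *file, size_t file_len,
                                             const char **error) {
    MockAnimation *animation = NULL;
    switch (load_animation(file, file_len, &animation)) {
    case LOAD_OK:     *error = NULL; return animation;
    case LOAD_FAILED: *error = "image module reported an error"; return NULL;
    default:          *error = "no image decoded from truncated or malformed file"; return NULL;
    }
}

int main(void) {
    /* Constructed input: a 2-byte stub like the attached reproducer. */
    static const unsigned char two_bytes[2] = {0x89, 'P'};
    const char *err = NULL;
    MockAnimation *a = load_animation_checked(two_bytes, sizeof two_bytes, &err);
    printf("2-byte file: %s\n", a ? "loaded" : err);
    free(a);
    return 0;
}
```

The same three-way split applies to an empty file (the read loop never runs, so nothing is ever decoded) and to a file whose complete signature is wrong (the module rejects it and the load fails normally); only the "accepted but never decoded" case reaches the assertion in the original, and the wrapper is what a library caller needs in order to treat it as bad input.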
I can no longer reproduce this, so I assume this has been fixed in the meantime.