Bug 795249 - (CVE-2018-10112) crash on reading malformed PNG
Status: RESOLVED OBSOLETE
Product: GEGL
Classification: Other
Component: gegl binary
Version: unspecified
Hardware: Other Mac OS
Importance: Normal normal
Target Milestone: ---
Assigned To: Default Gegl Component Owner
Depends on:
Blocks:
Reported: 2018-04-14 05:06 UTC by xqx
Modified: 2018-05-22 12:22 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
malformed PNG possibly causing crash (218 bytes, application/octet-stream), 2018-04-14 12:39 UTC, Øyvind Kolås (pippin)

Description xqx 2018-04-14 05:06:17 UTC
Another outbound write bug in gegl.
The debug information is as follows:

========
gdb --args gegl $POC
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

(gegl:201): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead

(gegl:201): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead
LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range.
LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range.

** (gegl:201): WARNING **: No display handler operation found for gegl:display
LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range.
[New Thread 0x7fffef432700 (LWP 202)]

Thread 1 "gegl" received signal SIGSEGV, Segmentation fault.
babl_format_get_bytes_per_pixel (format=0x824871a0) at babl-format.c:538
538       if (format->class_type == BABL_FORMAT)
$ bt
#0  babl_format_get_bytes_per_pixel at babl-format.c:538
#1  constructed at ../../../gegl/gegl/buffer/gegl-tile-backend.c:128
#2  gegl_tile_backend_swap_constructed at ../../../gegl/gegl/buffer/gegl-tile-backend-swap.c:825
#3  ?? from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#4  g_object_new_valist from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5  g_object_new from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6  gegl_buffer_constructor at ../../../gegl/gegl/buffer/gegl-buffer.c:578
#7  ?? from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8  g_object_new_valist from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#9  g_object_new from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#10 gegl_node_get_cache at ../../../gegl/gegl/graph/gegl-node.c:2015
#11 gegl_processor_set_rectangle at ../../../gegl/gegl/process/gegl-processor.c:366
#12 ?? from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 g_object_new_valist from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 g_object_new from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 gegl_node_new_processor at ../../../gegl/gegl/process/gegl-processor.c:829
#16 gegl_node_process at ../../../gegl/gegl/graph/gegl-node.c:1825
#17 main at ../../gegl/bin/gegl.c:255


=======
For the PoC, please refer to:
https://github.com/xiaoqx/pocs/blob/master/gegl/gegl-outbound-write-2
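The repeated "PNG unsigned integer out of range" lines in the gdb session are libpng rejecting a 4-byte field larger than 2^31-1, the limit the PNG format places on chunk lengths and IHDR dimensions. The following is an added example, not GEGL's or libpng's code, of the same signature and IHDR check a loader can apply before it sizes any buffer from the file's dimensions; both sample headers are constructed here, and CRC validation is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PNG caps every 4-byte unsigned field (chunk length, IHDR width/height) at 2^31-1;
 * libpng reports a larger value as "PNG unsigned integer out of range". */
#define PNG_UINT_31_MAX 0x7fffffffU

static const uint8_t PNG_SIG[8] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n' };

/* Constructed sample: signature + IHDR of a 1x1 8-bit RGB image (CRC omitted). */
static const uint8_t SAMPLE_OK[29] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 1,  0, 0, 0, 1,  8, 2, 0, 0, 0 };
/* Constructed malformed sample: the width field 0xFFFFFFFF exceeds the 31-bit limit. */
static const uint8_t SAMPLE_BAD[29] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0xff, 0xff, 0xff, 0xff,  0, 0, 0, 1,  8, 2, 0, 0, 0 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validates signature and IHDR before any buffer is sized from the dimensions.
 * Returns 0 on success; 1 truncated, 2 bad signature, 3 first chunk not IHDR,
 * 4 bad IHDR length, 5 a 31-bit field out of range, 6 zero width or height.
 * The chunk CRC is not checked here. */
int png_check_header(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h) {
    if (len < 8 + 8 + 13) return 1;
    if (memcmp(buf, PNG_SIG, 8) != 0) return 2;
    uint32_t chunk_len = be32(buf + 8);
    if (chunk_len > PNG_UINT_31_MAX) return 5;
    if (memcmp(buf + 12, "IHDR", 4) != 0) return 3;
    if (chunk_len != 13) return 4;
    uint32_t width = be32(buf + 16), height = be32(buf + 20);
    if (width > PNG_UINT_31_MAX || height > PNG_UINT_31_MAX) return 5;
    if (width == 0 || height == 0) return 6;
    if (w) *w = width;
    if (h) *h = height;
    return 0;
}

int main(void) {
    uint32_t w = 0, h = 0;
    printf("ok sample  -> %d (%ux%u)\n", png_check_header(SAMPLE_OK, sizeof SAMPLE_OK, &w, &h), w, h);
    printf("bad sample -> %d\n", png_check_header(SAMPLE_BAD, sizeof SAMPLE_BAD, NULL, NULL));
    return 0;
}
```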
Comment 1 Øyvind Kolås (pippin) 2018-04-14 12:38:27 UTC
Does not crash here; libpng balks at the invalid PNG. Are you testing git master?

pippin@yogy:~/foo$ gegl  malformed-png  -o /tmp/a.png 

** (gegl:9939): WARNING **: 14:37:21.757: gegl:png-load wrong png header

** (gegl:9939): WARNING **: 14:37:21.757: gegl:png-load wrong png header

** (gegl:9939): WARNING **: 14:37:21.757: gegl:png-load wrong png header

(gegl:9939): GEGL-WARNING **: 14:37:21.757: Output of gegl:nop 0x55cf2303c0a0 has no format

(gegl:9939): GEGL-WARNING **: 14:37:21.758: Output of gegl:nop 0x55cf2303c0a0 has no format

(gegl:9939): GEGL-WARNING **: 14:37:21.758: Output of gegl:nop 0x55cf2303c0a0 has no format

(gegl:9939): GEGL-WARNING **: 14:37:21.758: gegl-operation.c:157 Eeek: processing 0px rectangle

(gegl:9939): GEGL-WARNING **: 14:37:21.758: Output of gegl:nop 0x55cf2303c0a0 has no format

(gegl:9939): GEGL-WARNING **: 14:37:21.758: Output of gegl:nop 0x55cf2303c0a0 has no format
Comment 2 Øyvind Kolås (pippin) 2018-04-14 12:39:44 UTC
Created attachment 370925
malformed PNG possibly causing crash

Attaching the relevant test file to the bug report.
Comment 3 GNOME Infrastructure Team 2018-05-22 12:22:02 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gegl/issues/65.