Bug 701071 - Loading a fuzzed .g3 file fails
Status: RESOLVED OBSOLETE
Product: GIMP
Classification: Other
Component: Plugins
Version: 2.8.4
Hardware/OS: Other Linux
Priority/Severity: Normal minor
Target Milestone: ---
Assigned To: GIMP Bugs
GIMP Bugs
Depends on:
Blocks:
Reported: 2013-05-27 07:16 UTC by Esa Jääskelä
Modified: 2018-05-24 13:43 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Picture causing the problem (54.96 KB, application/octet-stream)
2013-05-27 07:16 UTC, Esa Jääskelä

Description Esa Jääskelä 2013-05-27 07:16:15 UTC
Created attachment 245371 [details]
Picture causing the problem

Loading a fuzzed .g3 file fails. I get the following stack trace from AddressSanitizer:

=================================================================
==3322==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000004264d9 sp 0x7fff79834240 bp 0x7fff79834370 T0)
AddressSanitizer can not provide additional info.
    #0 0x4264d8 in emitgimp ../../../gimp-2.8.4/plug-ins/file-faxg3/faxg3.c:0
    #1 0x426345 in load_image ../../../gimp-2.8.4/plug-ins/file-faxg3/faxg3.c:0
    #2 0x425817 in run ../../../gimp-2.8.4/plug-ins/file-faxg3/faxg3.c:0
    #3 0x7f28a0155855 in gimp_proc_run ../../gimp-2.8.4/libgimp/gimp.c:0
    #4 0x7f28a0151773 in gimp_loop ../../gimp-2.8.4/libgimp/gimp.c:0
    #5 0x7f28a0150e4e in gimp_main ??:0
    #6 0x7f289e49f76c in ?? ??:0
    #7 0x425544 in _start ??:0
==3322==ABORTING

The following errors from GIMP:
--------------
Calling error for procedure 'gimp-image-new':
Procedure 'gimp-image-new' has been called with value '0' for argument 'width' (#1, type GimpInt32). This value is out of range.

Calling error for procedure 'gimp-image-set-filename':
Procedure 'gimp-image-set-filename' has been called with an invalid ID for argument 'image'. Most likely a plug-in is trying to work on an image that doesn't exist any longer.

Calling error for procedure 'gimp-layer-new':
Procedure 'gimp-layer-new' has been called with an invalid ID for argument 'image'. Most likely a plug-in is trying to work on an image that doesn't exist any longer.

Too many error messages!
Messages are redirected to stderr.
--------------

And this also:
(file-faxg3:3899): LibGimp-CRITICAL **: GimpDrawable *gimp_drawable_get(gint32): assertion `width > 0 && height > 0 && bpp > 0' failed


I think that fuzzing messes up the file so that the width turns to zero (or so the loading plug-in at least thinks), which makes the loading plug-in file-faxg3 crash. Happens on Ubuntu 12.04, OSX 10.8.3 and Ubuntu 6, all running Gimp 2.8.4. Not really a big problem I suppose, so I marked this as minor.
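The failure chain in the report (decoded width of 0, passed straight to gimp-image-new, which rejects it, after which every later call works on an image ID that was never created) is the classic "validate dimensions before allocating or creating anything" defect. The following is an added example, not code from GIMP's faxg3.c or from the reporter: it sketches how a loader should derive width and height from what the decoder actually produced, reject zero or absurd dimensions, and compute the canvas size without integer overflow, before any image or layer is created. The names check_image_dims, build_canvas and the MAX_DIM cap are assumptions of this example, and the two line tables are constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Upper bound on either dimension; assumed for this example, not GIMP's value. */
#define MAX_DIM 65535L

/* Outcome of validating decoded image dimensions before any image is created. */
typedef enum {
    DIMS_OK = 0,
    DIMS_ZERO,       /* width, height or bpp is zero or negative */
    DIMS_TOO_LARGE,  /* a dimension exceeds MAX_DIM */
    DIMS_OVERFLOW,   /* width * height * bpp does not fit in size_t */
    DIMS_ALLOC       /* canvas allocation failed */
} dims_status;

/* Validate (width, height, bpp) and compute the canvas size in bytes without
 * overflowing. A fuzzed file that decodes to no usable lines yields width 0,
 * which is exactly the value the report shows reaching gimp-image-new. */
dims_status check_image_dims(long width, long height, int bpp, size_t *bytes_out)
{
    if (width <= 0 || height <= 0 || bpp <= 0)
        return DIMS_ZERO;
    if (width > MAX_DIM || height > MAX_DIM)
        return DIMS_TOO_LARGE;
    size_t w = (size_t)width, h = (size_t)height, b = (size_t)bpp;
    /* Check each multiplication against SIZE_MAX before performing it. */
    if (w > SIZE_MAX / h)
        return DIMS_OVERFLOW;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / b)
        return DIMS_OVERFLOW;
    if (bytes_out)
        *bytes_out = pixels * b;
    return DIMS_OK;
}

/* Given the per-line pixel counts a G3 decoder produced, derive the image
 * dimensions (widest line x number of lines), validate them, and only then
 * allocate the canvas. On DIMS_OK *canvas is a calloc'd buffer the caller frees;
 * on any other status *canvas is NULL and nothing has been created. */
dims_status build_canvas(const int *line_len, int nlines, int bpp,
                         long *width_out, long *height_out, unsigned char **canvas)
{
    long width = 0;
    for (int i = 0; i < nlines; i++)
        if (line_len[i] > width)
            width = line_len[i];

    *width_out = width;
    *height_out = nlines;
    *canvas = NULL;

    size_t bytes = 0;
    dims_status st = check_image_dims(width, nlines, bpp, &bytes);
    if (st != DIMS_OK)
        return st;            /* reject before any image/layer call is made */

    *canvas = calloc(bytes, 1);
    return *canvas ? DIMS_OK : DIMS_ALLOC;
}

int main(void)
{
    /* Constructed line tables: a sane 3-line fax page, and a fuzzed file whose
     * decoder produced no pixels on any line. */
    const int sane[]   = { 1728, 1728, 1700 };
    const int fuzzed[] = { 0, 0, 0 };
    long w, h;
    unsigned char *canvas;

    dims_status st = build_canvas(sane, 3, 1, &w, &h, &canvas);
    printf("sane:   status=%d width=%ld height=%ld\n", st, w, h);
    free(canvas);

    st = build_canvas(fuzzed, 3, 1, &w, &h, &canvas);
    printf("fuzzed: status=%d width=%ld height=%ld (rejected, no image created)\n",
           st, w, h);
    free(canvas);  /* NULL here, harmless */
    return 0;
}
```

The point of ordering the checks this way is that a rejected file never reaches the image-creation call at all, so the cascade of "invalid ID for argument 'image'" errors and the gimp_drawable_get assertion seen in the report cannot occur; the loader reports one clear error for the bad file instead.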
Comment 1 Michael Natterer 2013-05-27 21:09:39 UTC
Indeed, hilariously broken.
Comment 2 GNOME Infrastructure Team 2018-05-24 13:43:32 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gimp/issues/475.