| Field | Value |
|---|---|
| Summary | WEBP: delete on uninitialized pointer |
| Product | exempi |
| Component | Problems |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | medium |
| Version | unspecified |
| Hardware | Other |
| OS | All |
| Whiteboard | [release:2.4.4] |
| Reporter | Jakub Wilk <jwilk> |
| Assignee | Hubert Figuiere <hub> |
| QA Contact | Hubert Figuiere <hub> |
| CC | jwilk |
Description
Jakub Wilk
2017-08-13 15:33:04 UTC
Exempi crashes on some WEBP files:

> $ printf 'RIFFxxxxWEBP' > bad-free.webp
> $ exempi -x bad-free.webp
> processing file bad-free.webp
> dump_xmp for file bad-free.webp
> Segmentation fault

Backtrace:

> #0 0xb7edb5d5 in WEBP_MetaHandler::~WEBP_MetaHandler (this=0x8000fe28, __in_chrg=<optimized out>) at WEBP_Handler.cpp:70
> #1 0xb7edb63a in WEBP_MetaHandler::~WEBP_MetaHandler (this=0x8000fe28, __in_chrg=<optimized out>) at WEBP_Handler.cpp:72
> #2 0xb7e93577 in DoOpenFile (thiz=thiz@entry=0x80014170, clientIO=clientIO@entry=0x0, clientPath=clientPath@entry=0xbffff801 "bad-free.webp", format=<optimized out>, openFlags=<optimized out>) at XMPFiles.cpp:1078
> #3 0xb7e950a7 in XMPFiles::OpenFile (this=0x80014170, clientPath=0xbffff801 "bad-free.webp", format=538976288, openFlags=1) at XMPFiles.cpp:1179
> #4 0xb7e91278 in WXMPFiles_OpenFile_1 (xmpObjRef=<optimized out>, filePath=<optimized out>, format=<optimized out>, openFlags=<optimized out>, wResult=<optimized out>) at WXMPFiles.cpp:233
> #5 0xb7e44cc6 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile (this=0x8000ff10, filePath=0xbffff801 "bad-free.webp", format=538976288, openFlags=1) at ../public/include/client-glue/TXMPFiles.incl_cpp:313
> #6 0xb7e3c76a in xmp_files_open_new (path=0xbffff801 "bad-free.webp", options=XMP_OPEN_READ) at exempi.cpp:281
> #7 0x800022c4 in get_xmp_from_file (filename=0xbffff801 "bad-free.webp", no_reconcile=<optimized out>, is_an_xmp=<optimized out>) at main.cpp:235
> #8 0x800017cb in dump_xmp (outio=<optimized out>, is_an_xmp=<optimized out>, no_reconcile=<optimized out>, filename=0xbffff801 "bad-free.webp") at main.cpp:250
> #9 process_file (output="", prop_value="", value_name="", action=<optimized out>, dump_xml=<optimized out>, write_in_place=<optimized out>, is_an_xmp=<optimized out>, no_reconcile=<optimized out>, filename=0xbffff801 "bad-free.webp") at main.cpp:340

AIUI, this happens because the WEBP_MetaHandler class doesn't initialize the psirMgr and iptcMgr members, but it tries to delete them in the destructor.

Tested with git master (b1859382628b5ba961548980e3b0725d6f934b20).

Found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/

Fixed in the 2.4.x branch at 7ab1ed70f72a1ccb257b2be264b3ed0c00a6f1d7

Thanks for the report.
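The bug class described in this report, shown beside a hardened form. This is an added example, not Exempi code and not the committed fix: `Manager`, `UnsafeHandler`, `SafeHandler`, `Open` and `OpenFailsCleanly` are hypothetical names, and the "header with no chunks fails" rule is a constructed stand-in for whatever early exit the real parser takes.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <stdexcept>

// Hypothetical stand-in for the managers the handler owns; counts live objects.
struct Manager {
    static int live;
    Manager() { ++live; }
    ~Manager() { --live; }
};
int Manager::live = 0;

// Pattern from the report, for comparison only (never instantiated here):
// the pointers stay indeterminate if parsing bails out before assigning them.
class UnsafeHandler {
public:
    UnsafeHandler() {}
    ~UnsafeHandler() { delete psirMgr; delete iptcMgr; }  // deletes garbage
private:
    Manager* psirMgr;
    Manager* iptcMgr;
};

// Hardened form: owning pointers start out null and clean up after themselves.
class SafeHandler {
public:
    // Constructed rule: a bare 12-byte RIFF/WEBP header with no chunks fails.
    void Open(const unsigned char* data, std::size_t len) {
        if (len < 12 || std::memcmp(data, "RIFF", 4) != 0 ||
            std::memcmp(data + 8, "WEBP", 4) != 0)
            throw std::runtime_error("not a WEBP container");
        if (len == 12) throw std::runtime_error("no chunks after header");
        psirMgr.reset(new Manager);
        iptcMgr.reset(new Manager);
    }
    bool HasManagers() const { return psirMgr && iptcMgr; }
private:
    std::unique_ptr<Manager> psirMgr;  // default-constructed to nullptr
    std::unique_ptr<Manager> iptcMgr;
};

// True if Open() failed and destroying the handler left no Manager alive.
bool OpenFailsCleanly(const unsigned char* data, std::size_t len) {
    bool threw = false;
    {
        SafeHandler h;
        try { h.Open(data, len); } catch (const std::runtime_error&) { threw = true; }
    }
    return threw && Manager::live == 0;
}
```

Building the real library with AddressSanitizer or MemorySanitizer and replaying the 12-byte file from the report is a quick regression check for this class of bug.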