| Summary: | cairo 1.14.12 hangs in read_png called from cairo_image_surface_create_from_png_stream on malformed png | ||
|---|---|---|---|
| Product: | cairo | Reporter: | Orivej Desh <orivej> |
| Component: | png functions | Assignee: | Carl Worth <cworth> |
| Status: | RESOLVED FIXED | QA Contact: | cairo-bugs mailing list <cairo-bugs> |
| Severity: | critical | ||
| Priority: | medium | CC: | ajohnson, bryce, coffeekingms, orivej, vcunat |
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: | attachment-22870-0.html | ||
|
Description
Orivej Desh
2017-12-18 19:23:01 UTC
That patch looks absolutely completely wrong. It is returning from a setjmp and then the caller is calling the code that does longjmp. Not allowed. *** Bug 104324 has been marked as a duplicate of this bug. *** Fixed in 2acc4382c54bd8239361ceed14423412a343d311 for 1.14 branch and 82f4028532c11152a0110f1b277e3358dfca6545 for master. @Orivej Desh: Thanks for the report, but what kind of compiler settings does NixOS use so that this trivial static function is not inlined by the compiler?!? (At least that's the only explanation that I have to turn this bug into something that actually breaks) @Chris Wilson: I think you got your bug number wrong. If I qualify `png_setjmp` with `inline`, it warns (thanks to -Winline):
cairo-png.c: In function ‘png_setjmp’:
cairo-png.c:163:1: warning: function ‘png_setjmp’ can never be inlined because it uses setjmp [-Winline]
png_setjmp (png_struct *png)
^~~~~~~~~~
cairo-png.c: In function ‘write_png’:
cairo-png.c:163:1: warning: inlining failed in call to ‘png_setjmp’: function not inlinable [-Winline]
cairo-png.c:241:9: note: called from here
if (png_setjmp (png))
^~~~~~~~~~~~~~~~
cairo-png.c: In function ‘read_png’:
cairo-png.c:163:1: warning: inlining failed in call to ‘png_setjmp’: function not inlinable [-Winline]
png_setjmp (png_struct *png)
^~~~~~~~~~
cairo-png.c:582:9: note: called from here
if (png_setjmp (png)) {
^~~~~~~~~~~~~~~~
We are building with gcc 6.4.0 (and glibc 2.26). Does your version of gcc inline it?
(In reply to Uli Schlachter from comment #3) > @Chris Wilson: I think you got your bug number wrong. I've already corrected the dupe pointer in #104324. @Orivej Desh: Okay, thanks for testing & sorry that I was wrong. I was thinking "surely there is a test for this" and wondered why only NixOS noticed this bug. My logic was "if the compiler inlines this new function, then everything should still work, so it can only be on NixOS that the inlining does not happen". I did not actually know that compilers are smart enough to detect setjmp() as doing "weird things". Anyway, I went ahead and now wrote a test for this (no, cairo did not yet have one already). Pushed as commit 6b0593827b072abd701ea47448981bcc9bdde9f3. (And yes, this test fails before the faulty commit is reverted and passed after the revert.) Thank you for the fix and for the test! Magic detection for the following game rom images is not provided, depending souly on file extension alone. Application-x-snes-rom, application-x-atari-2600-rom, application-x-nes-rom. Additionally, support for the following game image files is not provided. Sony Playstation 1 through 4, xbox, xbox 360, xbox 1 game images. Nintendo Wii u and nintendo switch images. I'd like to help add these. I'd also like to help improve the icons used for most of the game image types, replacing the generic executible icon with an icon representing the game image. Example, a blank nes cartridge, a blank snes cartridge, a blank disk or mini disk, etc. I do not expect this all to be done for me I will actively participate in getting this bug fixed @kendell clark: This bug was fixed half a year ago and I have no idea what you are talking about (and it seems to me you are not talking about cairo). I have noticed that there were no new stable releases since 1.14.12. This is not very good since this bug has security implications. It's also a bit unfortunate that 1.15.12 changelog [1] does not mention it in the list of bug fixes, even though the bug was present in 1.15.10, and distributors should know the severity of not upgrading from the unpatched 1.15.10 and 1.14.12. [1] https://www.cairographics.org/news/cairo-1.15.12/ Created attachment 140025 [details] attachment-22870-0.html hi I'm so sorry about that, I was filing a new bug against shared mime info, something about adding a bunch of gaming console rom types, and I foolishly thinking I was on the new bug page posted a comment, tried to remove it but I couldn't figure out how. I did the next best thing by sending an email to mailto:xdg@freedesktop.org telling the list so someone who has access could delete it. I know nothing about kairo other than it has something to do with open gl. I'm visually impaired and use a screen reader, orca, to do my computing. It doesn't excuse it of course, but I'm hoping it does at least minimize any inconvenience. Thanks Kendell Clark know nothing about kiro other than it has something to do with open gl, sorry about that. On 06/03/2018 02:10 PM, bugzilla-daemon@freedesktop.org wrote: > > *Comment # 9 <https://bugs.freedesktop.org/show_bug.cgi?id=104325#c9> > on bug 104325 <https://bugs.freedesktop.org/show_bug.cgi?id=104325> > from Uli Schlachter <mailto:psychon@znc.in> * > @kendell clark: This bug was fixed half a year ago and I have no idea what you > are talking about (and it seems to me you are not talking about cairo). > ------------------------------------------------------------------------ > You are receiving this mail because: > > * You are on the CC list for the bug. > |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.