Created attachment 132949
reproducer

Exempi crashes with an assertion error on the attached WebP image:

$ exempi -x assert.webp
processing file assert.webp
dump_xmp for file assert.webp
exempi: ../../../XMPFiles/source/FormatSupport/WEBP_Support.hpp:58: void WEBP::PutLE24(XMP_Uns8*, XMP_Uns32): Assertion `val < (1 << 24)' failed.
Aborted

Backtrace:
#0  0xb7fd8d40 in __kernel_vsyscall ()
#1  0xb7a84dc0 in __libc_signal_restore_set (set=0xbffff010) at ../sysdeps/unix/sysv/linux/nptl-signals.h:79
#2  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3  0xb7a86287 in __GI_abort () at abort.c:89
#4  0xb7a7da17 in __assert_fail_base (fmt=0xb7bb96ac "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0xb7f64e36 "val < (1 << 24)", file=0xb7f64ddc "../../../XMPFiles/source/FormatSupport/WEBP_Support.hpp", line=58, function=0xb7f64ec0 "void WEBP::PutLE24(XMP_Uns8*, XMP_Uns32)") at assert.c:92
#5  0xb7a7da9b in __GI___assert_fail (assertion=0xb7f64e36 "val < (1 << 24)", file=0xb7f64ddc "../../../XMPFiles/source/FormatSupport/WEBP_Support.hpp", line=58, function=0xb7f64ec0 "void WEBP::PutLE24(XMP_Uns8*, XMP_Uns32)") at assert.c:101
#6  0xb7f3cfbc in WEBP::PutLE24 (val=4294967295, buf=0x805ac47 "") at ../../../XMPFiles/source/FormatSupport/WEBP_Support.hpp:58
#7  WEBP::VP8XChunk::height (this=0x805ac10, val=0) at WEBP_Support.cpp:152
#8  0xb7f3d5e6 in WEBP::VP8XChunk::VP8XChunk (this=0x805ac10, parent=0x805aa10) at WEBP_Support.cpp:126
#9  0xb7f3daca in WEBP::Container::Container (this=0x805aa10, handler=0x805a8d0) at WEBP_Support.cpp:201
#10 0xb7ee1232 in WEBP_MetaHandler::CacheFileData (this=0x805a8d0) at WEBP_Handler.cpp:85
#11 0xb7e9b696 in DoOpenFile (thiz=thiz@entry=0x805a720, clientIO=clientIO@entry=0x0, clientPath=<optimized out>, format=538976288, openFlags=<optimized out>) at XMPFiles.cpp:1076
#12 0xb7e9cf08 in XMPFiles::OpenFile (this=0x805a720, clientPath=0xbffff816 "assert.webp", format=538976288, openFlags=1) at XMPFiles.cpp:1179
#13 0xb7e98c1f in WXMPFiles_OpenFile_1 (xmpObjRef=0x805a720, filePath=0xbffff816 "assert.webp", format=538976288, openFlags=1, wResult=0xbffff494) at WXMPFiles.cpp:233
#14 0xb7e5d885 in TXMPFiles<std::string>::OpenFile (this=0x8057cf8, filePath=0xbffff816 "assert.webp", format=538976288, openFlags=1) at ../public/include/client-glue/TXMPFiles.incl_cpp:313
#15 0xb7e557a0 in xmp_files_open_new (path=0xbffff816 "assert.webp", options=XMP_OPEN_READ) at exempi.cpp:281
#16 0x0804935a in get_xmp_from_file (filename=filename@entry=0xbffff816 "assert.webp", no_reconcile=no_reconcile@entry=false, is_an_xmp=is_an_xmp@entry=false) at main.cpp:235
#17 0x080493e5 in dump_xmp (filename=filename@entry=0xbffff816 "assert.webp", no_reconcile=no_reconcile@entry=false, is_an_xmp=is_an_xmp@entry=false, outio=0xb7c0dd60 <_IO_2_1_stdout_>) at main.cpp:250
#18 0x080499aa in process_file (filename=0xbffff816 "assert.webp", no_reconcile=<optimized out>, is_an_xmp=<optimized out>, write_in_place=false, dump_xml=true, action=0, value_name="", prop_value="", output="") at main.cpp:340
#19 0x08049d66 in main (argc=<optimized out>, argv=<optimized out>) at main.cpp:187

Tested with git master (0320c32a388964498911d7ebdec6561687d2f6c6).

Found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/
val is 0 - 1, and unsigned. VP8XChunk::VP8XChunk must be sanitized to not pass 0 to height() or width().
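The wrap described in the comment above, as an added illustration that is not exempi's code or its fix. The backtrace shows height(val=0) calling PutLE24(val=4294967295), i.e. the setter writes val - 1 into the 24-bit field; the snippet below reproduces that arithmetic and shows a dimension setter that rejects 0 and values above 2^24 before subtracting. The PutLE24 here is a hypothetical stand-in that returns false where exempi's asserts, the VP8X payload offsets follow the WebP container spec (flags, 3 reserved bytes, width-1 and height-1 as LE24), and set_dimension / stored_dimension_unchecked are names chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t  XMP_Uns8;
typedef uint32_t XMP_Uns32;

/* VP8X chunk payload (WebP container spec): 1 flags byte, 3 reserved bytes,
   canvas width minus 1 as LE24, canvas height minus 1 as LE24. */
enum { VP8X_PAYLOAD_SIZE = 10, VP8X_WIDTH_OFFSET = 4, VP8X_HEIGHT_OFFSET = 7 };

/* Hypothetical stand-in for WEBP::PutLE24. The original asserts
   val < (1 << 24); this one reports the violation to the caller instead. */
static bool PutLE24(XMP_Uns8 *buf, XMP_Uns32 val)
{
    if (val >= (1u << 24))
        return false;
    buf[0] = (XMP_Uns8)(val & 0xFF);
    buf[1] = (XMP_Uns8)((val >> 8) & 0xFF);
    buf[2] = (XMP_Uns8)((val >> 16) & 0xFF);
    return true;
}

static XMP_Uns32 GetLE24(const XMP_Uns8 *buf)
{
    return (XMP_Uns32)buf[0] | ((XMP_Uns32)buf[1] << 8) | ((XMP_Uns32)buf[2] << 16);
}

/* What the crashing setter hands to PutLE24: the file stores dimension - 1,
   so height(0) computes 0u - 1, which wraps to 4294967295. */
static XMP_Uns32 stored_dimension_unchecked(XMP_Uns32 val)
{
    return val - 1;
}

/* Sanitized setter: a canvas dimension must be in 1..2^24 inclusive; anything
   else is rejected before the subtraction can wrap. */
static bool set_dimension(XMP_Uns8 *payload, size_t offset, XMP_Uns32 val)
{
    if (val == 0 || val > (1u << 24))
        return false;
    return PutLE24(payload + offset, val - 1);
}

static XMP_Uns32 get_dimension(const XMP_Uns8 *payload, size_t offset)
{
    return GetLE24(payload + offset) + 1;
}

int main(void)
{
    XMP_Uns8 payload[VP8X_PAYLOAD_SIZE] = {0}; /* constructed buffer, not assert.webp */
    XMP_Uns8 scratch[3];

    printf("height(0) would pass %u to PutLE24\n", stored_dimension_unchecked(0));
    printf("PutLE24 accepts it: %s\n",
           PutLE24(scratch, stored_dimension_unchecked(0)) ? "yes" : "no");
    printf("set_dimension(height, 0): %s\n",
           set_dimension(payload, VP8X_HEIGHT_OFFSET, 0) ? "ok" : "rejected");
    printf("set_dimension(width, 1 << 24): %s, reads back %u\n",
           set_dimension(payload, VP8X_WIDTH_OFFSET, 1u << 24) ? "ok" : "rejected",
           get_dimension(payload, VP8X_WIDTH_OFFSET));
    return 0;
}
```

Rejecting the bad value in the setter makes the failure a reportable parse error rather than an abort in an assert, which matters for a library that is fed untrusted image files by desktop indexers.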
Fixed in 9e76a7782a54a242f18d609e7ba32bf1c430a5e4 in the 2.4 branch
and in master