Bug 101913 - Reachable assertion: WEBP::PutLE24(XMP_Uns8*, XMP_Uns32): Assertion `val < (1 << 24)' failed.
Summary: Reachable assertion: WEBP::PutLE24(XMP_Uns8*, XMP_Uns32): Assertion `val < (1...
Alias: None
Product: exempi
Classification: Unclassified
Component: Problems (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Hubert Figuiere
QA Contact: Hubert Figuiere
Whiteboard: [release:2.4.3]
Depends on:
Reported: 2017-07-25 09:59 UTC by Jakub Wilk
Modified: 2017-08-04 02:25 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

reproducer (226 bytes, image/webp)
2017-07-25 09:59 UTC, Jakub Wilk

Description Jakub Wilk 2017-07-25 09:59:53 UTC
Created attachment 132949 [details]

Exempi crashes with an assertion error on the attached WebP image:

  $ exempi -x assert.webp 
  processing file assert.webp
  dump_xmp for file assert.webp
  exempi: ../../../XMPFiles/source/FormatSupport/WEBP_Support.hpp:58: void WEBP::PutLE24(XMP_Uns8*, XMP_Uns32): Assertion `val < (1 << 24)' failed.


  #0  0xb7fd8d40 in __kernel_vsyscall ()
  #1  0xb7a84dc0 in __libc_signal_restore_set (set=0xbffff010) at ../sysdeps/unix/sysv/linux/nptl-signals.h:79
  #2  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
  #3  0xb7a86287 in __GI_abort () at abort.c:89
  #4  0xb7a7da17 in __assert_fail_base (fmt=0xb7bb96ac "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0xb7f64e36 "val < (1 << 24)", file=0xb7f64ddc "../../../XMPFiles/source/FormatSupport/WEBP_Support.hpp", line=58, function=0xb7f64ec0 "void WEBP::PutLE24(XMP_Uns8*, XMP_Uns32)") at assert.c:92
  #5  0xb7a7da9b in __GI___assert_fail (assertion=0xb7f64e36 "val < (1 << 24)", file=0xb7f64ddc "../../../XMPFiles/source/FormatSupport/WEBP_Support.hpp", line=58, function=0xb7f64ec0 "void WEBP::PutLE24(XMP_Uns8*, XMP_Uns32)") at assert.c:101
  #6  0xb7f3cfbc in WEBP::PutLE24 (val=4294967295, buf=0x805ac47 "") at ../../../XMPFiles/source/FormatSupport/WEBP_Support.hpp:58
  #7  WEBP::VP8XChunk::height (this=0x805ac10, val=0) at WEBP_Support.cpp:152
  #8  0xb7f3d5e6 in WEBP::VP8XChunk::VP8XChunk (this=0x805ac10, parent=0x805aa10) at WEBP_Support.cpp:126
  #9  0xb7f3daca in WEBP::Container::Container (this=0x805aa10, handler=0x805a8d0) at WEBP_Support.cpp:201
  #10 0xb7ee1232 in WEBP_MetaHandler::CacheFileData (this=0x805a8d0) at WEBP_Handler.cpp:85
  #11 0xb7e9b696 in DoOpenFile (thiz=thiz@entry=0x805a720, clientIO=clientIO@entry=0x0, clientPath=<optimized out>, format=538976288, openFlags=<optimized out>) at XMPFiles.cpp:1076
  #12 0xb7e9cf08 in XMPFiles::OpenFile (this=0x805a720, clientPath=0xbffff816 "assert.webp", format=538976288, openFlags=1) at XMPFiles.cpp:1179
  #13 0xb7e98c1f in WXMPFiles_OpenFile_1 (xmpObjRef=0x805a720, filePath=0xbffff816 "assert.webp", format=538976288, openFlags=1, wResult=0xbffff494) at WXMPFiles.cpp:233
  #14 0xb7e5d885 in TXMPFiles<std::string>::OpenFile (this=0x8057cf8, filePath=0xbffff816 "assert.webp", format=538976288, openFlags=1) at ../public/include/client-glue/TXMPFiles.incl_cpp:313
  #15 0xb7e557a0 in xmp_files_open_new (path=0xbffff816 "assert.webp", options=XMP_OPEN_READ) at exempi.cpp:281
  #16 0x0804935a in get_xmp_from_file (filename=filename@entry=0xbffff816 "assert.webp", no_reconcile=no_reconcile@entry=false, is_an_xmp=is_an_xmp@entry=false) at main.cpp:235
  #17 0x080493e5 in dump_xmp (filename=filename@entry=0xbffff816 "assert.webp", no_reconcile=no_reconcile@entry=false, is_an_xmp=is_an_xmp@entry=false, outio=0xb7c0dd60 <_IO_2_1_stdout_>) at main.cpp:250
  #18 0x080499aa in process_file (filename=0xbffff816 "assert.webp", no_reconcile=<optimized out>, is_an_xmp=<optimized out>, write_in_place=false, dump_xml=true, action=0, value_name="", prop_value="", output="") at main.cpp:340
  #19 0x08049d66 in main (argc=<optimized out>, argv=<optimized out>) at main.cpp:187

Tested with git master (0320c32a388964498911d7ebdec6561687d2f6c6).

Found using American Fuzzy Lop:
Comment 1 Hubert Figuiere 2017-08-03 03:08:19 UTC
val is 0 - 1. And unsigned.

VP8XChunk::VP8XChunk must be sanitized to not pass 0 to height() or width()
Comment 2 Hubert Figuiere 2017-08-03 03:33:01 UTC
Fixed in 9e76a7782a54a242f18d609e7ba32bf1c430a5e4 in the 2.4 branch
Comment 3 Hubert Figuiere 2017-08-04 02:15:19 UTC
and in master

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.