Bug 102197 - WEBP: delete on uninitialized pointer
Summary: WEBP: delete on uninitialized pointer
Status: RESOLVED FIXED
Alias: None
Product: exempi
Classification: Unclassified
Component: Problems
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Hubert Figuiere
QA Contact: Hubert Figuiere
URL:
Whiteboard: [release:2.4.4]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-13 15:33 UTC by Jakub Wilk
Modified: 2018-02-04 16:15 UTC (History)

See Also:


Attachments

Description Jakub Wilk 2017-08-13 15:33:04 UTC

Comment 1 Jakub Wilk 2017-08-13 15:34:39 UTC
Exempi crashes on some WEBP files:

> $ printf 'RIFFxxxxWEBP' > bad-free.webp
> $ exempi -x bad-free.webp
> processing file bad-free.webp
> dump_xmp for file bad-free.webp
> Segmentation fault

Backtrace:

> #0  0xb7edb5d5 in WEBP_MetaHandler::~WEBP_MetaHandler (this=0x8000fe28, __in_chrg=<optimized out>) at WEBP_Handler.cpp:70
> #1  0xb7edb63a in WEBP_MetaHandler::~WEBP_MetaHandler (this=0x8000fe28, __in_chrg=<optimized out>) at WEBP_Handler.cpp:72
> #2  0xb7e93577 in DoOpenFile (thiz=thiz@entry=0x80014170, clientIO=clientIO@entry=0x0, clientPath=clientPath@entry=0xbffff801 "bad-free.webp", format=<optimized out>, openFlags=<optimized out>) at XMPFiles.cpp:1078
> #3  0xb7e950a7 in XMPFiles::OpenFile (this=0x80014170, clientPath=0xbffff801 "bad-free.webp", format=538976288, openFlags=1) at XMPFiles.cpp:1179
> #4  0xb7e91278 in WXMPFiles_OpenFile_1 (xmpObjRef=<optimized out>, filePath=<optimized out>, format=<optimized out>, openFlags=<optimized out>, wResult=<optimized out>) at WXMPFiles.cpp:233
> #5  0xb7e44cc6 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile (this=0x8000ff10, filePath=0xbffff801 "bad-free.webp", format=538976288, openFlags=1) at ../public/include/client-glue/TXMPFiles.incl_cpp:313
> #6  0xb7e3c76a in xmp_files_open_new (path=0xbffff801 "bad-free.webp", options=XMP_OPEN_READ) at exempi.cpp:281
> #7  0x800022c4 in get_xmp_from_file (filename=0xbffff801 "bad-free.webp", no_reconcile=<optimized out>, is_an_xmp=<optimized out>) at main.cpp:235
> #8  0x800017cb in dump_xmp (outio=<optimized out>, is_an_xmp=<optimized out>, no_reconcile=<optimized out>, filename=0xbffff801 "bad-free.webp") at main.cpp:250
> #9  process_file (output="", prop_value="", value_name="", action=<optimized out>, dump_xml=<optimized out>, write_in_place=<optimized out>, is_an_xmp=<optimized out>, no_reconcile=<optimized out>, filename=0xbffff801 "bad-free.webp") at main.cpp:340

AIUI, this happens because the WEBP_MetaHandler class doesn't initialize the psirMgr and iptcMgr members, but it tries to delete them in the destructor.

Tested with git master (b1859382628b5ba961548980e3b0725d6f934b20).

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
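The bug class described in the comment above, as an added illustration that is not part of the bug report and not exempi's code: a handler that owns two heap objects through raw pointers, only creates them once the container header has been accepted, and must therefore give those pointers a defined value before any early-return path can reach the destructor. The class and member names (WebpMetaHandler, IptcManager, PsirManager, open, openAndClose) are hypothetical stand-ins; the RIFF header check is a minimal one written for this example and does not reproduce the handler's real parsing or the fix committed in 7ab1ed70.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Hypothetical stand-ins for the psirMgr/iptcMgr objects the report names;
// their real definitions are not on this page.
struct IptcManager { int records = 0; };
struct PsirManager { int resources = 0; };

// Little-endian helpers used to build and read the 4-byte RIFF size field.
static void appendLe32(std::string& d, uint32_t v) {
    for (int i = 0; i < 4; ++i) d.push_back(static_cast<char>((v >> (8 * i)) & 0xff));
}
static uint32_t readLe32(const std::string& d, size_t off) {
    uint32_t v = 0;
    for (int i = 3; i >= 0; --i) v = (v << 8) | static_cast<unsigned char>(d[off + i]);
    return v;
}

// Hypothetical handler modelled on the failure pattern in the report: if the
// two owning pointers were left uninitialised and open() returned early, the
// destructor's delete would operate on indeterminate values (the crash in the
// backtrace).  Initialising them in the constructor makes every path safe.
class WebpMetaHandler {
public:
    WebpMetaHandler() : iptcMgr(nullptr), psirMgr(nullptr), opened(false) {}
    ~WebpMetaHandler() {
        delete iptcMgr;  // delete on a null pointer is a well-defined no-op
        delete psirMgr;
    }
    WebpMetaHandler(const WebpMetaHandler&) = delete;
    WebpMetaHandler& operator=(const WebpMetaHandler&) = delete;

    // Validate the 12-byte header ("RIFF", little-endian size, "WEBP") before
    // allocating anything; every early return leaves the object exactly as
    // the constructor built it.
    bool open(const std::string& data) {
        if (data.size() < 12) return false;
        if (data.compare(0, 4, "RIFF") != 0) return false;
        if (data.compare(8, 4, "WEBP") != 0) return false;
        const uint32_t riffSize = readLe32(data, 4);
        // The RIFF size counts every byte after the 8-byte chunk header, so it
        // must at least cover "WEBP" and must not exceed the buffer.
        if (riffSize < 4 || riffSize > data.size() - 8) return false;
        iptcMgr = new IptcManager();
        psirMgr = new PsirManager();
        opened = true;
        return true;
    }
    bool isOpen() const { return opened; }
    bool hasManagers() const { return iptcMgr != nullptr && psirMgr != nullptr; }

private:
    IptcManager* iptcMgr;
    PsirManager* psirMgr;
    bool opened;
};

// Open and immediately destroy a handler; returns whether open() accepted the
// input.  With the original defect, the rejecting branch is the one whose
// destructor touched garbage pointers.
bool openAndClose(const std::string& data) {
    WebpMetaHandler h;
    return h.open(data);
}

// True when the helpers are absent before open() and present exactly when
// open() succeeded.
bool managersAllocatedOnlyAfterOpen(const std::string& data) {
    WebpMetaHandler h;
    const bool before = h.hasManagers();
    const bool ok = h.open(data);
    return !before && ok == h.hasManagers();
}

// The 12-byte input from the report: the size field "xxxx" (0x78787878) claims
// far more data than is present, so open() rejects it without allocating.
std::string constructedBadFile() { return std::string("RIFFxxxxWEBP"); }

// A constructed minimal well-formed container: header plus one "VP8 " chunk
// carrying a 2-byte payload (RIFF chunk sizes are even).
std::string constructedGoodFile() {
    std::string d = "RIFF";
    appendLe32(d, 4 + 8 + 2);  // "WEBP" + chunk header + payload
    d += "WEBPVP8 ";
    appendLe32(d, 2);
    d += std::string(2, '\0');
    return d;
}
```

The defensive point is the constructor: once every owning pointer starts as nullptr, the destructor no longer depends on which of open()'s branches ran. Smart pointers (std::unique_ptr) remove the hazard entirely, since they cannot exist in an uninitialised state; the raw-pointer form is shown here only because it mirrors the shape the report describes.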
Comment 2 Hubert Figuiere 2017-08-15 02:50:44 UTC
Fixed in the 2.4.x branch at 7ab1ed70f72a1ccb257b2be264b3ed0c00a6f1d7

Thanks for the report.
