Package: python-gamera
Version: 3.4.2+svn1431-1
Tags: security
Usertags: afl

Gamera crashes when trying to load the attached image:

$ python -c 'from gamera.plugins.png_support import load_PNG; load_PNG("crash.png")'
libpng warning: Incorrect bKGD chunk length
libpng warning: Ignoring bad adaptive filter type
*** Error in `python': free(): invalid next size (fast): 0x09b7c100 ***
Aborted

Valgrind says it's a heap-based buffer overflow:

==9715== Invalid write of size 1
==9715==    at 0x402E053: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9715==    by 0x50F7722: ??? (in /lib/i386-linux-gnu/libpng12.so.0.50.0)
==9715==    by 0x50FE9BD: png_read_row (in /lib/i386-linux-gnu/libpng12.so.0.50.0)
==9715==    by 0x50D765D: load_PNG_simple<Gamera::ImageView<Gamera::ImageData<Gamera::Rgb<unsigned char> > > > (png_support.hpp:144)
==9715==    by 0x50D765D: load_PNG(char const*, int) (png_support.hpp:211)
==9715==    by 0x50D7D9F: call_load_PNG (_png_support.cpp:152)
==9715==    by 0x810AE9C: call_function (ceval.c:4035)
==9715==    by 0x810AE9C: PyEval_EvalFrameEx (ceval.c:2681)
==9715==    by 0x81235EC: PyEval_EvalCodeEx (ceval.c:3267)
==9715==    by 0x81235EC: function_call.lto_priv.287 (funcobject.c:526)
==9715==    by 0x80F69F3: PyObject_Call (abstract.c:2529)
==9715==    by 0x81FBAB6: instance_call.lto_priv.186 (classobject.c:2153)
==9715==    by 0x810B8EE: PyObject_Call (abstract.c:2529)
==9715==    by 0x810B8EE: do_call (ceval.c:4253)
==9715==    by 0x810B8EE: call_function (ceval.c:4058)
==9715==    by 0x810B8EE: PyEval_EvalFrameEx (ceval.c:2681)
==9715==    by 0x8109AD4: PyEval_EvalCodeEx (ceval.c:3267)
==9715==    by 0x8175D34: PyEval_EvalCode (ceval.c:669)
==9715==    by 0x8175D34: run_mod (pythonrun.c:1371)
==9715==    by 0x8175D34: PyRun_StringFlags (pythonrun.c:1334)
==9715==  Address 0x4d14ce4 is 0 bytes after a block of size 36 alloc'd
==9715==    at 0x4029DFC: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9715==    by 0x50D7537: create_data (image_data.hpp:220)
==9715==    by 0x50D7537: ImageData (image_data.hpp:141)
==9715==    by 0x50D7537: create (image_types.hpp:296)
==9715==    by 0x50D7537: load_PNG(char const*, int) (png_support.hpp:210)
==9715==    by 0x50D7D9F: call_load_PNG (_png_support.cpp:152)
==9715==    by 0x810AE9C: call_function (ceval.c:4035)
==9715==    by 0x810AE9C: PyEval_EvalFrameEx (ceval.c:2681)
==9715==    by 0x81235EC: PyEval_EvalCodeEx (ceval.c:3267)
==9715==    by 0x81235EC: function_call.lto_priv.287 (funcobject.c:526)
==9715==    by 0x80F69F3: PyObject_Call (abstract.c:2529)
==9715==    by 0x81FBAB6: instance_call.lto_priv.186 (classobject.c:2153)
==9715==    by 0x810B8EE: PyObject_Call (abstract.c:2529)
==9715==    by 0x810B8EE: do_call (ceval.c:4253)
==9715==    by 0x810B8EE: call_function (ceval.c:4058)
==9715==    by 0x810B8EE: PyEval_EvalFrameEx (ceval.c:2681)
==9715==    by 0x8109AD4: PyEval_EvalCodeEx (ceval.c:3267)
==9715==    by 0x8175D34: PyEval_EvalCode (ceval.c:669)
==9715==    by 0x8175D34: run_mod (pythonrun.c:1371)
==9715==    by 0x8175D34: PyRun_StringFlags (pythonrun.c:1334)
==9715==    by 0x8176885: PyRun_SimpleStringFlags (pythonrun.c:975)
==9715==    by 0x80DD6E1: Py_Main (main.c:584)

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages python-gamera depends on:
ii  dpkg        1.17.25
ii  libc6       2.19-18
ii  libgcc1     1:5.1.1-5
ii  libgomp1    5.1.1-5
ii  libpng12-0  1.2.50-2+b2
ii  libstdc++6  5.1.1-5
ii  libtiff5    4.0.3-13
ii  python      2.7.9-1
pn  python:any  <none>

-- 
Jakub Wilk
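The trace shows png_read_row writing one byte past a 36-byte block that Gamera allocated for an Rgb<unsigned char> image, so the first question for a crash file like this is what its IHDR actually declares and how large the rows libpng produces are. The following triage helper is an added example, not code from the report or from Gamera: it parses the IHDR (checking signature, CRC and field ranges), computes the raw row size libpng delivers when no transforms are set, and compares it with what a loader that assumes 3 bytes per pixel would have allocated (that per-pixel size is an assumption for the comparison, not a fact stated in the trace); the PNG header bytes are constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each IHDR colour type: grey, RGB, palette, grey+alpha, RGBA.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_ihdr(data):
    """Return the IHDR fields as a dict; raises ValueError on a malformed header."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    # The chunk CRC covers the type bytes and the data, not the length field.
    if zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    if colour not in CHANNELS or depth not in (1, 2, 4, 8, 16) or comp or filt:
        raise ValueError("invalid colour type, bit depth or method fields")
    if not 0 < width < 2**31 or not 0 < height < 2**31:
        raise ValueError("width or height out of range")
    return {"width": width, "height": height, "depth": depth,
            "colour": colour, "interlace": interlace}


def header_ok(data):
    """True if parse_ihdr accepts the header (handy for batch triage of crash files)."""
    try:
        parse_ihdr(data)
        return True
    except ValueError:
        return False


def raw_row_bytes(hdr):
    """Bytes per row libpng hands to png_read_row with no transforms (strip_16, expand, ...)."""
    return (hdr["width"] * CHANNELS[hdr["colour"]] * hdr["depth"] + 7) // 8


def row_fits(hdr, bytes_per_pixel_assumed):
    """True if a buffer of width * bytes_per_pixel_assumed per row can hold this file's rows."""
    return raw_row_bytes(hdr) <= hdr["width"] * bytes_per_pixel_assumed


def make_png_header(width, height, depth, colour):
    """Constructed sample: signature + IHDR chunk only, not a complete PNG."""
    body = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)
```

Run it over the fuzzer's crash file with `parse_ihdr(open(path, "rb").read())` and compare `raw_row_bytes` with the loader's allocation; a 16-bit or RGBA header that fails `row_fits(hdr, 3)` points at the input transform or size check to look at first.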