Package: apng2gif
Version: 1.7-1
Severity: important

Dear Maintainer,
Q.) What led up to the situation?
A.) In the read_chunk function, the line "pChunk->p = new unsigned char[pChunk->size]" tries to allocate pChunk->size bytes of memory, where pChunk->size is read from the PNG file. So, if pChunk->size is set to a huge value, it can result in a crash of the program.

Q.) What exactly did you do (or not do) that was effective (or ineffective)?
A.) Just modify the relevant offset in the PNG file so that the pChunk->size value is huge.

Steps to reproduce:
Use the makefile in the attachment and compile the program (attaching the makefile just as a reference).
Use the input.png file in the attachment as input to the program and run it:
    apng2gif input.png

Q.) What was the outcome of this action?
A.) The program will try to allocate a huge amount of memory and can result in a crash.

Sample Output:
    apng2gif 1.7
    Reading './crashes_submitted/largememoryallocation/input.png'...
    terminate called after throwing an instance of 'std::bad_alloc'
      what():  std::bad_alloc
    Aborted (core dumped)

Analysis:
gdb backtrace:
    #0  0xb7fdd424 in __kernel_vsyscall ()
    #1  0xb7d15687 in __GI_raise (sig=sig@entry=0x6) at .../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #2  0xb7d18ab3 in __GI_abort () at abort.c:89
    #3  0xb7f28405 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/i386-linux-gnu/libstdc++.so.6
    #4  0xb7f26063 in ?? () from /usr/lib/i386-linux-gnu/libstdc++.so.6
    #5  0xb7f2609f in std::terminate() () from /usr/lib/i386-linux-gnu/libstdc++.so.6
    #6  0xb7f26306 in __cxa_throw () from /usr/lib/i386-linux-gnu/libstdc++.so.6
    #7  0xb7f26916 in operator new(unsigned int) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
    #8  0xb7f269cb in operator new[](unsigned int) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
    #9  0x0804e78e in read_chunk (f=0x88e0008, pChunk=0xbffff410) at apng2gif.cpp:135
    #10 0x08049921 in load_apng (szIn=0xbffff842 "./crashes_submitted/largememoryallocation/input.png", frames=..., num_loops=0xbffff4bc) at apng2gif.cpp:267
    #11 0x0804e3f9 in main (argc=0x2, argv=0xbffff6c4) at apng2gif.cpp:1336
    #12 0xb7d00af3 in __libc_start_main (main=0x804df2a <main(int, char**)>, argc=0x2, argv=0xbffff6c4, init=0x80500a0 <__libc_csu_init>, fini=0x8050110 <__libc_csu_fini>, rtld_fini=0xb7fed160 <_dl_fini>, stack_end=0xbffff6bc) at libc-start.c:287
    #13 0x08048e71 in _start ()

The value of pChunk->size is 0xffffff8c, which is so large that it caused the allocation to fail.

Q.) What outcome did you expect instead?
A.) Maybe some check to see if pChunk->size is greater than the size of the PNG, or proper exception handling around the memory allocation with new to gracefully quit the program, or using malloc instead of new and checking whether the returned pointer is null or not.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: i386 (i686)

Kernel: Linux 3.13.0-32-generic (SMP w/2 CPU cores)
# Makefile attached to the report, for reference: builds apng2gif.cpp with
# debug info so the gdb backtrace above has symbols and line numbers.
PACKAGE = apng2gif
CC = gcc
CFLAGS = -Wall -pedantic
CFLAGS_OPT = -g
LIBS = -lstdc++ -lm -lpng -lz

all :
	$(CC) $(CFLAGS) $(CFLAGS_OPT) -o apng2gif apng2gif.cpp $(LIBS)

.PHONY : clean
clean :
	rm -rf apng2gif
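The check the report asks for, as an added illustration that is not apng2gif's code and not part of the original report: a PNG chunk reader that takes the 4-byte big-endian length field from the file exactly as read_chunk does, but refuses to allocate when the length exceeds the PNG specification's 2^31-1 limit or the number of bytes actually left in the input, and catches std::bad_alloc instead of letting it terminate the process. The Chunk struct, the function names and the in-memory sample "files" (a signature plus one IHDR-shaped chunk with a chosen length field, including the reporter's 0xffffff8c) are constructed here for the example; CRCs are not verified.

```cpp
// Added example, not apng2gif's code: length-checked PNG chunk reading.
// The report's read_chunk() does "pChunk->p = new unsigned char[pChunk->size]"
// with pChunk->size taken straight from the file, so a crafted length such
// as 0xffffff8c reaches operator new[] and throws std::bad_alloc.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <string>
#include <vector>

struct Chunk {                       // hypothetical stand-in for the tool's chunk struct
    uint32_t size;
    char type[5];
    std::vector<unsigned char> data;
};

struct ParseResult {
    size_t chunks;                   // chunks successfully read
    std::string error;               // empty on success
};

static const unsigned char PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
static const uint32_t PNG_MAX_CHUNK = 0x7FFFFFFFu;   // PNG spec: chunk length < 2^31

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

// Reads one chunk at *pos. Returns "" on success or a short reason string.
// Both rejections happen before any allocation is attempted.
std::string read_chunk_checked(const std::vector<unsigned char> &f, size_t *pos, Chunk *c) {
    if (*pos > f.size() || f.size() - *pos < 12) return "truncated chunk header"; // len+type+crc
    c->size = be32(&f[*pos]);
    std::memcpy(c->type, &f[*pos + 4], 4);
    c->type[4] = '\0';
    if (c->size > PNG_MAX_CHUNK) return "length exceeds PNG limit";
    size_t remaining = f.size() - *pos - 12;          // bytes available for chunk data
    if (c->size > remaining) return "length exceeds remaining file size";
    try {
        c->data.assign(f.begin() + *pos + 8, f.begin() + *pos + 8 + c->size);
    } catch (const std::bad_alloc &) {                // defence in depth: never abort
        return "allocation failed";
    }
    *pos += 8 + c->size + 4;                          // skip data and CRC (CRC not verified)
    return "";
}

// Walks every chunk after the signature, stopping at the first rejected one.
ParseResult parse_png(const std::vector<unsigned char> &f) {
    ParseResult r = {0, ""};
    if (f.size() < 8 || std::memcmp(&f[0], PNG_SIG, 8) != 0) {
        r.error = "bad PNG signature";
        return r;
    }
    size_t pos = 8;
    while (pos < f.size()) {
        Chunk c;
        r.error = read_chunk_checked(f, &pos, &c);
        if (!r.error.empty()) return r;
        r.chunks++;
    }
    return r;
}

// Constructed sample: signature + one IHDR-shaped chunk that really carries
// 13 data bytes, but whose length field is whatever the caller declares.
std::vector<unsigned char> make_png(uint32_t declared_len) {
    std::vector<unsigned char> f(PNG_SIG, PNG_SIG + 8);
    unsigned char hdr[8] = {(unsigned char)(declared_len >> 24), (unsigned char)(declared_len >> 16),
                            (unsigned char)(declared_len >> 8),  (unsigned char)declared_len,
                            'I', 'H', 'D', 'R'};
    f.insert(f.end(), hdr, hdr + 8);
    f.insert(f.end(), 13, 0);      // the 13 IHDR bytes actually present
    f.insert(f.end(), 4, 0);       // CRC placeholder
    return f;
}

int main() {
    const uint32_t lens[] = {13u, 14u, 0xffffff8cu};   // honest, one byte too long, the report's value
    for (uint32_t len : lens) {
        ParseResult r = parse_png(make_png(len));
        std::printf("declared length 0x%08x: %s (%zu chunk(s) read)\n", len,
                    r.error.empty() ? "ok" : r.error.c_str(), r.chunks);
    }
    return 0;
}
```

The order of the two checks matters: the spec-limit test alone would still let a length of, say, 0x7FFFFFFF through on a 64-bit build where a 2 GB allocation succeeds, so the remaining-bytes comparison is the one that actually closes the hole the report describes, and the bad_alloc handler only guards what neither check anticipated.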