Package: dvipng
Version: 1.9-2
Severity: normal

[Cc: to the security team since I haven't thought out if this can be
exploitable by a malicious dvi file]

The attached (broken) dvi file crashes dvipng:

------------------------------------------------------------
$ gdb --args dvipng broken.dvi
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r
Starting program: /usr/bin/dvipng broken.dvi
This is /usr/bin/dvipng 1.9 Copyright 2002-2006 Jan-Ake Larsson
[1 (10)]
Program received signal SIGSEGV, Segmentation fault.
SetChar (c=41357) at draw.c:118
118 if (ptr->data == NULL)
(gdb) bt
#0 SetChar (c=41357) at draw.c:118
#1 0x0000000000406195 in DrawPage (hoffset=<value optimized out>, voffset=<value optimized out>) at draw.c:353
#2 0x00000000004064d8 in DrawPages () at draw.c:415
#3 0x00000000004028ac in main (argc=2, argv=<value optimized out>) at dvipng.c:108
(gdb) bt full
#0 SetChar (c=41357) at draw.c:118
        ptr = (struct char_entry *) 0x55666666773300
#1 0x0000000000406195 in DrawPage (hoffset=<value optimized out>, voffset=<value optimized out>) at draw.c:353
        command = (unsigned char *) 0x516920 "\206¡\215iN "
#2 0x00000000004064d8 in DrawPages () at draw.c:415
        i = 10
        dvi_pos = (struct page_list *) 0x770a80
        x_width = <value optimized out>
        y_width = 527
        x_offset = 0
        y_offset = 0
#3 0x00000000004028ac in main (argc=2, argv=<value optimized out>) at dvipng.c:108
        parsestdin = false
(gdb) print ptr
$1 = (struct char_entry *) 0x55666666773300
(gdb) print *ptr
Cannot access memory at address 0x55666666773300
------------------------------------------------------------

Sami

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages dvipng depends on:
ii  libc6             2.3.6.ds1-13    GNU C Library: Shared libraries
ii  libfreetype6      2.2.1-5         FreeType 2 font engine, shared lib
ii  libgd2-noxpm      2.0.34~rc1-2    GD Graphics Library version 2 (wit
ii  libkpathsea4      3.0-30          path search library for teTeX (run
ii  libpng12-0        1.2.15~beta5-1  PNG library - runtime
ii  libt1-5           5.1.0-2         Type 1 font rasterizer library - r
ii  texlive-base-bin  2005.dfsg.2-12  TeX Live: Essential binaries
ii  zlib1g            1:1.2.3-13      compression library - runtime

dvipng recommends no packages.

-- no debconf information

broken.dvi
Description: TeX dvi file