Package: libgd2-xpm
Version: 2.0.33-2
Severity: normal
Tags: patch
Note that this bug is very similar to http://bugs.debian.org/308981 but it is distinct.

Given a corrupted GIF *buffer*, gd-2.0.33's gdImageCreateFromGifPtr function gets stuck in an infinite loop. Note that gdImageCreateFromGif does not have this problem.

Here's a simple program to illustrate the bug:

-----------------
#include <stdio.h>
#include <stdlib.h>
#include <gd.h>

int main (void)
{
  /* Slurp the (small) GIF from stdin and hand the buffer to gd. */
  char buf[40000];
  int len = fread (buf, 1, sizeof buf, stdin);
  gdImagePtr p = gdImageCreateFromGifPtr (len, buf);
  /* Exit status 0 if gd accepted the image, 1 if it rejected it. */
  exit (p != NULL ? EXIT_SUCCESS : EXIT_FAILURE);
}
-----------------

Here is an invalid GIF image that triggers the bug:

$ gzip < in.gif | uuencode in.gif.gz

Recreate e.g., by

$ (cd /tmp; uudecode) <paste the begin..end lines here>
$ gzip -d /tmp/in.gif.gz

Then compile and run the C program:

# Compile it:
$ gcc -O -W -Wall k.c -lgd

# Demonstrate that it hangs; interrupt after a few seconds:
$ time ./a.out < /tmp/in.gif
Command terminated by signal 2
4.96user 0.00system 0:05.05elapsed 98%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+288minor)pagefaults 0swaps

# Using the fixed library, it terminates right away:
$ time env LD_LIBRARY_PATH=/var/tmp/gd/lib ./a.out < /tmp/in.gif
0.00user 0.00system 0:00.01elapsed 90%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+383minor)pagefaults 0swaps
[Exit 1]

===================

You can demonstrate the infinite loop with a perl/GD one-liner,
too. This hangs:

  perl -MGD -e 'my $d = `cat /tmp/in.gif`; GD::Image->new($d) or die'

But with the patched library, it fails, as it should:

  LD_LIBRARY_PATH=/var/tmp/gd/lib \
  perl -MGD -e 'my $d = `cat /tmp/in.gif`; GD::Image->new($d) or die'
  Died at -e line 1.
  [Exit 9]

================================

Here's the patch I'm using:

[exit the loops upon a negative return value from GetDataBlock]

--- gd_gif_in.c.~1~ 2005-05-19 22:52:37.000000000 +0200
+++ gd_gif_in.c 2005-05-20 11:44:17.000000000 +0200
@@ -255,13 +255,13 @@ DoExtension(gdIOCtx *fd, int label, int
 if ((buf[0] & 0x1) != 0)
 *Transparent = buf[3];
- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0)
 ;
 return FALSE;
 default:
 break;
 }
- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0)
 ;
 return FALSE;

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (100, 'unstable'), (99, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libgd2-xpm depends on:
ii  libc6           2.3.2.ds1-22     GNU C Library: Shared libraries an
ii  libfontconfig1  2.3.2-1          generic font configuration library
ii  libfreetype6    2.1.7-2.4        FreeType 2 font engine, shared lib
ii  libjpeg62       6b-10            The Independent JPEG Group's JPEG
ii  libpng12-0      1.2.8rel-1       PNG library - runtime
ii  libx11-6        4.3.0.dfsg.1-14  X Window System protocol client li
ii  libxpm4         4.3.0.dfsg.1-14  X pixmap library
ii  xlibs           4.3.0.dfsg.1-14  X Keyboard Extension (XKB) configu
ii  zlib1g          1:1.2.2-4        compression library - runtime

-- no debconf information
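Review bot: the `> 0` test makes both loops exit on a negative GetDataBlock result, but each still falls through to `return FALSE;`, so DoExtension reports a truncated extension to its caller exactly as it reports a cleanly terminated one and decoding simply continues from wherever the read stopped. Suggest keeping the result and signalling the failure, e.g. `while ((n = GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP)) > 0) ;` followed by `if (n < 0) return <error value the caller checks>;` in both places, so the caller can bail out at the point of truncation instead of relying on a later read failing. Since only DoExtension is touched here, the other GetDataBlock loops in gd_gif_in.c are worth checking for the same `!= 0` idiom.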
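The loop behaviour the patch changes, as an added example that is not code from gd or from this report: a hypothetical in-memory stand-in for GetDataBlock (MemCtx, get_data_block) that keeps its sign convention of 0 for the block terminator and a negative value on short input, driven by the original `!= 0` test and the patched `> 0` test (skip_extension, run) over constructed extension data. The unpatched loop is bounded at 1000 iterations here so it returns -1 instead of hanging.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory byte source standing in for gd's gdIOCtx. */
typedef struct { const unsigned char *data; size_t len, pos; } MemCtx;

/* Read one GIF data sub-block (length byte + payload) into buf.
 * Returns the payload length (0 = block terminator) or -1 when the
 * buffer ends early: the sign convention the patch relies on. */
static int get_data_block(MemCtx *c, unsigned char *buf) {
    if (c->pos >= c->len) return -1;                 /* no length byte left */
    unsigned char n = c->data[c->pos++];
    if (c->len - c->pos < n) { c->pos = c->len; return -1; } /* short payload */
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return n;
}

/* Skip an extension's sub-blocks the way DoExtension does.
 * patched=0 uses the original "!= 0" test, patched=1 the "> 0" fix.
 * Returns blocks consumed, or -1 when the iteration bound is hit
 * (the real, unbounded loop would spin forever at that point). */
static int skip_extension(MemCtx *c, int patched, int *truncated) {
    unsigned char buf[256];
    int blocks = 0;
    *truncated = 0;
    for (;;) {
        int r = get_data_block(c, buf);
        if (r < 0) *truncated = 1;
        if (!(patched ? r > 0 : r != 0)) return blocks;
        if (++blocks > 1000) return -1;  /* bound instead of a real hang */
    }
}

/* Constructed inputs: a clean comment extension, and one whose second
 * sub-block promises 3 bytes but the buffer ends after 1. */
static const unsigned char good_ext[] = {5,'h','e','l','l','o',0};
static const unsigned char bad_ext[]  = {5,'h','e','l','l','o',3,'a'};

/* Run one input through skip_extension; returns blocks, sets *truncated. */
int run(const unsigned char *d, size_t n, int patched, int *truncated) {
    MemCtx c = { d, n, 0 };
    return skip_extension(&c, patched, truncated);
}

int main(void) {
    int t, b = run(bad_ext, sizeof bad_ext, 0, &t);
    printf("unpatched, truncated input: %d blocks, truncated=%d\n", b, t);
    b = run(bad_ext, sizeof bad_ext, 1, &t);
    printf("patched,   truncated input: %d blocks, truncated=%d\n", b, t);
    return 0;
}
```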