Bug 65224 - crash on loading certain png (attached)
Summary: crash on loading certain png (attached)
Status: RESOLVED FIXED
Alias: None
Product: kfile-plugins
Classification: Applications
Component: PNG
Version: unspecified
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Carsten Pfeiffer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-09-30 11:46 UTC by Christian Spitzlay
Modified: 2003-09-30 15:48 UTC

See Also:
Latest Commit:
Version Fixed In:


Attachments
The png that causes the crash (19.52 KB, image/png)
2003-09-30 11:47 UTC, Christian Spitzlay
Description Christian Spitzlay 2003-09-30 11:46:43 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources
Compiler:          gcc version 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r1, propolice) 
OS:          Linux

- kuickshow crashes when trying to open a certain PNG (I'll attach it.)
- the thumbnail in konqi's file manager mode is created alright
- the meta data popup crashes though, as soon as the mouse touches the file, and takes konqi with it.
- kview works 
- it happens in KDE 3.1.4 as well as in this week's CVS version


> file muehlgasse.png
muehlgasse.png: PNG image data, 400 x 300, 8-bit colormap, non-interlaced

------------------------------
Here's what I get as debug on the command line: 

> kuickshow muehlgasse.png
kdecore (KIconLoader): WARNING: Icon directory /usr/local/kde/share/icons/crystalsvg/ group  not valid.
kio (KSycoca): Trying to open ksycoca from /var/tmp/kdecache-kdedev/ksycoca
kio (KTrader): KServiceTypeProfile::offers( image/png,KFilePlugin )
kio (KTrader): Returning 1 offers
KFileMetainfo (plugins): png plugin
kio (KTrader): KServiceTypeProfile::offers( image/png,KFilePlugin )
kio (KTrader): Returning 1 offers
kio (KTrader): KServiceTypeProfile::offers( image/png,KFilePlugin )
kio (KTrader): Returning 1 offers
KFileMetainfo (plugins): dimensions 400*300
KFileMetaInfo: KFileMetaInfogroup inserting a Dimensions
KFileMetaInfo: KFileMetaInfogroup inserting a BitDepth
KFileMetaInfo: KFileMetaInfogroup inserting a ColorMode
KFileMetaInfo: KFileMetaInfogroup inserting a Compression
KFileMetaInfo: KFileMetaInfogroup inserting a InterlaceMode
KFileMetainfo (plugins): We found a tEXt field
QGArray: Cannot allocate array with negative length
QGArray: Cannot allocate array with negative length
In file tools/qgarray.cpp, line 457: Out of memory
------------------------------

Here's the stacktrace: 

[New Thread 16384 (LWP 9693)]
0x41406137 in waitpid () from /lib/libpthread.so.0
#0  0x41406137 in waitpid () from /lib/libpthread.so.0
#1  0x408ed90e in KCrash::defaultCrashHandler(int) (sig=11) at kcrash.cpp:242
#2  0x41404fea in __pthread_sighandler () from /lib/libpthread.so.0
#3  <signal handler called>
#4  0x4179bb75 in memcpy () from /lib/libc.so.6
#5  0x410a402a in QGArray::duplicate(char const*, unsigned) (this=0xbfffe260, 
    d=0x8246cfd "", len=4294967291) at tools/qgarray.cpp:458
#6  0x40124625 in QMemArray<char>::duplicate(char const*, unsigned) (
    this=0xbfffe260, a=0x8246cfd "", n=4294967291) at qmemarray.h:85
#7  0x4202f063 in KPngPlugin::readInfo(KFileMetaInfo&, unsigned) (
    this=0x823a5e8, info=@0xbfffe320, what=1) at kfile_png.cpp:229
#8  0x403b1408 in KFileMetaInfo::init(KURL const&, QString const&, unsigned) (
    this=0xbfffe3b0, url=@0x81fd2d0, mimeType=@0xbfffe3a0, what=1)
    at kfilemetainfo.cpp:328
#9  0x403b12b0 in KFileMetaInfo (this=0xbfffe3b0, url=@0x81fd2d0, 
    mimeType=@0xbfffe3a0, what=1) at kfilemetainfo.cpp:306
#10 0x40380545 in KFileItem::metaInfo(bool, int) const (this=0x81fd2c8, 
    autoget=true) at kfileitem.cpp:799
#11 0x4003b187 in KuickShow::slotHighlighted(KFileItem const*) (
    this=0x80fefe0, fi=0x81fd2c8) at kuickshow.cpp:432
#12 0x4003e749 in KuickShow::qt_invoke(int, QUObject*) (this=0x80fefe0, 
    _id=81, _o=0xbfffe540) at kuickshow.moc:203
#13 0x40d5b293 in QObject::activate_signal(QConnectionList*, QUObject*) (
    this=0x8107298, clist=0x8159e98, o=0xbfffe540) at kernel/qobject.cpp:2357
#14 0x40401910 in KDirOperator::fileHighlighted(KFileItem const*) (
    this=0x8107298, t0=0x81fd2c8) at kdiroperator.moc:345
#15 0x4040359c in KDirOperator::highlightFile(KFileItem const*) (
    this=0x8107298, i=0x81fd2c8) at kdiroperator.h:731
#16 0x40401eec in KDirOperator::qt_invoke(int, QUObject*) (this=0x8107298, 
    _id=62, _o=0xbfffe680) at kdiroperator.moc:409
#17 0x40052268 in FileWidget::qt_invoke(int, QUObject*) (this=0x8107298, 
    _id=62, _o=0xbfffe680) at filewidget.moc:130
#18 0x40d5b159 in QObject::activate_signal(QConnectionList*, QUObject*) (
    this=0x813da98, clist=0x813c2d0, o=0xbfffe680) at kernel/qobject.cpp:2333
#19 0x403e6200 in KFileViewSignaler::fileHighlighted(KFileItem const*) (
    this=0x813da98, t0=0x81fd2c8) at kfileview.moc:149
#20 0x403eb60e in KFileViewSignaler::highlightFile(KFileItem const*) (
    this=0x813da98, i=0x81fd2c8) at kfileview.h:56
#21 0x403e86f8 in KFileIconView::highlighted(QIconViewItem*) (this=0x812d320, 
    item=0x823a2e8) at kfileiconview.cpp:372
#22 0x403eab2f in KFileIconView::qt_invoke(int, QUObject*) (this=0x812d320, 
    _id=85, _o=0xbfffe7b0) at kfileiconview.moc:201
#23 0x40d5b159 in QObject::activate_signal(QConnectionList*, QUObject*) (
    this=0x812d320, clist=0x811b218, o=0xbfffe7b0) at kernel/qobject.cpp:2333
#24 0x411612d4 in QIconView::selectionChanged(QIconViewItem*) (this=0x812d320, 
    t0=0x823a2e8) at .moc/debug-shared-mt/moc_qiconview.cpp:359
#25 0x40f262e5 in QIconViewItem::setSelected(bool, bool) (this=0x823a2e8, 
    s=true, cb=false) at iconview/qiconview.cpp:1483
#26 0x40f2f577 in QIconView::contentsMousePressEventEx(QMouseEvent*) (
    this=0x812d320, e=0xbfffea40) at iconview/qiconview.cpp:4425
#27 0x40f2f03c in QIconView::contentsMousePressEvent(QMouseEvent*) (
    this=0x812d320, e=0xbfffea40) at iconview/qiconview.cpp:4357
#28 0x406c48f1 in KIconView::contentsMousePressEvent(QMouseEvent*) (
    this=0x812d320, e=0xbfffea40) at kiconview.cpp:307
#29 0x40e7df6a in QScrollView::viewportMousePressEvent(QMouseEvent*) (
    this=0x812d320, e=0xbfffef10) at widgets/qscrollview.cpp:1729
#30 0x40e7d68c in QScrollView::eventFilter(QObject*, QEvent*) (this=0x812d320, 
    obj=0x8143620, e=0xbfffef10) at widgets/qscrollview.cpp:1497
#31 0x40f35758 in QIconView::eventFilter(QObject*, QEvent*) (this=0x812d320, 
    o=0x8143620, e=0xbfffef10) at iconview/qiconview.cpp:5646
#32 0x403e9954 in KFileIconView::eventFilter(QObject*, QEvent*) (
    this=0x812d320, o=0x8143620, e=0xbfffef10) at kfileiconview.cpp:713
#33 0x40d58bf7 in QObject::activate_filters(QEvent*) (this=0x8143620, 
    e=0xbfffef10) at kernel/qobject.cpp:902
#34 0x40d58a75 in QObject::event(QEvent*) (this=0x8143620, e=0xbfffef10)
    at kernel/qobject.cpp:735
#35 0x40d92ac9 in QWidget::event(QEvent*) (this=0x8143620, e=0xbfffef10)
    at kernel/qwidget.cpp:4401
#36 0x40cf8593 in QApplication::internalNotify(QObject*, QEvent*) (
    this=0xbffff350, receiver=0x8143620, e=0xbfffef10)
    at kernel/qapplication.cpp:2582
#37 0x40cf7dbb in QApplication::notify(QObject*, QEvent*) (this=0xbffff350, 
    receiver=0x8143620, e=0xbfffef10) at kernel/qapplication.cpp:2368
#38 0x4085e16f in KApplication::notify(QObject*, QEvent*) (this=0xbffff350, 
    receiver=0x8143620, event=0xbfffef10) at kapplication.cpp:492
#39 0x40c8edfc in QApplication::sendSpontaneousEvent(QObject*, QEvent*) (
    receiver=0x8143620, event=0xbfffef10) at qapplication.h:493
#40 0x40c88553 in QETWidget::translateMouseEvent(_XEvent const*) (
    this=0x8143620, event=0xbffff250) at kernel/qapplication_x11.cpp:4347
#41 0x40c86234 in QApplication::x11ProcessEvent(_XEvent*) (this=0xbffff350, 
    event=0xbffff250) at kernel/qapplication_x11.cpp:3525
#42 0x40c9ff15 in QEventLoop::processEvents(unsigned) (this=0x80c9490, flags=4)
    at kernel/qeventloop_x11.cpp:192
#43 0x40d0e221 in QEventLoop::enterLoop() (this=0x80c9490)
    at kernel/qeventloop.cpp:198
#44 0x40d0e13a in QEventLoop::exec() (this=0x80c9490)
    at kernel/qeventloop.cpp:145
#45 0x40cf8703 in QApplication::exec() (this=0xbffff350)
    at kernel/qapplication.cpp:2705
#46 0x40044f56 in kdemain (argc=1, argv=0xbffff4c4) at main.cpp:64
#47 0x080486da in main (argc=1, argv=0xbffff4c4) at kuickshow.la.cpp:2
#48 0x417377a7 in __libc_start_main () from /lib/libc.so.6
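As an added illustration (not code from this bug report or from the KDE plugin) of the wrapped length visible in frame #5 above, len=4294967291: the first function reduces the plugin's unsigned subtraction for the tEXt text length to its integer behaviour, and the second is a hypothetical hardened check that bounds the keyword scan by the file and guards the subtraction before it can wrap. The sample chunk bodies, offsets and declared sizes are constructed, not taken from the attached file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum text_status { TEXT_OK = 0, TEXT_BAD_KEYWORD = 1, TEXT_OUT_OF_BOUNDS = 2 };

/* The pre-fix arithmetic reduced to its integer behaviour: once the keyword
   runs past the declared chunk size, the unsigned subtraction wraps instead
   of going negative, which is how len=4294967291 reached memcpy. */
uint32_t naive_textsize(uint32_t chunk_size, uint32_t keysize)
{
    return chunk_size - keysize - 1;
}

/* Hardened check (hypothetical, not the plugin's code). 'file' is the whole
   file image, 'data_off' the offset of the chunk data, 'chunk_size' the length
   from the chunk header. The keyword scan is bounded by the file, and the
   subtraction is guarded before it can wrap. */
enum text_status check_text_chunk(const unsigned char *file, size_t file_size,
                                  size_t data_off, uint32_t chunk_size,
                                  size_t *text_len)
{
    if (data_off >= file_size)
        return TEXT_OUT_OF_BOUNDS;
    const unsigned char *nul = memchr(file + data_off, 0, file_size - data_off);
    if (nul == NULL)
        return TEXT_BAD_KEYWORD;               /* keyword never NUL-terminated */
    size_t keysize = (size_t)(nul - (file + data_off));
    if (keysize + 1 > chunk_size)              /* the subtraction below would wrap */
        return TEXT_OUT_OF_BOUNDS;
    size_t textsize = chunk_size - keysize - 1;
    size_t first = data_off + keysize + 1;     /* <= file_size, the NUL is inside the file */
    if (textsize > file_size - first)          /* compare lengths: no addition, nothing wraps */
        return TEXT_OUT_OF_BOUNDS;
    *text_len = textsize;
    return TEXT_OK;
}

/* Constructed sample chunk bodies (not the attached muehlgasse.png). */
static const unsigned char GOOD_CHUNK[] = "Title\0Hello"; /* 11 bytes, declared size 11 */
static const unsigned char BAD_CHUNK[]  = "Comment\0xx";  /* 10 bytes, declared size 4 */

enum text_status check_good(size_t *len) { return check_text_chunk(GOOD_CHUNK, 11, 0, 11, len); }
enum text_status check_bad(size_t *len)  { return check_text_chunk(BAD_CHUNK, 10, 0, 4, len); }
```

With the bad chunk the naive arithmetic yields 4294967292, while the guarded check rejects the chunk before any length is computed.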
Comment 1 Christian Spitzlay 2003-09-30 11:47:47 UTC
Created attachment 2644
The png that causes the crash
Comment 2 Maksim Orlovich 2003-09-30 15:13:31 UTC
Confirm a bug in the PNG metainfo plugin. (Affects a lot more than Kuickshow -- konq too)
Comment 3 Maksim Orlovich 2003-09-30 15:48:25 UTC
Subject: kdegraphics/kfile-plugins/png

CVS commit by orlovich: 

Fix range check for some extremely bogus size values. 
CCMAIL: 65224-done@bugs.kde.org


  M +8 -5      kfile_png.cpp   1.21


--- kdegraphics/kfile-plugins/png/kfile_png.cpp  #1.20:1.21
@@ -220,8 +220,12 @@ bool KPngPlugin::readInfo( KFileMetaInfo
                     // the text comes after the key, but isn't null terminated
                     uchar* text = &CHUNK_DATA(data,index, keysize+1);
-                    int textsize = CHUNK_SIZE(data, index)-keysize-1;
+                    uint textsize = CHUNK_SIZE(data, index)-keysize-1;
 
-                    // security check
-                    if ( (uint)(text - data) + textsize > f.size())
+                    // security check, also considering overflow wraparound from the addition --
+                    // we may endup with a /smaller/ index if we wrap all the way around
+                    uint firstIndex       = (uint)(text - data);
+                    uint onePastLastIndex = firstIndex + textsize;
+
+                    if ( onePastLastIndex > f.size() || onePastLastIndex <= firstIndex)
                         goto end;
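Review bot: the new guard `onePastLastIndex <= firstIndex` also rejects a tEXt chunk whose text is legitimately empty, because `textsize == 0` makes the two indices equal; `<` would still catch the wraparound while keeping that case. The wrap itself originates one line earlier, in `CHUNK_SIZE(data, index)-keysize-1`, which underflows whenever the NUL-terminated key was scanned past the declared chunk size; checking `keysize + 1 <= CHUNK_SIZE(data, index)` before the subtraction (or bounding the key scan by the chunk size) would reject the malformed chunk at its source rather than relying on the later addition wrapping detectably. Changing `textsize` from `int` to `uint` makes the comparison against `f.size()` unsigned throughout, which is the right direction, but a short comment that the value may already have wrapped would help the next reader.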