Bug 440035 - ASAN heap-buffer-overflow detected by writing of raw profile in PNG export.
Summary: ASAN heap-buffer-overflow detected by writing of raw profile in PNG export.
Status: RESOLVED FIXED
Alias: None
Product: krita
Classification: Applications
Component: File formats (other bugs)
Version First Reported In: git master (please specify the git hash!)
Platform: Other Linux
Priority: NOR
Severity: normal
Target Milestone: ---
Assignee: Krita Bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-19 12:41 UTC by wolthera
Modified: 2021-07-22 15:04 UTC (History)

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:


Description wolthera 2021-07-19 12:41:30 UTC
SUMMARY
Running Krita with asan, got this when trying to save a PNG.

==1726755==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130001219f1 at pc 0x7f5eaf127a6d bp 0x7f5e75cf4dd0 sp 0x7f5e75cf4578
READ of size 370 at 0x6130001219f1 thread T184 (Thread (pooled))
    #0 0x7f5eaf127a6c  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c)
    #1 0x7f5ea9f184ab in writeRawProfile /home/wolthera/krita/src/libs/ui/kis_png_converter.cpp:170
    #2 0x7f5ea9f3076e in KisPNGConverter::buildFile(QIODevice*, QRect const&, double, double, KisSharedPtr<KisPaintDevice>, QTypedArrayData<KisSharedPtr<KisAnnotation> >::iterator, QTypedArrayData<KisSharedPtr<KisAnnotation> >::iterator, KisPNGOptions, KisMetaData::Store*) /home/wolthera/krita/src/libs/ui/kis_png_converter.cpp:1251
    #3 0x7f5e7b8bfb1b in KisPNGExport::convert(KisDocument*, QIODevice*, KisPinnedSharedPtr<KisPropertiesConfiguration>) /home/wolthera/krita/src/plugins/impex/png/kis_png_export.cc:82
    #4 0x7f5eaaaa6406 in KisImportExportManager::doExportImpl(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>) /home/wolthera/krita/src/libs/ui/KisImportExportManager.cpp:731
    #5 0x7f5eaaaa7484 in KisImportExportManager::doExport(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool) /home/wolthera/krita/src/libs/ui/KisImportExportManager.cpp:675
    #6 0x7f5eaaab675d in KisImportExportErrorCode std::__invoke_impl<KisImportExportErrorCode, KisImportExportErrorCode (KisImportExportManager::*&)(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool), KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&, KisPinnedSharedPtr<KisPropertiesConfiguration>&, bool&>(std::__invoke_memfun_deref, KisImportExportErrorCode (KisImportExportManager::*&)(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool), KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&, KisPinnedSharedPtr<KisPropertiesConfiguration>&, bool&) /usr/include/c++/9/bits/invoke.h:73
    #7 0x7f5eaaab675d in std::__invoke_result<KisImportExportErrorCode (KisImportExportManager::*&)(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool), KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&, KisPinnedSharedPtr<KisPropertiesConfiguration>&, bool&>::type std::__invoke<KisImportExportErrorCode (KisImportExportManager::*&)(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool), KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&, KisPinnedSharedPtr<KisPropertiesConfiguration>&, bool&>(KisImportExportErrorCode (KisImportExportManager::*&)(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool), KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&, KisPinnedSharedPtr<KisPropertiesConfiguration>&, bool&) /usr/include/c++/9/bits/invoke.h:96
    #8 0x7f5eaaab675d in KisImportExportErrorCode std::_Bind<KisImportExportErrorCode (KisImportExportManager::*(KisImportExportManager*, QString, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool))(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool)>::__call<KisImportExportErrorCode, , 0ul, 1ul, 2ul, 3ul, 4ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul, 2ul, 3ul, 4ul>) /usr/include/c++/9/functional:402
    #9 0x7f5eaaab675d in KisImportExportErrorCode std::_Bind<KisImportExportErrorCode (KisImportExportManager::*(KisImportExportManager*, QString, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool))(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool)>::operator()<, KisImportExportErrorCode>() /usr/include/c++/9/functional:484
    #10 0x7f5eaaab675d in QtConcurrent::StoredFunctorCall0<KisImportExportErrorCode, std::_Bind<KisImportExportErrorCode (KisImportExportManager::*(KisImportExportManager*, QString, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool))(QString const&, QSharedPointer<KisImportExportFilter>, KisPinnedSharedPtr<KisPropertiesConfiguration>, bool)> >::runFunctor() /usr/include/x86_64-linux-gnu/qt5/QtConcurrent/qtconcurrentstoredfunctioncall.h:60
    #11 0x7f5eaaab675d in QtConcurrent::RunFunctionTask<KisImportExportErrorCode>::run() /usr/include/x86_64-linux-gnu/qt5/QtConcurrent/qtconcurrentrunbase.h:108
    #12 0x7f5ea35e7151  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xd1151)
    #13 0x7f5ea35e3d4b  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xcdd4b)
    #14 0x7f5ea30fb608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #15 0x7f5ea3248292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x6130001219f1 is located 0 bytes to the right of 369-byte region [0x613000121880,0x6130001219f1)
allocated by thread T184 (Thread (pooled)) here:
    #0 0x7f5eaf1cdbc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7f5ea2da22e1 in png_malloc (/usr/lib/x86_64-linux-gnu/libpng16.so.16+0xc2e1)

Thread T184 (Thread (pooled)) created by T0 here:
    #0 0x7f5eaf0fa805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x7f5ea35e3804 in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xcd804)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c) 
==1726755==ABORTING
Comment 1 sh_zam 2021-07-22 15:03:37 UTC
Git commit 01f361d685f6c7e8ae7998f9a1d81c8e2a4cc056 by Sharaf Zaman.
Committed on 22/07/2021 at 11:11.
Pushed by lsegovia into branch 'master'.

Fix ASAN heap-buffer-overflow

strlen requires a null terminator to terminate. If memory isn't filled
with it beforehand, running strlen on it can be dangerous.

M  +1    -0    libs/ui/kis_png_converter.cpp

https://invent.kde.org/graphics/krita/commit/01f361d685f6c7e8ae7998f9a1d81c8e2a4cc056
Comment 2 amyspark 2021-07-22 15:04:37 UTC
Git commit 08ccd3793a9ff82195b8c7e432a30143afb753cd by L. E. Segovia, on behalf of Sharaf Zaman.
Committed on 22/07/2021 at 15:04.
Pushed by lsegovia into branch 'krita/5.0'.

Fix ASAN heap-buffer-overflow

strlen requires a null terminator to terminate. If memory isn't filled
with it beforehand, running strlen on it can be dangerous.
(cherry picked from commit 01f361d685f6c7e8ae7998f9a1d81c8e2a4cc056)

M  +1    -0    libs/ui/kis_png_converter.cpp

https://invent.kde.org/graphics/krita/commit/08ccd3793a9ff82195b8c7e432a30143afb753cd
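An added illustration of the bug class that both commits above describe; this is not Krita's code, and the hex text produced by `encode_hex` is only a constructed stand-in for a raw profile chunk. A buffer sized exactly for its contents has no terminator, so `strlen` reads one byte past the allocation, which is what the trace shows (READ of size 370 on a 369-byte region); the fixed variant reserves and writes the `'\0'`, and `bounded_text_length` shows a `memchr`-based length check that cannot overrun either buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Hex-encode 'len' bytes into a freshly malloc'ed text buffer.
 * want_terminator == 0 reproduces the bug class: the buffer is sized exactly
 * for the hex digits, so no '\0' exists and strlen() would read one byte past
 * the allocation (ASAN: READ of size N+1 on an N-byte region).
 * want_terminator != 0 is the fixed form: one extra byte, explicitly zeroed. */
char *encode_hex(const unsigned char *data, size_t len, int want_terminator)
{
    static const char digits[] = "0123456789abcdef";
    size_t text_len = 2 * len;
    char *text = malloc(text_len + (want_terminator ? 1 : 0));
    if (text == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        text[2 * i]     = digits[data[i] >> 4];
        text[2 * i + 1] = digits[data[i] & 0x0f];
    }
    if (want_terminator)
        text[text_len] = '\0';   /* the one-line fix: give strlen a stop */
    return text;
}

/* Bounded replacement for strlen(): never reads past 'alloc_size' bytes.
 * Returns alloc_size when no terminator is present (the buggy buffer)
 * instead of running off the end of the allocation. */
size_t bounded_text_length(const char *text, size_t alloc_size)
{
    const char *nul = memchr(text, '\0', alloc_size);
    return nul ? (size_t)(nul - text) : alloc_size;
}

/* Demonstration: the same constructed 4-byte "profile" encoded both ways.
 * Only the terminated buffer is handed to strlen(); the unterminated one is
 * measured with the bounded helper, so nothing here reads out of bounds. */
int demo_lengths(size_t *fixed_len, size_t *buggy_len)
{
    const unsigned char profile[] = { 0x00, 0x01, 0xab, 0xff }; /* constructed */
    char *fixed = encode_hex(profile, sizeof profile, 1);
    char *buggy = encode_hex(profile, sizeof profile, 0);
    if (fixed == NULL || buggy == NULL) { free(fixed); free(buggy); return -1; }
    *fixed_len = strlen(fixed);                                   /* terminator present */
    *buggy_len = bounded_text_length(buggy, 2 * sizeof profile); /* bounded, no overrun */
    free(fixed);
    free(buggy);
    return 0;
}
```

Built with `-fsanitize=address`, replacing the bounded call with `strlen(buggy)` reproduces the same kind of report as the one in the description.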