gil: Segmentation fault when reading purposely corrupted png image (related to jpeg)
Actual behavior
Segmentation fault - signal SIGSEGV.
In png read.hpp, the functions that call into libpng (apply, read_rows, and so on) are missing the setjmp setup that jpeg read.hpp has. The most recent setjmp is the one in png reader_backend.hpp, in read_header, so any libpng error during decompression in read_rows (png_read_rows) makes libpng longjmp back to that point, which sits in a function whose stack frame has already been destroyed; the subsequent call to png_destroy_read_struct then crashes.
libpng error: Not enough image data
Process 20104 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
frame #0: 0x00007ffff7bb3cbd libpng16.so.16`png_destroy_read_struct + 13
libpng16.so.16`png_destroy_read_struct:
Expected behavior
Gracefully thrown exception.
C++ Minimal Working Example
#include <boost/gil.hpp>
#include <boost/gil/extension/io/png.hpp>

#include <initializer_list>
#include <sstream>
#include <string>

int main()
{
    // 57-byte PNG: valid signature, IHDR declaring a 1024x1449 8-bit RGB image,
    // then an IDAT chunk carrying zero bytes of data, then IEND.
    std::initializer_list<unsigned char> corrupt_png = {
        0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,   // PNG signature
        0x00, 0x00, 0x00, 0x0D,                        // IHDR length = 13
        'I', 'H', 'D', 'R',
        0x00, 0x00, 0x04, 0x00,                        // width  = 1024
        0x00, 0x00, 0x05, 0xA9,                        // height = 1449
        0x08, 0x02, 0x00, 0x00, 0x00,                  // 8-bit, RGB, no interlace
        0x68, 0x1B, 0xF7, 0x46,                        // IHDR CRC
        0x00, 0x00, 0x00, 0x00,                        // IDAT length = 0: no image data at all
        'I', 'D', 'A', 'T',
        0x35, 0xAF, 0x06, 0x1E,                        // IDAT CRC
        0x00, 0x00, 0x00, 0x00,                        // IEND length = 0
        'I', 'E', 'N', 'D',
        0xAE, 0x42, 0x60, 0x82                         // IEND CRC
    };
    std::stringstream ss(std::string(corrupt_png.begin(), corrupt_png.end()),
                         std::ios_base::in | std::ios_base::binary);
    boost::gil::rgb8_image_t img;
    // libpng reports "Not enough image data" while reading rows; with no setjmp in
    // that frame the longjmp lands in read_header's dead frame and crashes.
    boost::gil::read_image(ss, img, boost::gil::png_tag{});
    return 0;
}
Environment
- Compiler version: -
- Build settings: -
- Version (Git ref or <boost/version.hpp>): latest master 1_71
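The failure mode above comes from libpng's error contract: png_error never returns, it longjmps to whichever setjmp was installed last, so every function that calls into libpng has to install its own setjmp in a frame that is still alive when the jump happens. The following is an added example, not GIL or libpng code: it mocks just that contract (a struct carrying a jmp_buf, an error routine that longjmps, a read_info and a read_rows that parse the issue's bytes) and shows the per-call guard that converts the jump into an exception. Names such as fake_png_struct, guarded_png_call, read_image_safe and tiny_png are assumptions for this illustration.

```cpp
#include <csetjmp>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Mock of the libpng contract that matters here (not libpng itself): the png_struct
// carries a jmp_buf, and the error routine never returns but longjmps to the last setjmp.
struct fake_png_struct {
    std::jmp_buf jmpbuf;
    const char* error_msg = nullptr;
    const std::vector<unsigned char>* src = nullptr;
    std::uint32_t width = 0, height = 0;
};

[[noreturn]] static void fake_png_error(fake_png_struct* png, const char* msg) {
    png->error_msg = msg;
    std::longjmp(png->jmpbuf, 1);   // mirrors png_longjmp
}

static std::uint32_t be32(const unsigned char* p) {
    return (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) | (std::uint32_t(p[2]) << 8) | p[3];
}

// Mock png_read_info: validates the signature and reads IHDR (CRCs are not checked).
static void fake_png_read_info(fake_png_struct* png) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    const std::vector<unsigned char>& b = *png->src;
    if (b.size() < 33 || std::memcmp(b.data(), sig, 8) != 0) fake_png_error(png, "Not a PNG file");
    if (std::memcmp(&b[12], "IHDR", 4) != 0) fake_png_error(png, "Missing IHDR");
    png->width = be32(&b[16]);
    png->height = be32(&b[20]);
}

// Mock png_read_rows: walks the chunks after IHDR (offset 33) and needs at least one byte
// of IDAT payload. The issue's sample declares a zero-length IDAT, so it fails exactly here.
static void fake_png_read_rows(fake_png_struct* png, std::vector<unsigned char>& out) {
    const std::vector<unsigned char>& b = *png->src;
    std::size_t idat_bytes = 0;
    for (std::size_t p = 33; p + 8 <= b.size(); ) {
        std::uint32_t len = be32(&b[p]);
        if (std::memcmp(&b[p + 4], "IEND", 4) == 0) break;
        if (std::memcmp(&b[p + 4], "IDAT", 4) == 0) idat_bytes += len;
        p += 12 + std::size_t(len);   // length + type + data + CRC
    }
    if (idat_bytes == 0) fake_png_error(png, "Not enough image data");
    out.assign(std::size_t(png->width) * png->height * 3, 0);   // 8-bit RGB
}

// The fix pattern: every call into the library gets its own setjmp, in a frame that is
// still alive if the library longjmps. Only trivially destructible locals may exist
// between the setjmp and the longjmp, since longjmp runs no destructors. A plain
// std::runtime_error stands in for GIL's own exception type.
template <class F>
static void guarded_png_call(fake_png_struct* png, F&& f) {
    if (setjmp(png->jmpbuf) != 0)
        throw std::runtime_error(std::string("png error: ") + png->error_msg);
    f();
}

struct rgb8_image { std::uint32_t width = 0, height = 0; std::vector<unsigned char> pixels; };

static rgb8_image read_image_safe(const std::vector<unsigned char>& bytes) {
    fake_png_struct png;
    png.src = &bytes;
    rgb8_image img;
    guarded_png_call(&png, [&] { fake_png_read_info(&png); });              // read_header's guard
    img.width = png.width;
    img.height = png.height;
    guarded_png_call(&png, [&] { fake_png_read_rows(&png, img.pixels); });  // the guard read_rows lacked
    return img;
}

// Returns the error text instead of throwing; "" means the read succeeded.
static std::string try_read(const std::vector<unsigned char>& bytes) {
    try { read_image_safe(bytes); return ""; }
    catch (const std::runtime_error& e) { return e.what(); }
}

// Constructed samples: the corrupt file from the issue (1024x1449 RGB, zero-length IDAT)
// and a 2x2 variant with one byte of IDAT payload (dummy CRCs, which the mock ignores).
static const std::vector<unsigned char> corrupt_png = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D, 'I', 'H', 'D', 'R',
    0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 0xA9, 0x08, 0x02, 0x00, 0x00, 0x00, 0x68, 0x1B, 0xF7, 0x46,
    0x00, 0x00, 0x00, 0x00, 'I', 'D', 'A', 'T', 0x35, 0xAF, 0x06, 0x1E,
    0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82};
static const std::vector<unsigned char> tiny_png = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D, 'I', 'H', 'D', 'R',
    0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x08, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01, 'I', 'D', 'A', 'T', 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82};
```

With the guard installed around the row read, the corrupt sample from the issue produces "png error: Not enough image data" as a catchable exception instead of a longjmp into a frame that no longer exists. The same structure carries over to a real libpng reader: the setjmp goes through png_jmpbuf on the live png_struct, and the cleanup call (png_destroy_read_struct) runs after the guard has turned the jump into an exception, in a frame that still owns the structs.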
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 15 (8 by maintainers)
@mloskot, I can have a look at it after November 22. If I don't come back, please ping me.
EDIT: It might take a bit longer, probably after finals are over (around the 4th of December).