crash in png plugin on huge file
VLC crashes in png plugin, probably because of the huge file.
the file is available on http://people.videolan.org/~xtophe/vlc.png [23M]
the backtrace is available on http://dumpz.org/9996/
Activity
added Component::Decoders Severity::normal Type::bug + 1 deleted label
changed milestone to %1.1 bugs
I'm seeing 2 different crashes, here is one of them:
Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffea71c910 (LWP 3893)] memcpy () at ../sysdeps/x86_64/memcpy.S:90 90 ../sysdeps/x86_64/memcpy.S: Aucun fichier ou dossier de ce type. in ../sysdeps/x86_64/memcpy.S Current language: auto The current source language is "auto; currently asm". (gdb) frame 1 [#1](https://code.videolan.org/videolan/vlc/-/issues/1) 0x00007ffff63f7390 in user_read (p_png=0x7765b0, data=0x7fffea71b4a0 "дq\352\033", i_length=4) at ../../../vlc/modules/codec/png.c:95 95 memcpy( data, p_block->p_buffer, i_read ); Current language: auto The current source language is "auto; currently c". (gdb) print *p_block $14 = {p_next = 0xffffffffffffffff, i_flags = 4294967295, i_pts = -1, i_dts = -1, i_length = -1, i_nb_samples = 4294967295, i_rate = -1, i_buffer = 18446744073709551615, p_buffer = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, pf_release = 0xffffffffffffffff} (gdb)I didn't spot a memset(png_ptr->io_ptr, -1, X) in libpng, and anyway libpng wouldn't know the size of our io pointer.
assigned to @funman and unassigned @MigrationBot
commit 33f12f75 Author: Rafaël Carré rafael.carre@gmail.com Date: Fri Oct 30 09:36:09 2009 +0100
Fix integer overflow in picture size calculation Closes [#2885](https://code.videolan.org/videolan/vlc/-/issues/2885)Original author: rafael.carre@gmail.com
added Status::fixed label
Please register or sign in to reply