Bug 830801

Summary: pnmtopclxl is aborted when converting pbm file
Product: Red Hat Enterprise Linux 7 Reporter: Iveta Wiedermann <isenfeld>
Component: netpbmAssignee: Jindrich Novy <jnovy>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: pknirsch
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: netpbm-10.58.01-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-15 14:03:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File to convert none

Description Iveta Wiedermann 2012-06-11 12:52:57 UTC 
Created attachment 590922 [details]
File to convert

Description of problem:
when running pnmtopclxl on test.pbm, it gets aborted

# pnmtopclxl <test.pbm
%-12345X@PJL ENTER LANGUAGE=PCLXL
) HP-PCL XL;1;1;Generated by Netpbm Pnmtopclxl
�,,�������������Hpnmtopclxl: Processing File 1, Page 1
��(��%C��j��Lk��d��b�d�l�d�k�dd�g���m��c��e�������������������������]����������n���������Z����������t�]]�����j�UW�����������ڪ>������	�J�j˷������
�ꪫUU��������
���mZ��������
�%$���U^������
�R��UV��������
ʤI$��կ�����
ԕ$�I�US������
�)UIVKZ�����
            ��RD�R�UV�����
                          ��H�$�J���������m��c��e�*** glibc detected *** pnmtopclxl: free(): invalid next size (normal): 0x0000000001ebb580 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3c2a87c80e]
pnmtopclxl[0x4023f9]
pnmtopclxl[0x4017de]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x3c2a821735]
pnmtopclxl[0x401a5d]
======= Memory map: ========
00400000-00403000 r-xp 00000000 fd:01 1472221                            /usr/bin/pnmtopclxl
00603000-00604000 rw-p 00003000 fd:01 1472221                            /usr/bin/pnmtopclxl
01eba000-01edc000 rw-p 00000000 00:00 0                                  [heap]
3c2a400000-3c2a420000 r-xp 00000000 fd:01 1443060                        /usr/lib64/ld-2.15.so
3c2a61f000-3c2a620000 r--p 0001f000 fd:01 1443060                        /usr/lib64/ld-2.15.so
3c2a620000-3c2a621000 rw-p 00020000 fd:01 1443060                        /usr/lib64/ld-2.15.so
3c2a621000-3c2a622000 rw-p 00000000 00:00 0 
3c2a800000-3c2a9ac000 r-xp 00000000 fd:01 1465706                        /usr/lib64/libc-2.15.so
3c2a9ac000-3c2abac000 ---p 001ac000 fd:01 1465706                        /usr/lib64/libc-2.15.so
3c2abac000-3c2abb0000 r--p 001ac000 fd:01 1465706                        /usr/lib64/libc-2.15.so
3c2abb0000-3c2abb2000 rw-p 001b0000 fd:01 1465706                        /usr/lib64/libc-2.15.so
3c2abb2000-3c2abb7000 rw-p 00000000 00:00 0 
3c2bc00000-3c2bcfa000 r-xp 00000000 fd:01 1465712                        /usr/lib64/libm-2.15.so
3c2bcfa000-3c2bef9000 ---p 000fa000 fd:01 1465712                        /usr/lib64/libm-2.15.so
3c2bef9000-3c2befa000 r--p 000f9000 fd:01 1465712                        /usr/lib64/libm-2.15.so
3c2befa000-3c2befb000 rw-p 000fa000 fd:01 1465712                        /usr/lib64/libm-2.15.so
3c2d800000-3c2d815000 r-xp 00000000 fd:01 1469192                        /usr/lib64/libgcc_s-4.7.0-20120507.so.1
3c2d815000-3c2da14000 ---p 00015000 fd:01 1469192                        /usr/lib64/libgcc_s-4.7.0-20120507.so.1
3c2da14000-3c2da15000 r--p 00014000 fd:01 1469192                        /usr/lib64/libgcc_s-4.7.0-20120507.so.1
3c2da15000-3c2da16000 rw-p 00015000 fd:01 1469192                        /usr/lib64/libgcc_s-4.7.0-20120507.so.1
7ffb97f82000-7ffb97f85000 rw-p 00000000 00:00 0 
7ffb97f85000-7ffb97fbb000 r-xp 00000000 fd:01 1471981                    /usr/lib64/libnetpbm.so.11.57
7ffb97fbb000-7ffb981bb000 ---p 00036000 fd:01 1471981                    /usr/lib64/libnetpbm.so.11.57
7ffb981bb000-7ffb981bf000 rw-p 00036000 fd:01 1471981                    /usr/lib64/libnetpbm.so.11.57
7ffb981ce000-7ffb981d1000 rw-p 00000000 00:00 0 
7fffc0075000-7fffc0096000 rw-p 00000000 00:00 0                          [stack]
7fffc0147000-7fffc0148000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)


Version-Release number of selected component (if applicable):
netpbm-progs-10.57.01-1.el7

How reproducible:
100%

Steps to Reproduce:
1. pnmtopclxl <test.pbm
2.
3.
  
Actual results:
Prints backtrace and is aborted

Expected results:
Converts file

Additional info:
Comment 2 Jindrich Novy 2012-06-13 14:50:32 UTC 
It is caused by a stupid thinko of pnmtopclxl author:

        rleP->fbuf = malloc(size);

        if (rleP->fbuf) {
            rleP->fbufsize = MAX(1024, size);
            retval = rleP;

what triggers memory corruption if size is lesser than 1024. Patch is applied in rawhide netpbm-10.58.01-3.
Comment 3 Jindrich Novy 2012-06-15 14:03:56 UTC 
netpbm-10.58.01 with fix for this issue has been imported to RHEL-7.