Bug 157110 - bmptopnm does not convert valid bitmaps -- reports error instead and segfaults
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: netpbm
Version: 4
Hardware: i686 Linux
Priority: medium, Severity: high
Assigned To: Jindrich Novy
QA Contact: Ben Levenson
Reported: 2005-05-06 17:45 EDT by David Costanzo
Modified: 2013-07-02 19:07 EDT
Fixed In Version: 10.27-2
Doc Type: Bug Fix
Last Closed: 2005-05-09 06:27:24 EDT
Attachments:
24bpp-320x240.bmp -- a valid bitmap (225.05 KB, image/bmp), 2005-05-06 17:46 EDT, David Costanzo
Proposed fix (737 bytes, patch), 2005-05-06 18:01 EDT, David Costanzo

Description David Costanzo 2005-05-06 17:45:08 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.7.7-2

Description of problem:
bmptopnm does not convert valid bitmaps.  Instead, it reports that the header is bogus.


Version-Release number of selected component (if applicable):
netpbm-progs-10.27-1

How reproducible:
Always

Steps to Reproduce:
1. Execute "bmptopnm 24bpp-320x240.bmp"
  

Actual Results:  bmptopnm prints out:

  bmptopnm: Standard Input: unknown Info Header size: 0 bytes

Expected Results:  bmptopnm outputs the bitmap as a pnm file to stdout.  (At least, I *think* that's what should happen.  I'm new to this toolkit).

Additional info:

I have given this a High severity, even though it's not a crash, memory leak, or loss of data, because it makes the program useless.
Comment 1 David Costanzo 2005-05-06 17:46:41 EDT
Created attachment 114103
24bpp-320x240.bmp -- a valid bitmap

This is the bitmap that I used to reproduce the bug.  Any valid bitmap should
do.
Comment 2 David Costanzo 2005-05-06 18:01:28 EDT
Created attachment 114106
Proposed fix

The problem is more severe than I thought.  The bug is in pm_readlittleshort()
and pm_readlittlelong(), which are called by many other programs within the
toolkit (not just bmptopbm).  The bug is that pm_readlittlelong() only called
getch() twice and pm_readlittleshort() only called getch() once.

I checked that similar bugs are NOT present in the big-endian version of these
functions.
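
The short-read bug described in comment 2, as an added example that is not part of the original thread and not netpbm code: a little-endian reader parameterised by how many bytes it consumes, run over a constructed BMP file header. The names `cursor`, `read_le` and `info_header_size`, the sample bytes, and the order of reads (magic, long, short, short, long, long, following the standard BMP file header layout) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte cursor standing in for a stream that is read one byte at a time. */
struct cursor { const unsigned char *p; size_t len, pos; };

static int next_byte(struct cursor *c) {
    return c->pos < c->len ? c->p[c->pos++] : -1;   /* -1 models EOF */
}

/* Read an n-byte little-endian integer; returns 0 on success, -1 on EOF. */
static int read_le(struct cursor *c, int n, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) {
        int b = next_byte(c);
        if (b < 0) return -1;
        v |= (uint32_t)b << (8 * i);
    }
    *out = v;
    return 0;
}

/* Constructed sample: 14-byte BMP file header plus the info header's size field. */
static const unsigned char sample[18] = {
    'B', 'M',
    0x36, 0x84, 0x03, 0x00,   /* file size: 230454 */
    0, 0, 0, 0,               /* two reserved shorts */
    0x36, 0, 0, 0,            /* offset to pixel data: 54 */
    40, 0, 0, 0               /* info header size: 40 */
};

/* Return the info header size field, or -1 on bad magic or truncated input.
   short_n and long_n are the bytes consumed per short and per long read. */
long info_header_size(const unsigned char *buf, size_t len, int short_n, int long_n) {
    struct cursor c = { buf, len, 0 };
    /* file size, reserved, reserved, pixel offset, info header size */
    const int widths[5] = { long_n, short_n, short_n, long_n, long_n };
    uint32_t v = 0;
    if (next_byte(&c) != 'B' || next_byte(&c) != 'M') return -1;
    for (int i = 0; i < 5; i++)
        if (read_le(&c, widths[i], &v)) return -1;
    return (long)v;
}

int main(void) {
    printf("2/4-byte reads: %ld\n", info_header_size(sample, sizeof sample, 2, 4));
    printf("1/2-byte reads: %ld\n", info_header_size(sample, sizeof sample, 1, 2));
    return 0;
}
```

With one byte per short and two per long, the last read lands on the reserved field at offsets 8-9 and yields 0, which matches the "unknown Info Header size: 0 bytes" message in the report.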
Comment 3 Jindrich Novy 2005-05-09 04:36:27 EDT
Hello David,

the high severity is pretty suitable for this as bmptopnm doesn't work at all in
certain cases. I found a memory corruption in the code where it segfaults
because bmptopnm uses an uninitialized pointer for colormaps which it tries to free()
at the end in case BMPheader.cmapsize == 0.
Comment 4 Jindrich Novy 2005-05-09 06:27:24 EDT
Fixed & rebuilt.