Bug 1652622 - There is an illegal READ memory access at caca/dither.c:1347 (function: get_rgba_default) in libcaca latest version.
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: libcaca   
Version: rawhide
Hardware: All
OS: All
Priority: unspecified
Severity: urgent
Assignee: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-11-22 13:27 UTC by shuitao gan
Modified: 2018-12-29 14:19 UTC (History)
Type: Bug

Attachments
./img2txt POC1 (86 bytes, image/bmp)
2018-11-22 13:27 UTC, shuitao gan

Description shuitao gan 2018-11-22 13:27:49 UTC
Created attachment 1507951
./img2txt POC1

version: libcaca0.99beta19
Summary: 

There is an illegal READ memory access at caca/dither.c:1347 (function: get_rgba_default) in libcaca latest version.

Description:

The asan debug is as follows:

$./img2txt POC1

=================================================================
==28249==ERROR: AddressSanitizer: SEGV on unknown address 0x7f88ae6a7004 (pc 0x7f88b2b37857 bp 0x000000000042 sp 0x7ffe82454ed0 T0)
==28249==The signal is caused by a READ memory access.
    #0 0x7f88b2b37856 in get_rgba_default /home/company/real/libcaca-master/caca/dither.c:1347
    #1 0x7f88b2b3aa16 in caca_dither_bitmap /home/company/real/libcaca-master/caca/dither.c:1009
    #2 0x55688cdba96e in main /home/company/real/libcaca-master/src/img2txt.c:210
    #3 0x7f88b27581c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #4 0x55688cdbaf09 in _start (/home/company/real/libcaca-master/install_asan/bin/img2txt+0x2f09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/company/real/libcaca-master/caca/dither.c:1347 in get_rgba_default
==28249==ABORTING

1312 static void get_rgba_default(caca_dither_t const *d, uint8_t const *pixels,
1313                              int x, int y, unsigned int *rgba)
1314 {
1315     uint32_t bits;
1316 
1317     pixels += (d->bpp / 8) * x + d->pitch * y;
1318 
1319     switch(d->bpp / 8)
1320     {
1321         case 4:
1322             bits = *(uint32_t const *)pixels;
1323             break;
1324         case 3:
1325         {
1326 #if defined(HAVE_ENDIAN_H)
1327             if(__BYTE_ORDER == __BIG_ENDIAN)
1328 #else
1329             /* This is compile-time optimised with at least -O1 or -Os */
1330             uint32_t const tmp = 0x12345678;
1331             if(*(uint8_t const *)&tmp == 0x12)
1332 #endif
1333                 bits = ((uint32_t)pixels[0] << 16) |
1334                        ((uint32_t)pixels[1] << 8) |
1335                        ((uint32_t)pixels[2]);
1336             else
1337                 bits = ((uint32_t)pixels[2] << 16) |   //illegal READ memory access
1338                        ((uint32_t)pixels[1] << 8) |
1339                        ((uint32_t)pixels[0]);
1340             break;
1341         }
1342         case 2:
1343             bits = *(uint16_t const *)pixels;
1344             break;
1345         case 1:
1346         default:
1347             bits = pixels[0];    // illegal READ memory access
1348             break;
1349     }
1350 
1351     if(d->has_palette)
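
An added example, not part of the bug report or of libcaca: one way to bounds-check the offset computed at line 1317 before the reads at lines 1322 to 1347 dereference it. `struct geom`, `geom_fits_buffer` and `read_pixel_checked` are hypothetical names, and the restriction to 8/16/24/32 bpp with a positive pitch is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the caca_dither_t fields used at dither.c:1317. */
struct geom { int bpp, w, h, pitch; };  /* bits/pixel, pixels, pixels, bytes/row */

/* 1 if every pixel of a w x h image can be read in full from buf_len bytes. */
int geom_fits_buffer(const struct geom *g, size_t buf_len)
{
    size_t bytes_pp, row_bytes, pitch, last_row;

    if (g->bpp != 8 && g->bpp != 16 && g->bpp != 24 && g->bpp != 32)
        return 0;
    if (g->w <= 0 || g->h <= 0 || g->pitch <= 0)
        return 0;
    bytes_pp = (size_t)g->bpp / 8;
    pitch = (size_t)g->pitch;
    row_bytes = (size_t)g->w * bytes_pp;
    if (row_bytes / bytes_pp != (size_t)g->w || row_bytes > pitch)
        return 0;               /* product wrapped, or row wider than pitch */
    last_row = (size_t)(g->h - 1);
    if (last_row > (SIZE_MAX - row_bytes) / pitch)
        return 0;               /* pitch * (h - 1) + row_bytes would wrap */
    return pitch * last_row + row_bytes <= buf_len;
}

/* Bounds-checked counterpart of the switch in the excerpt: returns 0 with
 * *bits set, or -1 if the geometry or (x, y) would read outside buf. */
int read_pixel_checked(const struct geom *g, const uint8_t *buf,
                       size_t buf_len, int x, int y, uint32_t *bits)
{
    const uint8_t *p;
    uint32_t v32;
    uint16_t v16;

    if (!geom_fits_buffer(g, buf_len) || x < 0 || y < 0 || x >= g->w || y >= g->h)
        return -1;
    p = buf + (size_t)(g->bpp / 8) * (size_t)x + (size_t)g->pitch * (size_t)y;
    switch (g->bpp / 8) {
    case 4: memcpy(&v32, p, 4); *bits = v32; break;  /* no unaligned cast */
    case 3: /* byte order of the excerpt's little-endian branch */
        *bits = ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0]; break;
    case 2: memcpy(&v16, p, 2); *bits = v16; break;
    default: *bits = p[0]; break;
    }
    return 0;
}
```

Running `geom_fits_buffer` once when the image is loaded, with the real allocation size, rejects a header whose declared dimensions exceed the data that was actually read.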

Comment 1 Leonardo Taccari 2018-12-28 22:38:58 UTC
Hello shuitao!
Was this reported upstream? If not, can you please share this problem also with them?

Thank you!

Comment 2 Henri Salo 2018-12-29 03:28:39 UTC
Reported to upstream https://github.com/cacalabs/libcaca/issues/38

Comment 3 Leonardo Taccari 2018-12-29 14:19:48 UTC
Thank you very much Henri!

