Bug 830801 - pnmtopclxl is aborted when converting pbm file
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: netpbm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Jindrich Novy
QA Contact: BaseOS QE - Apps
Keywords: Regression
 
Reported: 2012-06-11 08:52 EDT by Iveta Wiedermann
Modified: 2013-07-02 19:56 EDT
Fixed In Version: netpbm-10.58.01-1.el7
Doc Type: Bug Fix
Last Closed: 2012-06-15 10:03:56 EDT
Type: Bug


Attachments
File to convert (1.28 KB, image/x-portable-bitmap)
2012-06-11 08:52 EDT, Iveta Wiedermann

Description Iveta Wiedermann 2012-06-11 08:52:57 EDT
Created attachment 590922
File to convert

Description of problem:
When running pnmtopclxl on test.pbm, it gets aborted.

# pnmtopclxl <test.pbm
%-12345X@PJL ENTER LANGUAGE=PCLXL
) HP-PCL XL;1;1;Generated by Netpbm Pnmtopclxl
pnmtopclxl: Processing File 1, Page 1
[binary PCL XL output]
*** glibc detected *** pnmtopclxl: free(): invalid next size (normal): 0x0000000001ebb580 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3c2a87c80e]
pnmtopclxl[0x4023f9]
pnmtopclxl[0x4017de]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x3c2a821735]
pnmtopclxl[0x401a5d]
Aborted (core dumped)


Version-Release number of selected component (if applicable):
netpbm-progs-10.57.01-1.el7

How reproducible:
100%

Steps to Reproduce:
1. pnmtopclxl <test.pbm
Actual results:
Prints backtrace and is aborted

Expected results:
Converts file

Additional info:
Comment 2 Jindrich Novy 2012-06-13 10:50:32 EDT
It is caused by a stupid thinko of the pnmtopclxl author:

        rleP->fbuf = malloc(size);

        if (rleP->fbuf) {
            rleP->fbufsize = MAX(1024, size);
            retval = rleP;

which triggers memory corruption if size is less than 1024. Patch is applied in rawhide netpbm-10.58.01-3.
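
Added example, not part of the original comment and not netpbm code: a minimal C model of the mismatch described above, where the recorded capacity (fbufsize) can exceed the bytes actually obtained from malloc(). The struct, the function names, the extra 'allocated' field and the corrected initialiser are assumptions made for illustration; the actual patch is not shown on this page.

```c
#include <stdlib.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Hypothetical stand-in for the encoder state. fbuf and fbufsize are the
   fields named in the comment; 'allocated' is added here for auditing. */
struct rle {
    unsigned char *fbuf;
    size_t fbufsize;   /* capacity the rest of the code trusts */
    size_t allocated;  /* bytes actually requested from malloc() */
};

/* Pattern quoted in the comment: malloc(size), but record MAX(1024, size). */
int rle_init_buggy(struct rle *r, size_t size) {
    r->fbuf = malloc(size);
    if (!r->fbuf) return -1;
    r->allocated = size;
    r->fbufsize = MAX(1024, size);
    return 0;
}

/* Assumed correction: compute the capacity once and use it for both. */
int rle_init_fixed(struct rle *r, size_t size) {
    size_t cap = MAX(1024, size);
    r->fbuf = malloc(cap);
    if (!r->fbuf) return -1;
    r->allocated = cap;
    r->fbufsize = cap;
    return 0;
}

/* Bytes a writer that trusts fbufsize could place past the allocation. */
size_t rle_overhang(const struct rle *r) {
    return r->fbufsize > r->allocated ? r->fbufsize - r->allocated : 0;
}

/* Initialise, report the overhang, release. fixed != 0 selects the fix.
   Returns (size_t)-1 if allocation fails. */
size_t overhang_for(size_t size, int fixed) {
    struct rle r;
    size_t gap;
    if ((fixed ? rle_init_fixed : rle_init_buggy)(&r, size) != 0)
        return (size_t)-1;
    gap = rle_overhang(&r);
    free(r.fbuf);
    return gap;
}
```

A non-zero overhang means writes bounded only by fbufsize can run into the next heap chunk's metadata, which is the condition glibc reports as "free(): invalid next size" when the buffer is released.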
Comment 3 Jindrich Novy 2012-06-15 10:03:56 EDT
netpbm-10.58.01 with fix for this issue has been imported to RHEL-7.
