Your message dated Thu, 16 Oct 2008 09:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#502350: fixed in gqcam 0.9.1-5
has caused the Debian Bug report #502350,
regarding buffer overflow in gqcam
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
502350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502350
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: gqcam
Version: 0.9.1-4
X-Debbugs-CC: [EMAIL PROTECTED]
Severity: important
Tags: patch
When running gqcam on eeePC 901, the default allocated rawbuffer at gqcam.h:209
is too small: it supports a maximum of 640x480. The available buffer length is
not checked and this results in a segmentation fault almost immediately.
The info about the camera:
$ dov4l -q
dov4l v0.9, (C) 2003-2006 by [EMAIL PROTECTED]
Canonical name for this interface: CNF7129
Type of interface:
Can capture to memory
Number of radio/tv channels if appropriate: 1
Number of audio devices if appropriate: 0
Maximum capture width in pixels: 1280
Maximum capture height in pixels: 1024
Minimum capture width in pixels: 48
Minimum capture height in pixels: 32
Image size (x,y): 320, 240
VDIOCGCHAN: Invalid argument
diff -upr gqcam-0.9.1.orig/gqcam.c gqcam-0.9.1/gqcam.c
--- gqcam-0.9.1.orig/gqcam.c 2008-10-15 21:42:48.000000000 +0200
+++ gqcam-0.9.1/gqcam.c 2008-10-15 22:23:01.000000000 +0200
@@ -46,6 +46,8 @@ char version[] = VERSION;
void init_cam(struct Camera *camera)
{
+ memset(camera, 0, sizeof(*camera));
+
camera->greyscale = 0;
camera->pic = NULL;
camera->picbuff = NULL;
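Review bot: the memset added at the top of init_cam makes the explicit assignments that follow it (camera->greyscale = 0, camera->pic = NULL, camera->picbuff = NULL) redundant. Either drop those assignments or add a one-line comment saying why the whole struct is being zeroed here, since the report only describes the rawbuffer overrun and does not mention uninitialised members.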
@@ -95,9 +97,15 @@ void get_cam_info(struct Camera *camera)
int i;
struct video_clip vid_clips[32];
- ioctl(camera->dev, VIDIOCGCAP, &camera->vid_caps);
- ioctl(camera->dev, VIDIOCGWIN, &camera->vid_win);
- ioctl(camera->dev, VIDIOCGPICT, &camera->vid_pic);
+ if (ioctl(camera->dev, VIDIOCGCAP, &camera->vid_caps) == -1) {
+ perror("ioctl(VIDIOCGCAP)");
+ }
+ if (ioctl(camera->dev, VIDIOCGWIN, &camera->vid_win) == -1) {
+ perror("ioctl(VIDIOCGWIN)");
+ }
+ if (ioctl(camera->dev, VIDIOCGPICT, &camera->vid_pic) == -1) {
+ perror("ioctl(VIDIOCGPICT)");
+ }
for (i = 0; i < 32; i++) {
vid_clips[i].x = 0;
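Review bot: in get_cam_info the three new ioctl checks only call perror and then fall through, so a failed VIDIOCGCAP is logged but the function still returns void and the caller cannot tell that camera->vid_caps was never filled in. grab_image calls get_cam_info and then derives its read length from vid_caps.maxwidth and vid_caps.maxheight, so I would change the return type to int, return on the first failure, and have grab_image skip the frame when it does.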
@@ -267,6 +275,7 @@ void grab_image(struct Camera *camera)
GdkEventExpose *event;
int input_type;
struct ov511_frame temp;
+ size_t read_size;
get_cam_info(camera);
@@ -314,13 +323,25 @@ void grab_image(struct Camera *camera)
switch(input_type) {
case INPUT_YUV:
- camera->img_size = read (camera->dev, camera->rawbuffer, camera->vid_caps.maxwidth * camera->vid_caps.maxheight * 3);
+ read_size = camera->vid_caps.maxwidth * camera->vid_caps.maxheight * 3;
+ if (sizeof(camera->rawbuffer) < read_size) {
+ fprintf(stderr, "%s:%u: FATAL: rawbuffer too small to store a %ux%u picture and dynamic allocation not supported, yet\n",
+ __FILE__, __LINE__, camera->vid_caps.maxwidth, camera->vid_caps.maxheight);
+ break;
+ }
+ camera->img_size = read (camera->dev, camera->rawbuffer, read_size);
temp.width = temp.rawwidth = camera->vid_caps.maxwidth;
temp.height = temp.rawheight = camera->vid_caps.maxheight;
yuv420p_to_rgb(&temp, camera->rawbuffer, camera->picbuff, 24);
break;
case INPUT_RGB:
- camera->img_size = read (camera->dev, camera->picbuff, camera->vid_caps.maxwidth * camera->vid_caps.maxheight * 3);
+ read_size = camera->vid_caps.maxwidth * camera->vid_caps.maxheight * 3;
+ if (sizeof(camera->rawbuffer) < read_size) {
+ fprintf(stderr, "%s:%u: FATAL: rawbuffer too small to store a %ux%u picture and dynamic allocation not supported, yet\n",
+ __FILE__, __LINE__, camera->vid_caps.maxwidth, camera->vid_caps.maxheight);
+ break;
+ }
+ camera->img_size = read (camera->dev, camera->picbuff, read_size);
break;
case INPUT_JPEG:
camera->img_size = read (camera->dev, camera->rawbuffer, sizeof(camera->rawbuffer)) - JPEG_HEADER_SIZE; // TODO error management
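Review bot: in the INPUT_RGB case the new check compares read_size against sizeof(camera->rawbuffer), but the read() that follows writes into camera->picbuff, which init_cam sets with camera->picbuff = NULL and is therefore a separately allocated pointer; the check does not bound that write, and the "rawbuffer too small" message is misleading there. Compare against the size picbuff was allocated with instead, and apply the same check in the INPUT_YUV case, where yuv420p_to_rgb writes the converted frame into picbuff. Two smaller points in the same hunk: maxwidth * maxheight * 3 is evaluated in the type of the vid_caps fields before it is stored in size_t read_size, so cast the first operand to size_t; and the early break leaves camera->img_size at its previous value and the return value of read() is still unchecked, so whatever runs after the switch cannot tell that no frame was read.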
--- End Message ---
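The length check the report above asks for, written as a stand-alone helper. This is an added example, not code from gqcam or from the submitted patch; `frame_read_size`, `RAWBUF_CAP` and `BYTES_PER_PIXEL` are hypothetical names, and the capacity is assumed from the report's "maximum of 640x480" together with the `* 3` in the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed capacity: the report says the static buffer fits at most 640x480;
 * 3 bytes per pixel matches the "* 3" in the patch. */
#define RAWBUF_CAP ((size_t)640 * 480 * 3)
#define BYTES_PER_PIXEL 3u

/* Hypothetical helper: compute the read length for a driver-reported
 * geometry and confirm it fits in a destination of `cap` bytes.
 * Returns 0 and stores the length in *out on success, -1 otherwise;
 * *out is left untouched on failure. */
static int frame_read_size(int width, int height, size_t cap, size_t *out)
{
    if (width <= 0 || height <= 0)
        return -1;              /* unfilled or nonsensical capability data */

    size_t w = (size_t)width, h = (size_t)height;

    /* Test each multiplication in size_t before performing it, so the
     * product cannot wrap the way a narrower expression could. */
    if (w > SIZE_MAX / h)
        return -1;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)
        return -1;
    size_t need = pixels * BYTES_PER_PIXEL;

    if (need > cap)
        return -1;              /* read() would overrun the destination */
    *out = need;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the camera maximum quoted in the report and the
     * largest geometry the static buffer was sized for. */
    size_t n = 0;
    int big = frame_read_size(1280, 1024, RAWBUF_CAP, &n);
    int ok = frame_read_size(640, 480, RAWBUF_CAP, &n);
    printf("1280x1024 -> %d\n", big);
    printf("640x480   -> %d (%zu bytes)\n", ok, n);
    return 0;
}
```

The `cap` argument must be the capacity of the buffer that `read()` actually writes into, which differs between the YUV and RGB branches of the patched code.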
--- Begin Message ---
Source: gqcam
Source-Version: 0.9.1-5
We believe that the bug you reported is fixed in the latest version of
gqcam, which is due to be installed in the Debian FTP archive:
gqcam_0.9.1-5.diff.gz
to pool/main/g/gqcam/gqcam_0.9.1-5.diff.gz
gqcam_0.9.1-5.dsc
to pool/main/g/gqcam/gqcam_0.9.1-5.dsc
gqcam_0.9.1-5_i386.deb
to pool/main/g/gqcam/gqcam_0.9.1-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> (supplier of updated gqcam package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 16 Oct 2008 11:00:53 +0200
Source: gqcam
Binary: gqcam
Architecture: source i386
Version: 0.9.1-5
Distribution: unstable
Urgency: low
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Changed-By: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Description:
gqcam - GTK Webcam control
Closes: 502350
Changes:
gqcam (0.9.1-5) unstable; urgency=low
.
* Fix buffer overflow in gqcam.c. (Closes: #502350)
Thanks Németh Márton for finding out and patch.
* Updated debian/menu
* Bumped Standards-Version to 3.8.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkj3BWoACgkQxRSvjkukAcMO5QCdFVjNda1d6KUOK8UKw6PCCTMt
VJ0AoLD5bD4y2zmAtdXGbEx7QlW2ixsU
=ITPn
-----END PGP SIGNATURE-----
--- End Message ---