Your message dated Wed, 07 Dec 2005 19:32:08 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#308981: fixed in libgd2 2.0.33-3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 13 May 2005 15:46:55 +0000
From: Jim Meyering <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libgd2-xpm: infinite loop on invalid .gif buffer
Date: Fri, 13 May 2005 17:46:23 +0200
Message-ID: <[EMAIL PROTECTED]>
Package: libgd2-xpm
Version: 2.0.33-2
Severity: normal
Tags: patch
Given a truncated GIF *buffer*, gd-2.0.33's gdImageCreateFromGifPtr
function gets stuck in an infinite loop.
Note that gdImageCreateFromGif does not have this problem.
Here's a simple program to illustrate the bug:
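-----------------
#include <stdio.h>
#include <stdlib.h>
#include <gd.h>

int
main (void)
{
  /* Read up to 40000 bytes of GIF data from stdin.  */
  char buf[40000];
  int len = fread (buf, 1, sizeof buf, stdin);

  /* Hangs in unpatched gd-2.0.33 when the buffer is a truncated GIF.  */
  gdImageCreateFromGifPtr (len, buf);
  exit (0);
}
-----------------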
Any .gif file will do as input.
Just remove a few bytes from the end (removing 2 is often enough).
For example, create a 1x1 GIF and output all but the last two bytes:

  perl -MGD -e 'print substr(new GD::Image(1,1)->gif,0,-2)' > gd-infloop.gif

Then compile and run the C program:

  # Compile it:
  $ gcc -O -W -Wall k.c -lgd

  # Demonstrate that it hangs; interrupt after a few seconds:
  $ time ./a.out < gd-infloop.gif
  Command terminated by signal 2
  4.96user 0.00system 0:05.05elapsed 98%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (0major+288minor)pagefaults 0swaps

  # Using the fixed library, it terminates right away:
  $ time env LD_LIBRARY_PATH=/var/tmp/gd/lib ./a.out < gd-infloop.gif
  0.00user 0.00system 0:00.01elapsed 90%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (0major+383minor)pagefaults 0swaps
===================
You can demonstrate the infinite loop with a perl/GD one-liner, too.
This hangs:

  perl -MGD -e 'my $d = `cat gd-infloop.gif`; GD::Image->new($d) or die'

But with the patched library, it works fine:

  LD_LIBRARY_PATH=/var/tmp/gd/lib \
    perl -MGD -e 'my $d = `cat gd-infloop.gif`; GD::Image->new($d) or die'
================================
Here's the patch I'm using:
[don't treat a negative return value from gdGetBuf as `ok']
--- gd_gif_in.c.~1~ 2005-04-24 01:04:05.624546171 +0200
+++ gd_gif_in.c 2005-04-20 18:55:47.975056540 +0200
@@ -43,7 +43,7 @@ static int set_verbose(void)
#define LOCALCOLORMAP 0x80
#define BitSet(byte, bit) (((byte) & (bit)) == (bit))
-#define ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) != 0)
+#define ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) >= 0)
#define LM_to_uint(a,b) (((b)<<8)|(a))
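Review bot: the new ReadOK test on the `+` line accepts a return value of 0, which the old `!= 0` test rejected, so a read that delivers no bytes now counts as success although the stated aim is only to stop treating negative returns as ok. Unless a zero return from gdGetBuf is meant to be a success, `(gdGetBuf(buffer, len, file) > 0)` rejects both the negative and the zero case. If gdGetBuf returns the number of bytes read (an assumption, its definition is not in this hunk), comparing the result against `len` would also catch short reads on truncated input.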
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.8
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages libgd2-xpm depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libfontconfig1 2.3.2-1 generic font configuration library
ii libfreetype6 2.1.7-2.4 FreeType 2 font engine, shared lib
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii libxpm4 4.3.0.dfsg.1-12.0.1 X pixmap library
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
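
A constructed model of the failure reported above, added here as an example (it is not code from libgd or from the reporter). `struct membuf`, `mem_getbuf`, `skip_blocks` and the convention that the reader returns -1 once the buffer is exhausted are assumptions standing in for gdGetBuf on a memory buffer; the two macros mirror the two tests in the patch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for gd's memory-buffer reader (not libgd code).
   Assumption: returns bytes copied, or -1 once the buffer is exhausted. */
struct membuf { const unsigned char *data; size_t len, pos; };

static int mem_getbuf(void *dst, int want, struct membuf *m)
{
    size_t left = m->len - m->pos;
    if (left == 0) return -1;
    size_t n = (size_t)want < left ? (size_t)want : left;
    memcpy(dst, m->data + m->pos, n);
    m->pos += n;
    return (int)n;
}

/* The two tests from the patch, applied to the stand-in reader. */
#define READ_OK_OLD(m, b, n) (mem_getbuf(b, n, m) != 0)
#define READ_OK_NEW(m, b, n) (mem_getbuf(b, n, m) >= 0)

/* Walk GIF-style data sub-blocks (length byte, payload, ..., 0 terminator).
   Returns blocks skipped, -1 on read failure, or -2 when max_iter is hit,
   which is where an uncapped loop would spin forever. */
static int skip_blocks(const unsigned char *p, size_t len, int patched, int max_iter)
{
    struct membuf m = { p, len, 0 };
    unsigned char count = 0, block[255];
    for (int i = 0; i < max_iter; i++) {
        if (!(patched ? READ_OK_NEW(&m, &count, 1) : READ_OK_OLD(&m, &count, 1)))
            return -1;
        if (count == 0)
            return i;              /* terminator seen: clean end */
        /* After a failed read 'count' is stale; the old test carries on. */
        if (!(patched ? READ_OK_NEW(&m, block, count) : READ_OK_OLD(&m, block, count)))
            return -1;
    }
    return -2;
}

/* Constructed sample: one 2-byte sub-block followed by the terminator. */
static const unsigned char sample[] = { 0x02, 0xAA, 0xBB, 0x00 };

int main(void)
{
    printf("complete,  old test: %d\n", skip_blocks(sample, 4, 0, 1000));
    printf("truncated, old test: %d\n", skip_blocks(sample, 3, 0, 1000));
    printf("truncated, new test: %d\n", skip_blocks(sample, 3, 1, 1000));
    return 0;
}
```
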
---------------------------------------
Received: (at 308981-close) by bugs.debian.org; 8 Dec 2005 03:41:21 +0000
From: Jonas Smedegaard <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.60 $
Subject: Bug#308981: fixed in libgd2 2.0.33-3
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 07 Dec 2005 19:32:08 -0800
Source: libgd2
Source-Version: 2.0.33-3
We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:
libgd-tools_2.0.33-3_powerpc.deb
to pool/main/libg/libgd2/libgd-tools_2.0.33-3_powerpc.deb
libgd2-noxpm-dev_2.0.33-3_powerpc.deb
to pool/main/libg/libgd2/libgd2-noxpm-dev_2.0.33-3_powerpc.deb
libgd2-noxpm_2.0.33-3_powerpc.deb
to pool/main/libg/libgd2/libgd2-noxpm_2.0.33-3_powerpc.deb
libgd2-xpm-dev_2.0.33-3_powerpc.deb
to pool/main/libg/libgd2/libgd2-xpm-dev_2.0.33-3_powerpc.deb
libgd2-xpm_2.0.33-3_powerpc.deb
to pool/main/libg/libgd2/libgd2-xpm_2.0.33-3_powerpc.deb
libgd2_2.0.33-3.diff.gz
to pool/main/libg/libgd2/libgd2_2.0.33-3.diff.gz
libgd2_2.0.33-3.dsc
to pool/main/libg/libgd2/libgd2_2.0.33-3.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated libgd2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Thu, 8 Dec 2005 02:29:44 +0100
Source: libgd2
Binary: libgd2-noxpm-dev libgd2-noxpm libgd2-xpm libgd2-xpm-dev libgd-tools
Architecture: source powerpc
Version: 2.0.33-3
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description:
libgd-tools - GD command line tools and example code
libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
libgd2-xpm - GD Graphics Library version 2
libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 308981 312500 322044
Changes:
libgd2 (2.0.33-3) unstable; urgency=low
.
* Update debian/rules only if DEB_BUILD_OPTIONS contains "update".
* Auto-update debian/rules (and manually strip bogus build-dependency
on build-essential).
* Upgrade watch file to version 3.
* Standards version 3.6.2.
* Mention homepage (not website) on long descriptions.
* Add new local cdbs snippet copyright-check.mk.
* Update debian/copyright with differing (but still DFSG-free)
licensing of gd_gif_out.c (thanks to copyright-check.mk).
* Update TODO with a bunch of entries to the "packaging hall of shame"
(list of packages without -noxpm support).
* Add patch to not treat negative return values from buffer routines
as ok. Closes: bug#308981, #312500 (both thanks to Jim Meyering
<[EMAIL PROTECTED]>).
* Dropped old transitional packages libgd2 and libgd2-dev. Closes:
bug#322044 (thanks to Javier Fernández-Sanguino Peña
<[EMAIL PROTECTED]>).