A workaround patch for the following problem is attached.

On Wednesday 04 September 2013 10:52:08 Raphael Geissert wrote:
> On 3 September 2013 17:29, Raphael Geissert <[email protected]> wrote:
> > I just took a quick look at the updated packages in wheezy and
> > econvert crashes in most of the reproducers. In fact, the crashes can
> > not be reproduced consistently.
> > The patch seems to be applied, so I'm going to need to take a better
> > look at what is going on.
>
> Based on a few minutes with gdb, it is segfaulting when jumping from
> dcraw::lossless_jpeg_load_raw () at codecs/dcraw.h:957
>
> And...
> (db) print *env
> $1 = {__jmpbuf = {0, 0, 0, 0, 0, 0, 0, 0}, __mask_was_saved = 0,
> __saved_mask = {__val = {0 <repeats 16 times>}}}
>
> Checking the code there doesn't seem to be any call to setjmp (except
> for the one in dcraw's main()).
>
> So exactimage is basically jumping to a random location determined by
> the odds of the uninitialized variable. Hopefully there doesn't seem
> to be a way to manipulate its content.
Description: exactimage: DoS, econvert crashes
 setjmp must be called before decoding an image using dcraw because it
 uses longjmp after an error.
Author: Sven Eckelmann <[email protected]>
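The setjmp/longjmp contract the description refers to, as an added example in C that is not part of exactimage or the attached patch: a toy decoder whose identify() and load_raw() are constructed stand-ins for dcraw's (the "RAW1" magic and the one-byte width are made up) longjmps to `failure` on error, and the caller arms the jump target before the first decoder call and frees what was allocated when the jump fires.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of the dcraw-style error path the patch guards: the
 * decoder longjmp()s to `failure` on error, so the caller must setjmp() first. */
static jmp_buf failure;
static void decoder_error(void)
{
    longjmp(failure, 1);   /* undefined if nobody has called setjmp(failure) */
}

/* Toy identify(): constructed magic "RAW1", then one non-zero width byte. */
static int identify(const unsigned char *buf, size_t len)
{
    if (len < 5 || memcmp(buf, "RAW1", 4) != 0 || buf[4] == 0)
        decoder_error();
    return buf[4];
}

/* Toy load_raw(): fails on a truncated file, i.e. only after the caller
 * has already allocated the pixel buffer. */
static void load_raw(const unsigned char *buf, size_t len, int width,
                     unsigned char *pixels)
{
    if (len < 5 + (size_t) width)
        decoder_error();
    memcpy(pixels, buf + 5, (size_t) width);
}

/* Caller in the role of readImage(): arm the jump target before any decoder
 * call and free what was allocated if the decoder bails out (the cleanup the
 * patch leaves as a TODO). Returns the width, or -1 on decoding failure. */
int read_image(const unsigned char *buf, size_t len)
{
    /* volatile: written after setjmp() and read again after longjmp() */
    unsigned char *volatile pixels = NULL;
    int width;
    if (setjmp(failure)) {
        free(pixels);
        return -1;
    }
    width = identify(buf, len);
    pixels = malloc((size_t) width);
    if (!pixels)
        decoder_error();
    load_raw(buf, len, width, pixels);
    free(pixels);
    return width;
}
```

Without the setjmp() call, the bad-magic and truncated cases below would longjmp through a zeroed jmp_buf, which is the crash the thread observed.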
---
diff --git a/codecs/dcraw.cc b/codecs/dcraw.cc
index 4fad376cf099a62497f4261d17db61fb4a513c60..9d21c49528fc2d65a6ef78ad1c8121aa886a453c 100644
--- a/codecs/dcraw.cc
+++ b/codecs/dcraw.cc
@@ -161,7 +161,11 @@ int DCRAWCodec::readImage (std::istream* stream, Image& im, const std::string& d
if (use_camera_matrix < 0)
use_camera_matrix = use_camera_wb;
-
+
+ // TODO: cleanup on failure
+ if (setjmp (failure))
+ return false;
+
identify();
if (!is_raw)
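Review bot: the `// TODO: cleanup on failure` above `if (setjmp (failure)) return false;` is the real gap in this hunk: when dcraw longjmps out of identify() or a later load routine, whatever it allocated or opened up to that point is leaked, and since malformed input is exactly what triggers that path, every rejected file leaks. Two related points on the same lines: `failure` must be the jmp_buf that dcraw's error path actually longjmps to, and it is only valid while readImage is on the stack, so nothing may reach that longjmp after readImage has returned; and any local of readImage that is modified between the setjmp and the longjmp needs to be `volatile` to be read reliably in the `return false` path. Minor: the only other change in the hunk replaces a blank `-` line with a blank `+` line, which looks like whitespace-only churn and could be dropped.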
