https://bugs.kde.org/show_bug.cgi?id=440035

            Bug ID: 440035
           Summary: ASAN heap-buffer-overflow detected by writing of raw
                    profile in PNG export.
           Product: krita
           Version: git master (please specify the git hash!)
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: File formats
          Assignee: krita-bugs-n...@kde.org
          Reporter: griffinval...@gmail.com
  Target Milestone: ---

SUMMARY
Running Krita with ASAN, got this when trying to save a PNG.

==1726755==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6130001219f1 at pc 0x7f5eaf127a6d bp 0x7f5e75cf4dd0 sp 0x7f5e75cf4578
READ of size 370 at 0x6130001219f1 thread T184 (Thread (pooled))
    #0 0x7f5eaf127a6c  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c)
    #1 0x7f5ea9f184ab in writeRawProfile
/home/wolthera/krita/src/libs/ui/kis_png_converter.cpp:170
    #2 0x7f5ea9f3076e in KisPNGConverter::buildFile(QIODevice*, QRect const&,
double, double, KisSharedPtr<KisPaintDevice>,
QTypedArrayData<KisSharedPtr<KisAnnotation> >::iterator,
QTypedArrayData<KisSharedPtr<KisAnnotation> >::iterator, KisPNGOptions,
KisMetaData::Store*)
/home/wolthera/krita/src/libs/ui/kis_png_converter.cpp:1251
    #3 0x7f5e7b8bfb1b in KisPNGExport::convert(KisDocument*, QIODevice*,
KisPinnedSharedPtr<KisPropertiesConfiguration>)
/home/wolthera/krita/src/plugins/impex/png/kis_png_export.cc:82
    #4 0x7f5eaaaa6406 in KisImportExportManager::doExportImpl(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>)
/home/wolthera/krita/src/libs/ui/KisImportExportManager.cpp:731
    #5 0x7f5eaaaa7484 in KisImportExportManager::doExport(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool)
/home/wolthera/krita/src/libs/ui/KisImportExportManager.cpp:675
    #6 0x7f5eaaab675d in KisImportExportErrorCode
std::__invoke_impl<KisImportExportErrorCode, KisImportExportErrorCode
(KisImportExportManager::*&)(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool),
KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&,
KisPinnedSharedPtr<KisPropertiesConfiguration>&,
bool&>(std::__invoke_memfun_deref, KisImportExportErrorCode
(KisImportExportManager::*&)(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool),
KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&,
KisPinnedSharedPtr<KisPropertiesConfiguration>&, bool&)
/usr/include/c++/9/bits/invoke.h:73
    #7 0x7f5eaaab675d in std::__invoke_result<KisImportExportErrorCode
(KisImportExportManager::*&)(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool),
KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&,
KisPinnedSharedPtr<KisPropertiesConfiguration>&, bool&>::type
std::__invoke<KisImportExportErrorCode (KisImportExportManager::*&)(QString
const&, QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool),
KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&,
KisPinnedSharedPtr<KisPropertiesConfiguration>&,
bool&>(KisImportExportErrorCode (KisImportExportManager::*&)(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool),
KisImportExportManager*&, QString&, QSharedPointer<KisImportExportFilter>&,
KisPinnedSharedPtr<KisPropertiesConfiguration>&, bool&)
/usr/include/c++/9/bits/invoke.h:96
    #8 0x7f5eaaab675d in KisImportExportErrorCode
std::_Bind<KisImportExportErrorCode
(KisImportExportManager::*(KisImportExportManager*, QString,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool))(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>,
bool)>::__call<KisImportExportErrorCode, , 0ul, 1ul, 2ul, 3ul,
4ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul, 2ul, 3ul, 4ul>)
/usr/include/c++/9/functional:402
    #9 0x7f5eaaab675d in KisImportExportErrorCode
std::_Bind<KisImportExportErrorCode
(KisImportExportManager::*(KisImportExportManager*, QString,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool))(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool)>::operator()<,
KisImportExportErrorCode>() /usr/include/c++/9/functional:484
    #10 0x7f5eaaab675d in
QtConcurrent::StoredFunctorCall0<KisImportExportErrorCode,
std::_Bind<KisImportExportErrorCode
(KisImportExportManager::*(KisImportExportManager*, QString,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool))(QString const&,
QSharedPointer<KisImportExportFilter>,
KisPinnedSharedPtr<KisPropertiesConfiguration>, bool)> >::runFunctor()
/usr/include/x86_64-linux-gnu/qt5/QtConcurrent/qtconcurrentstoredfunctioncall.h:60
    #11 0x7f5eaaab675d in
QtConcurrent::RunFunctionTask<KisImportExportErrorCode>::run()
/usr/include/x86_64-linux-gnu/qt5/QtConcurrent/qtconcurrentrunbase.h:108
    #12 0x7f5ea35e7151  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xd1151)
    #13 0x7f5ea35e3d4b  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xcdd4b)
    #14 0x7f5ea30fb608 in start_thread
/build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #15 0x7f5ea3248292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x6130001219f1 is located 0 bytes to the right of 369-byte region
[0x613000121880,0x6130001219f1)
allocated by thread T184 (Thread (pooled)) here:
    #0 0x7f5eaf1cdbc8 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7f5ea2da22e1 in png_malloc
(/usr/lib/x86_64-linux-gnu/libpng16.so.16+0xc2e1)

Thread T184 (Thread (pooled)) created by T0 here:
    #0 0x7f5eaf0fa805 in pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x7f5ea35e3804 in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xcd804)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c) 
Shadow bytes around the buggy address:
  0x0c268001c2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268001c2f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268001c300: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c268001c310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c268001c320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c268001c330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
  0x0c268001c340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268001c350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268001c360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268001c370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268001c380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1726755==ABORTING
