Classification
Title: crashers in rgbimg
Type: crash
Stage:
Components: Extension Modules
Versions: Python 2.5
Process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: Arfrever, haypo, loewis, thoger
Priority: normal
Keywords:

Created on 2010-05-10 21:24 by brett.cannon, last changed 2011-06-01 06:22 by terry.reedy. This issue is now closed.

Files
File name            Uploaded                    Description
rgbimg-issue8678.tgz thoger, 2010-10-29 17:58    Test cases
Messages (8)
msg105467 - Author: Brett Cannon (brett.cannon) * (Python committer) Date: 2010-05-10 21:23
Red Hat found some crashers in the rgbimg module along with a proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=541698 . Since the patch was sent to the PSRT privately before the bugs were announced, it should be fine to take the patch from the page and apply it.
msg105469 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-05-10 21:44
As a security fix, it probably applies to 2.5 and 2.6 as well.
msg105485 - Author: Tomas Hoger (thoger) Date: 2010-05-11 07:11
According to PEP-0004, the affected module was deprecated in 2.5 and is no longer part of 2.6 and later.  Hence 2.5 only; not sure if that version is still actively supported upstream.
msg105532 - Author: Brett Cannon (brett.cannon) * (Python committer) Date: 2010-05-11 18:21
Because it's a crasher it could still be patched if someone chose to do the work.
msg105619 - Author: STINNER Victor (haypo) * (Python committer) Date: 2010-05-13 00:59
See also #7673 (other crashers).
msg105624 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-05-13 07:13
haypo: what's the relationship?
msg115536 - Author: STINNER Victor (haypo) * (Python committer) Date: 2010-09-03 23:02
I am able to reproduce the crash with z > 4:

import struct
import rgbimg

# Write a 12-byte SGI header: (magic, type (rle, bpp), dim, x, y, z)
open('image', 'wb').write(struct.pack('>hhhhhh', 0732, 1, 1, 1, 1, 10))
rgbimg.longimagedata('image')

--

But not the "xsize = ysize = 0x8000" integer overflow. longimagedata() begins by checking that xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow:

        tablen = xsize * ysize * zsize * sizeof(Py_Int32);
        if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
                PyErr_NoMemory();
                goto finally;
        }

If xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow, there is no reason that xsize * ysize * sizeof(Py_Int32) does overflow.

--

I am too tired to check the two RLE bugs.
msg119920 - Author: Tomas Hoger (thoger) Date: 2010-10-29 17:58
You seem to be right that r65878 should block the "xsize = ysize = 0x8000" integer overflow.  I was testing on the Python version with r60793, but not with r65878.  Note that the check added in r65878 should still cause a crash on divide-by-zero for some files.

Attaching my test files. 1 is for excessive ZSIZE, 2 and 3 for the integer overflow, RLE and non-RLE code path, 4 and 5 for RLE decoding issues.  6 should trigger SIGFPE in the r65878 check as noted above, but I've not really tested that one.
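The header checks discussed in msg115536 and msg119920, as an added C example that is not the rgbimg module's code: it parses the 12-byte header the reproducer writes and computes the table length while rejecting zsize > 4, zero dimensions and products that do not fit in an int, without ever dividing by a header-controlled value. The names rgb_header, rgb_tablen, RGB_TABLEN_MAX and the sample bytes kHeaderZ10 are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the 12-byte big-endian SGI .rgb header that
 * msg115536 builds with struct.pack('>hhhhhh', ...): magic, storage/bpc,
 * dim, xsize, ysize, zsize. Not the rgbimg module's own types. */
typedef struct {
    uint16_t magic, type, dim, xsize, ysize, zsize;
} rgb_header;

/* longimagedata() keeps the table length in a C int, so cap it there. */
#define RGB_TABLEN_MAX INT32_MAX

/* Constructed sample: the header bytes the msg115536 reproducer writes
 * (magic 0732 = 0x01DA, type 1, dim 1, x 1, y 1, z 10). */
static const unsigned char kHeaderZ10[12] =
    {0x01, 0xDA, 0, 1, 0, 1, 0, 1, 0, 1, 0, 10};

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the header; returns 0 when fewer than 12 bytes are available. */
int rgb_parse_header(const unsigned char *buf, size_t len, rgb_header *h)
{
    if (len < 12) return 0;
    h->magic = be16(buf);     h->type  = be16(buf + 2);
    h->dim   = be16(buf + 4); h->xsize = be16(buf + 6);
    h->ysize = be16(buf + 8); h->zsize = be16(buf + 10);
    return 1;
}

/* Return xsize*ysize*zsize*sizeof(Py_Int32), or -1 to reject the file.
 * Unlike the r65878 check quoted in msg115536, nothing here divides by a
 * header field, so ysize == 0 or zsize == 0 cannot trigger SIGFPE (the case
 * msg119920 notes); zsize > 4 and products that do not fit in an int
 * (xsize = ysize = 0x8000) are rejected before any allocation. */
int64_t rgb_tablen(const rgb_header *h)
{
    uint64_t n;
    if (h->magic != 0732) return -1;               /* SGI magic, octal 732 */
    if (h->xsize == 0 || h->ysize == 0 || h->zsize == 0) return -1;
    if (h->zsize > 4) return -1;
    /* three 16-bit factors times 4 always fit in 64 bits: widen, then compare */
    n = (uint64_t)h->xsize * h->ysize * h->zsize * sizeof(int32_t);
    return n > (uint64_t)RGB_TABLEN_MAX ? -1 : (int64_t)n;
}

int64_t rgb_tablen_from_bytes(const unsigned char *buf, size_t len)
{
    rgb_header h;
    return rgb_parse_header(buf, len, &h) ? rgb_tablen(&h) : -1;
}
```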
History
Date                 User          Action  Args
2011-06-01 06:22:43  terry.reedy   set     status: open -> closed; resolution: out of date
2010-10-29 19:17:41  brett.cannon  set     nosy: - brett.cannon
2010-10-29 17:58:54  thoger        set     files: + rgbimg-issue8678.tgz; messages: + msg119920
2010-09-03 23:02:11  haypo         set     messages: + msg115536
2010-09-03 22:03:04  Arfrever      set     nosy: + Arfrever
2010-05-13 07:13:57  loewis        set     messages: + msg105624
2010-05-13 00:59:52  haypo         set     nosy: + haypo; messages: + msg105619
2010-05-11 18:21:51  brett.cannon  set     messages: + msg105532; components: + Extension Modules
2010-05-11 07:11:31  thoger        set     nosy: + thoger; messages: + msg105485; versions: - Python 2.6, Python 2.7
2010-05-10 21:44:19  loewis        set     nosy: + loewis; messages: + msg105469; versions: + Python 2.6, Python 2.5
2010-05-10 21:24:00  brett.cannon  create