
Bug #10505

heap-buffer-overflow in dt_gradient_events_post_expose

Added by Roman Lebedev over 4 years ago. Updated over 4 years ago.

Status:
Fixed
Priority:
Medium
Category:
Masks
Target version:
-
Start date:
05/31/2015
Due date:
% Done:

100%

Estimated time:
Affected Version:
git development version
System:
all
bitness:
64-bit
hardware architecture:
amd64/x86

Description

Compile options: cd ~/darktable/build/ && rm -rf * && LDFLAGS="-fsanitize=address -fno-omit-frame-pointer" CFLAGS="-fsanitize=address -fno-omit-frame-pointer -O2 -fstack-protector-strong " CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -O2 -fstack-protector-strong " CC=gcc CXX=g++ cmake -DUSE_OPENCL=OFF ../ && make -j9 && sudo make -j9 install && darktable

Create a gradient mask, start scrolling it, and:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6220015c4608 at pc 0x7f83d7b031ea bp 0x7ffdbcf22470 sp 0x7ffdbcf22468
READ of size 4 at 0x6220015c4608 thread T0
[dev_pixelpipe] module `exposure' min: (0.000000; 0.000000; 0.000000) max: (0.361923; 0.357099; 0.357908) [preview]
[dev_pixelpipe] module `exposure' min: (-0.000000; -0.000000; -0.000000) max: (0.360868; 0.358229; 0.361072) [full]
#0 0x7f83d7b031e9 in dt_gradient_events_post_expose /home/lebedevri/darktable/src/develop/masks/gradient.c:447
#1 0x7f83d7b0af09 in dt_group_events_post_expose /home/lebedevri/darktable/src/develop/masks/group.c:238
#2 0x7f83d7b10975 in dt_masks_events_post_expose /home/lebedevri/darktable/src/develop/masks/masks.c:1289
#3 0x7f83af78993d in expose /home/lebedevri/darktable/src/views/darkroom.c:384
#4 0x7f83d7bb0fdc in dt_view_manager_expose /home/lebedevri/darktable/src/views/view.c:461
#5 0x7f83d7a27a13 in dt_control_expose /home/lebedevri/darktable/src/control/control.c:497
#6 0x7f83d7b56e17 in draw /home/lebedevri/darktable/src/gui/gtk.c:450
..
#72 0x7f83d53e1b4c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49b4c)
#73 0x7f83d53e1f1f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49f1f)
#74 0x7f83d53e2241 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a241)
#75 0x7f83d718bbf4 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ebbf4)
#76 0x7f83d7b61437 in dt_gui_gtk_run /home/lebedevri/darktable/src/gui/gtk.c:964
#77 0x400cd3 in main /home/lebedevri/darktable/src/main.c:25
#78 0x7f83d01c9b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#79 0x400bb8 (/usr/local/bin/darktable+0x400bb8)

0x6220015c4608 is located 0 bytes to the right of 5384-byte region [0x6220015c3100,0x6220015c4608)
allocated by thread T0 here:
#0 0x7f83d804c74f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5474f)
#1 0x7f83d7aeb03b in dt_gradient_get_points_border /home/lebedevri/darktable/src/develop/masks/gradient.c:717
#2 0x7f83d7b07269 in dt_masks_get_points_border /home/lebedevri/darktable/src/develop/masks/masks.c:366
#3 0x7f83d7b0775f in dt_masks_gui_form_create /home/lebedevri/darktable/src/develop/masks/masks.c:94
#4 0x7f83d7b1f8ca in dt_gradient_events_mouse_scrolled /home/lebedevri/darktable/src/develop/masks/gradient.c:107
#5 0x7f83d7b32c85 in dt_group_events_mouse_scrolled /home/lebedevri/darktable/src/develop/masks/group.c:41
#6 0x7f83d7b33006 in dt_masks_events_mouse_scrolled /home/lebedevri/darktable/src/develop/masks/masks.c:1236
#7 0x7f83af791bbd in scrolled /home/lebedevri/darktable/src/views/darkroom.c:1571
#8 0x7f83d7bb1ee7 in dt_view_manager_scrolled /home/lebedevri/darktable/src/views/view.c:623
#9 0x7f83d7b56878 in scrolled /home/lebedevri/darktable/src/gui/gtk.c:474
#10 0x7f83d718d41d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ed41d)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lebedevri/darktable/src/develop/masks/gradient.c:447 dt_gradient_events_post_expose
Shadow bytes around the buggy address:

History

#1 Updated by Ulrich Pegelow over 4 years ago

I still have gcc 4.8 installed which does not understand -fstack-protector-strong.

Could you please try the following for me?

Replace in develop/masks/gradient.c:447

if(isinf(border[count * 2])) count++;

by

if(count < border_count && isinf(border[count * 2])) count++;
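An added example (not darktable's code) that models the scan this one-line fix guards. It assumes the border is an array of (x, y) float pairs, `border_count` points long, where a point with an infinite coordinate marks a break in the outline and is skipped rather than drawn; the function and sample names are constructed for the illustration.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>

/* Advance past a break marker the way the patched gradient.c:447 does:
 * the bounds check runs first, so border[count * 2] is never touched once
 * count has reached border_count. Returns the next index to draw, or
 * border_count when the outline is exhausted. */
static int skip_break_marker(const float *border, int border_count, int count)
{
    if(count < border_count && isinf(border[count * 2])) count++;
    return count;
}

/* Walk the outline and count the points that would be drawn. Every read
 * stays inside border[0 .. 2 * border_count), even when the final point is
 * a marker, which is the case the unguarded code read past. */
static int count_drawable_points(const float *border, int border_count)
{
    int drawn = 0;
    for(int count = 0; count < border_count; count++)
    {
        count = skip_break_marker(border, border_count, count);
        if(count >= border_count) break; /* marker was the last point */
        drawn++;
    }
    return drawn;
}

/* Byte offset that the unguarded `isinf(border[count * 2])` reads once count
 * equals border_count: exactly the end of the allocation, i.e. the
 * "0 bytes to the right of the region" in the ASan report. */
static size_t overrun_offset_bytes(int border_count)
{
    return (size_t)border_count * 2 * sizeof(float);
}

/* Constructed sample: four points, the last one a break marker. */
static const float sample_border[] = { 0.f, 0.f, 1.f, 0.f, 2.f, 1.f, INFINITY, INFINITY };
#define SAMPLE_COUNT ((int)(sizeof(sample_border) / sizeof(sample_border[0]) / 2))

int main(void)
{
    printf("drawable points: %d\n", count_drawable_points(sample_border, SAMPLE_COUNT));
    /* 5384-byte region in the report = 673 points of two floats each */
    printf("unguarded read offset for 673 points: %zu bytes\n", overrun_offset_bytes(673));
    return 0;
}
```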

#2 Updated by Roman Lebedev over 4 years ago

Ulrich Pegelow wrote:

> I still have gcc 4.8 installed which does not understand -fstack-protector-strong.

That one is not really needed; it will work without it, but I keep it there just to be safe.

> Could you please try the following for me?
>
> Replace in develop/masks/gradient.c:447
>
> if(isinf(border[count * 2])) count++;
>
> by
>
> if(count < border_count && isinf(border[count * 2])) count++;

Yep, cannot reproduce with this patch applied.

#3 Updated by Ulrich Pegelow over 4 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Fixed

Fixed in master.
