Bug #11350

darktable-chart stack-buffer-overflow

Added by Roman Lebedev over 2 years ago. Updated over 2 years ago.

Status: Fixed
Priority: Low
Assignee: -
Category: General
Target version:
Start date: 12/07/2016
Due date:
% Done: 100%
Estimated time:
Affected Version: git master branch
System: Debian
bitness: 64-bit
hardware architecture: amd64/x86

Description

black_white_example.tar.xz

  1. in first tab, load raw.pfm and it8
  2. in process, set "patches with " to first option.
  3. click process
$ /opt/darktable/bin/darktable-chart 

(darktable-chart:31633): Pango-CRITICAL **: pango_layout_get_cursor_pos: assertion 'index >= 0 && index <= layout->length' failed

(darktable-chart:31633): Pango-CRITICAL **: pango_layout_get_cursor_pos: assertion 'index >= 0 && index <= layout->length' failed

(darktable-chart:31633): Pango-CRITICAL **: pango_layout_get_cursor_pos: assertion 'index >= 0 && index <= layout->length' failed

(darktable-chart:31633): Gdk-CRITICAL **: gdk_window_get_window_type: assertion 'GDK_IS_WINDOW (window)' failed
unknown keyword `PF'
error parsing CHT file, (parse_cht:482)
cht `/tmp/black_white_example/it8.cht' done
error loading IT8 file `/tmp/black_white_example/it8.cht'
error loading IT8 file `/tmp/black_white_example/it8.cht'
error loading IT8 file `/tmp/black_white_example/it8.cht'

(darktable-chart:31633): Gdk-CRITICAL **: gdk_window_get_window_type: assertion 'GDK_IS_WINDOW (window)' failed
=================================================================
==31633==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd9a19b2e8 at pc 0x556d2282ca3e bp 0x7ffd9a199f20 sp 0x7ffd9a199f18
WRITE of size 8 at 0x7ffd9a19b2e8 thread T0
    #0 0x556d2282ca3d in tonecurve_create /home/lebedevri/darktable/src/chart/tonecurve.c:33
    #1 0x556d2281b4f2 in process_data /home/lebedevri/darktable/src/chart/main.c:878
    #2 0x556d2282231a in process_button_clicked_callback /home/lebedevri/darktable/src/chart/main.c:983
    #3 0x7fb998b9e1a3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x101a3)
    #4 0x7fb998bb88bc in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8bc)
    #5 0x7fb998bb8fae in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2afae)
    #6 0x7fb99a37ac1c  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x12cc1c)
    #7 0x7fb99a37ac84  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x12cc84)
    #8 0x7fb998b9e1a3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x101a3)
    #9 0x7fb998bb88bc in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8bc)
    #10 0x7fb998bb8fae in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2afae)
    #11 0x7fb99a37907f  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x12b07f)
    #12 0x7fb98dd9c037 in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x6037)
    #13 0x7fb98dd9ba99 in ffi_call (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5a99)
    #14 0x7fb998b9ec89 in g_cclosure_marshal_generic_va (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10c89)
    #15 0x7fb998b9e1a3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x101a3)
    #16 0x7fb998bb88bc in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8bc)
    #17 0x7fb998bb8fae in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2afae)
    #18 0x7fb99a4348f0  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1e68f0)
    #19 0x7fb998ba0d26 in g_cclosure_marshal_VOID__BOXEDv (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x12d26)
    #20 0x7fb998b9e1a3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x101a3)
    #21 0x7fb998bb88bc in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8bc)
    #22 0x7fb998bb8fae in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2afae)
    #23 0x7fb99a431bbd  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1e3bbd)
    #24 0x7fb99a4331ea  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1e51ea)
    #25 0x7fb99a435e6c  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1e7e6c)
    #26 0x7fb99a40330d in gtk_event_controller_handle_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1b530d)
    #27 0x7fb99a5c7e1a  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x379e1a)
    #28 0x7fb99a47d970  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x22f970)
    #29 0x7fb998b9e1a3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x101a3)
    #30 0x7fb998bb8390 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a390)
    #31 0x7fb998bb8fae in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2afae)
    #32 0x7fb99a5ca0bb  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x37c0bb)
    #33 0x7fb99a47a92d  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x22c92d)
    #34 0x7fb99a47c9bd in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x22e9bd)
    #35 0x7fb999f8cbf4  (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x36bf4)
    #36 0x7fb999fbdba1  (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x67ba1)
    #37 0x7fb9988c07f6 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a7f6)
    #38 0x7fb9988c0a5f  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4aa5f)
    #39 0x7fb9988c0d81 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4ad81)
    #40 0x7fb99a47bb24 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x22db24)
    #41 0x556d22819dbd in main_gui /home/lebedevri/darktable/src/chart/main.c:1595
    #42 0x556d22819dbd in main /home/lebedevri/darktable/src/chart/main.c:1759
    #43 0x7fb99254e2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #44 0x556d2281a419 in _start (/opt/darktable/bin/darktable-chart+0xa419)

Address 0x7ffd9a19b2e8 is located in stack of thread T0 at offset 4936 in frame
    #0 0x556d2281b22f in process_data /home/lebedevri/darktable/src/chart/main.c:869

  This frame has 8 object(s):
    [32, 40) 'avgerr'
    [96, 104) 'maxerr'
    [160, 184) 'target'
    [224, 248) 'coeff'
    [288, 804) 'params'
    [864, 2044) 'params'
    [2080, 3280) 'cperm'
    [3328, 4936) 'tonecurve' <== Memory access at offset 4936 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/lebedevri/darktable/src/chart/tonecurve.c:33 in tonecurve_create
Shadow bytes around the buggy address:
  0x10003342b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003342b610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003342b620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003342b630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003342b640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003342b650: 00 00 00 00 00 00 00 00 00 00 00 00 00[f4]f4 f4
  0x10003342b660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003342b670: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4
  0x10003342b680: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x10003342b690: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x10003342b6a0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31633==ABORTING
darktable-chart

Associated revisions

Revision 6f62e27b (diff)
Added by Roman Lebedev over 2 years ago

dt-chart: handle tonecurve better. Fixes #11350

We already allocate two buffers for tonecurve values.
I think we can simply use these buffers rather than allocating
two more buffers, and then basically copying them point-by-point.
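The ASan report above pins the defect to a single 8-byte store that lands exactly at the upper bound of the fixed-size stack object `tonecurve` (offset 4936 of an object spanning [3328, 4936)), i.e. a copy loop that wrote one element more than the array holds, and the fix commit drops the extra stack copies in favour of the buffers that were already allocated. The C program below is an added illustration of that bug class and of the check that prevents it; it is not darktable's tonecurve.c or main.c, and every type, constant and function name in it (`curve_point_t`, `CURVE_CAPACITY`, `curve_copy_raw`, `curve_fill_checked`, `build_curve_on_stack`) is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical types and sizes for illustration; not darktable's tonecurve.c. */
typedef struct { double x, y; } curve_point_t;

/* Deliberately small so a capacity mismatch is easy to see. */
#define CURVE_CAPACITY 8

/* Number of elements of a fixed-size array declared in the current scope. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* The shape of the reported bug: a raw copy loop that trusts n. If n exceeds
 * the destination array, the first store past the end lands exactly at the
 * array's upper bound, which is the signature ASan printed in the report
 * ("Memory access at offset 4936 overflows this variable" for an object
 * spanning [3328, 4936)). Here it is only reached after the bounds check
 * in curve_fill_checked, so it can never write out of bounds. */
static void curve_copy_raw(curve_point_t *dst, const double *xs, const double *ys, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        dst[i].x = xs[i];
        dst[i].y = ys[i];
    }
}

/* Hardened entry point: the destination's capacity travels with the pointer
 * and is compared against n before any byte is written. Returns the number
 * of points stored; on failure returns 0 and sets *err (1 = null argument,
 * 2 = input does not fit). Refusing beats silent truncation: a truncated
 * curve would be numerically wrong without anyone noticing. */
size_t curve_fill_checked(curve_point_t *dst, size_t capacity,
                          const double *xs, const double *ys, size_t n, int *err)
{
    *err = 0;
    if (dst == NULL || xs == NULL || ys == NULL) { *err = 1; return 0; }
    if (n > capacity) { *err = 2; return 0; }
    curve_copy_raw(dst, xs, ys, n);
    return n;
}

/* Mirrors the frame in the report: a fixed-size curve lives on the caller's
 * stack and is filled from a point count that came from input. Returns the
 * number of points stored, or a negative error code. */
int build_curve_on_stack(size_t n)
{
    curve_point_t tonecurve[CURVE_CAPACITY];
    double xs[16], ys[16];                       /* constructed sample input */
    if (n > ARRAY_LEN(xs)) return -1;
    for (size_t i = 0; i < ARRAY_LEN(xs); i++) {
        xs[i] = (double)i / 15.0;
        ys[i] = xs[i] * xs[i];
    }
    int err = 0;
    /* Capacity is derived from the array itself, so it cannot drift from the
     * declaration the way a hand-maintained constant can. */
    size_t stored = curve_fill_checked(tonecurve, ARRAY_LEN(tonecurve), xs, ys, n, &err);
    if (err) return -err;
    /* Consume the curve so the copy is observable: sum the y values. */
    double sum = 0.0;
    for (size_t i = 0; i < stored; i++) sum += tonecurve[i].y;
    return sum >= 0.0 ? (int)stored : -99;
}

int main(void)
{
    printf("8 points: %d\n", build_curve_on_stack(8));   /* fits: 8 */
    printf("9 points: %d\n", build_curve_on_stack(9));   /* refused: -2 */
    printf("0 points: %d\n", build_curve_on_stack(0));   /* fits: 0 */
    return 0;
}
```

Compiling the same program with `-fsanitize=address` and removing the `n > capacity` check is enough to reproduce a report of the same shape as the one above, with the first bad access at the end of the `tonecurve` frame object; keeping the check turns that crash into an ordinary error return the caller can handle.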

History

#1 Updated by Roman Lebedev over 2 years ago

  • Assignee deleted (Tobias Ellinghaus)

#2 Updated by Roman Lebedev over 2 years ago

  • Target version set to 2.2.0

#3 Updated by Roman Lebedev over 2 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Fixed
