MantisBT - LibNSBMP
View Issue Details
ID: 0002446
Project: LibNSBMP
Category: [All Projects] General
View Status: public
Date Submitted: 2016-03-17 22:43
Last Update: 2016-11-22 22:00
Reporter: Renchen
Assigned To: Vincent Sanders
Priority: none
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows, Mac, Linux
OS:
OS Version:
Fixed in CI build #: 0195
Reported in CI build #:
Summary: 0002446: Crash when decoding a bmp file
Description: I have a rle-8 encoded bmp file. When I passed that file into libnsbmp, it crashes immediately because of invalid memory access.
Steps To Reproduce: Decode that bmp file using libnsbmp.
Tags: No tags attached.
Attached Files: crash.bmp (1,684) 2016-03-17 22:43
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=424&type=bug

Notes
(0001364) Chris Young, 2016-03-31 11:02
Stack trace:
    bmp_decode_rle.part.0()+0x40c (section 1 @ 0x2A02B0)
    bmp_decode_rle.part.0()+0x60 (section 1 @ 0x29FF04)
    [image/bmp.c:183] nsbmp_redraw()+0x88 (section 1 @ 0x14590C)
    [content/content.c:636] content_scaled_redraw()+0x138 (section 1 @ 0xE7210)
    [amiga/bitmap.c:593] bitmap_render()+0xbc (section 1 @ 0x22A4)
    [desktop/browser_history.c:524] browser_window_history_add()+0x284 (section 1 @ 0x11DE98)
    [desktop/browser.c:1409] browser_window_callback()+0x6ec (section 1 @ 0x11A978)
    [content/hlcache.c:191] hlcache_content_callback()+0x4c (section 1 @ 0xF50D0)
    [content/content.c:772] content_set_ready()+0xf8 (section 1 @ 0xE5ED8)
    [image/bmp.c:168] nsbmp_convert()+0x148 (section 1 @ 0x145AB8)
    [content/content.c:286] content_llcache_callback()+0x210 (section 1 @ 0xE62A4)
    [content/llcache.c:3003] llcache_object_notify_users()+0x1ec (section 1 @ 0xF8678)
    [content/llcache.c:3430] llcache_catch_up_all_users()+0x5c (section 1 @ 0xF882C)
    [amiga/schedule.c:248] ami_schedule_handle()+0x16c (section 1 @ 0x3B3E0)
    [amiga/gui.c:2819] ami_get_msg()+0x4f4 (section 1 @ 0x1D6B8)
    [amiga/gui.c:5702] main()+0xea8 (section 1 @ 0x21798)
    native kernel module newlib.library.kmod+0x000020ac
    native kernel module newlib.library.kmod+0x00002d5c
    native kernel module newlib.library.kmod+0x00002ef0
    _start()+0x170 (section 1 @ 0x16C)
    native kernel module dos.library.kmod+0x00024c18
    native kernel module kernel+0x0003b648
    native kernel module kernel+0x0003b6c8
(0001384) Vincent Sanders, 2016-08-12 15:06
OK, added failing bitmap to tests.
This fails because the file header in the bitmap points to the image data appearing at offset 54 (0x36), which is the palette entries (should be 1078 (0x436)).

libnsbmp explodes when trying to interpret the palette entries as RLE8. Apparently because it runs off the front of the output block, which needs fixing.

Separately, a check that moves the data pointer after the palette if it is present.
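The two checks this note calls for, as an added example in C that is not libnsbmp's code: a hypothetical 8bpp decoder that clamps a bfOffBits pointing into the palette past it, and an RLE8 loop that bounds-checks every output write. Field offsets follow the standard BITMAPFILEHEADER/BITMAPINFOHEADER layout; the sample header and RLE stream are constructed, not taken from crash.bmp.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not libnsbmp code: the two checks note 0001384 calls for, written against a hypothetical 8bpp decoder. */
#define RD32(p) ((uint32_t)(p)[0] | (uint32_t)(p)[1] << 8 | (uint32_t)(p)[2] << 16 | (uint32_t)(p)[3] << 24)
/* Pixel data cannot start before file header + info header + palette; a bfOffBits that
 * points inside the palette (54 instead of 1078 for 256 entries) is clamped past it. */
uint32_t bmp_data_offset(const uint8_t *buf, size_t len) {   /* 0 = malformed header */
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t off = RD32(buf + 10), info = RD32(buf + 14), used = RD32(buf + 46);
    uint16_t bpp = (uint16_t)(buf[28] | buf[29] << 8);
    if (info < 40 || info > len || bpp == 0 || bpp > 8) return 0;  /* palettised images only */
    uint32_t entries = used ? used : 1u << bpp;
    if (entries > 256) return 0;
    uint32_t min_off = 14 + info + entries * 4;   /* first byte after the palette */
    if (min_off > len) return 0;
    return off < min_off ? min_off : off;
}
/* Bounded RLE8 decode: every write is checked against row width and image height, so
 * bad run lengths or deltas stop instead of writing outside out[]. Returns pixels written. */
size_t rle8_decode(const uint8_t *in, size_t inlen, uint8_t *out, uint32_t w, uint32_t h) {
    size_t written = 0, i = 0; uint32_t x = 0, y = 0;
    while (i + 1 < inlen && y < h) {
        uint8_t n = in[i], v = in[i + 1]; i += 2;
        if (n > 0) {                                /* encoded run: n copies of v */
            for (; n > 0 && x < w; n--) { out[y * w + x++] = v; written++; }
        } else if (v == 0) { x = 0; y++; }          /* end of line */
        else if (v == 1) { break; }                 /* end of bitmap */
        else if (v == 2) {                          /* delta: move by dx, dy */
            if (i + 1 >= inlen) break;
            x += in[i]; y += in[i + 1]; i += 2;
        } else {                                    /* absolute run of v pixels, word aligned */
            if (i + v > inlen) break;
            for (uint8_t k = 0; k < v; k++) if (x < w) { out[y * w + x++] = in[i + k]; written++; }
            i += v + (v & 1);
        }
    }
    return written;
}
/* Constructed inputs: a header claiming pixel data at offset 54, and an RLE stream whose second run (200 px) overshoots a 4-pixel-wide row. */
uint32_t demo_clamped_offset(void) {
    static uint8_t buf[1078];  /* zeroed: biClrUsed 0 => 256 palette entries */
    buf[0] = 'B'; buf[1] = 'M'; buf[10] = 54; buf[14] = 40; buf[28] = 8;
    return bmp_data_offset(buf, sizeof buf);  /* 1078 (0x436) */
}
size_t demo_rle_clipped(void) {
    static const uint8_t rle[] = { 3, 7, 0, 0, 200, 9, 0, 1 };
    static uint8_t out[4 * 2];
    return rle8_decode(rle, sizeof rle, out, 4, 2);  /* 3 + 4 = 7 */
}
```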
(0001386) Vincent Sanders, 2016-08-14 12:59
Fixed in head of tree, ready for next release.

Library is now robust in the face of bad RLE data.
Library now copes with bad file header data offset in images with palettes.

Thanks for the report.
(0001432) Vincent Sanders, 2016-11-22 22:00
This issue has been closed because it is included in the 3.6 release.

Issue History
2016-03-17 22:43 | Renchen | New Issue
2016-03-17 22:43 | Renchen | File Added: crash.bmp
2016-03-31 11:02 | Chris Young | Note Added: 0001364
2016-08-12 15:06 | Vincent Sanders | Note Added: 0001384
2016-08-12 15:06 | Vincent Sanders | Assigned To => Vincent Sanders
2016-08-12 15:06 | Vincent Sanders | Priority: immediate => none
2016-08-12 15:06 | Vincent Sanders | Status: new => confirmed
2016-08-14 12:59 | Vincent Sanders | Fixed in CI build #: => 0195
2016-08-14 12:59 | Vincent Sanders | Note Added: 0001386
2016-08-14 12:59 | Vincent Sanders | Status: confirmed => resolved
2016-08-14 12:59 | Vincent Sanders | Resolution: open => fixed
2016-11-22 22:00 | Vincent Sanders | Note Added: 0001432
2016-11-22 22:00 | Vincent Sanders | Status: resolved => closed