View Issue Details
ID: 0002446
Project: LibNSBMP
Category: [All Projects] General
View Status: public
Last Update: 2016-11-22 22:00
Reporter: Renchen
Assigned To: Vincent Sanders
Priority: none
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows, Mac, Linux
Summary: 0002446: Crash when decoding a bmp file
Description: I have an RLE-8 encoded bmp file. When I passed that file into libnsbmp, it crashes immediately because of invalid memory access.
Steps To Reproduce: Decode that bmp file using libnsbmp.
Tags: No tags attached.
Fixed in CI build #: 0195
Reported in CI build #:
Attached Files: crash.bmp

Notes
~0001364 Chris Young (developer), 2016-03-31 11:02

Stack trace:
    bmp_decode_rle.part.0()+0x40c (section 1 @ 0x2A02B0)
    bmp_decode_rle.part.0()+0x60 (section 1 @ 0x29FF04)
    [image/bmp.c:183] nsbmp_redraw()+0x88 (section 1 @ 0x14590C)
    [content/content.c:636] content_scaled_redraw()+0x138 (section 1 @ 0xE7210)
    [amiga/bitmap.c:593] bitmap_render()+0xbc (section 1 @ 0x22A4)
    [desktop/browser_history.c:524] browser_window_history_add()+0x284 (section 1 @ 0x11DE98)
    [desktop/browser.c:1409] browser_window_callback()+0x6ec (section 1 @ 0x11A978)
    [content/hlcache.c:191] hlcache_content_callback()+0x4c (section 1 @ 0xF50D0)
    [content/content.c:772] content_set_ready()+0xf8 (section 1 @ 0xE5ED8)
    [image/bmp.c:168] nsbmp_convert()+0x148 (section 1 @ 0x145AB8)
    [content/content.c:286] content_llcache_callback()+0x210 (section 1 @ 0xE62A4)
    [content/llcache.c:3003] llcache_object_notify_users()+0x1ec (section 1 @ 0xF8678)
    [content/llcache.c:3430] llcache_catch_up_all_users()+0x5c (section 1 @ 0xF882C)
    [amiga/schedule.c:248] ami_schedule_handle()+0x16c (section 1 @ 0x3B3E0)
    [amiga/gui.c:2819] ami_get_msg()+0x4f4 (section 1 @ 0x1D6B8)
    [amiga/gui.c:5702] main()+0xea8 (section 1 @ 0x21798)
    native kernel module newlib.library.kmod+0x000020ac
    native kernel module newlib.library.kmod+0x00002d5c
    native kernel module newlib.library.kmod+0x00002ef0
    _start()+0x170 (section 1 @ 0x16C)
    native kernel module dos.library.kmod+0x00024c18
    native kernel module kernel+0x0003b648
    native kernel module kernel+0x0003b6c8
~0001384 Vincent Sanders (administrator), 2016-08-12 15:06

OK, added failing bitmap to tests.
This fails because the file header in the bitmap points to the image data appearing at offset 54 (0x36), which is the palette entries (should be 1078 (0x436)).

libnsbmp explodes when trying to interpret the palette entries as RLE8. Apparently because it runs off the front of the output block, which needs fixing.

Separately, a check that moves the data pointer after the palette if it is present.
~0001386 Vincent Sanders (administrator), 2016-08-14 12:59

Fixed in head of tree, ready for next release.

The library is now robust in the face of bad RLE data.
The library now copes with a bad file header data offset in images with palettes.

Thanks for the report.
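The two fixes the maintainer describes in the notes above (moving the data pointer past the palette when bfOffBits points inside it, and refusing RLE8 runs that would leave the output block), as an added stand-alone C example. This is illustration code written for this page, not libnsbmp's own source: the struct and function names are invented, the 4x2 RLE8 file is constructed in build_sample() to mimic the reporter's crash.bmp (a 256-entry palette present, but bfOffBits = 0x36 instead of 0x436), and the width/height cap in the header parser is an arbitrary limit for the example.

```c
/* Added example, not libnsbmp code; every name here is invented for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BMP_FILE_HDR 14
#define BMP_INFO_HDR 40
#define BI_RLE8      1
struct bmp_info {
    uint32_t raw_offset, data_offset;   /* bfOffBits as stored / moved past the palette */
    int32_t  width, height;             /* negative height means top-down */
    uint16_t bpp; uint32_t compression; size_t palette_end;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int k = 0; k < 4; k++) p[k] = (uint8_t)(v >> (8 * k)); }

/* Parse the 14-byte file header and a BITMAPINFOHEADER; returns 0 on success. */
static int bmp_parse_header(const uint8_t *buf, size_t len, struct bmp_info *bi)
{
    if (len < BMP_FILE_HDR + BMP_INFO_HDR || buf[0] != 'B' || buf[1] != 'M') return -1;
    uint32_t hdr_size = rd32(buf + 14), clr_used = rd32(buf + 46);
    if (hdr_size < BMP_INFO_HDR) return -1;
    bi->raw_offset = rd32(buf + 10); bi->width = (int32_t)rd32(buf + 18);
    bi->height = (int32_t)rd32(buf + 22); bi->bpp = rd16(buf + 28);
    bi->compression = rd32(buf + 30);
    if (bi->width <= 0 || bi->width > 65535 || bi->height == 0 ||
        bi->height < -65535 || bi->height > 65535) return -1;   /* size cap for the example */
    /* Palette follows the info header: 4 bytes per colour, 2^bpp colours when
     * biClrUsed is 0. For 8 bpp that is 14 + 40 + 256*4 = 1078 (0x436). */
    uint32_t colours = bi->bpp <= 8 ? (clr_used ? clr_used : 1u << bi->bpp) : 0;
    bi->palette_end = (size_t)BMP_FILE_HDR + hdr_size + (size_t)colours * 4;
    if (colours > 256 || bi->palette_end > len) return -1;
    /* The header fix: pixel data is never allowed to start inside the palette. */
    bi->data_offset = bi->raw_offset < bi->palette_end ? (uint32_t)bi->palette_end : bi->raw_offset;
    return bi->data_offset <= len ? 0 : -1;
}

/* Decode RLE8 from file[offset..] into out[width*height] palette indices, top row
 * first. Row and column are checked before every write, so a run, delta or stray
 * end-of-line cannot push the cursor before row 0 of the output block or past its last row. */
static int bmp_decode_rle8(const uint8_t *file, size_t len, const struct bmp_info *bi,
                           uint32_t offset, uint8_t *out)
{
    size_t w = (size_t)bi->width, h = (size_t)(bi->height < 0 ? -bi->height : bi->height);
    int topdown = bi->height < 0; size_t x = 0, y = 0, i = offset;   /* y: row in file order */
    memset(out, 0, w * h);
    while (i + 2 <= len) {
        uint8_t count = file[i], val = file[i + 1]; i += 2;
        if (count == 0 && val == 0) { x = 0; y++; continue; }     /* end of line */
        if (count == 0 && val == 1) return 0;                       /* end of bitmap */
        if (count == 0 && val == 2) {                               /* delta: dx, dy */
            if (i + 2 > len) return -1;
            x += file[i]; y += file[i + 1]; i += 2; continue;
        }
        size_t n = count ? count : val;                             /* run length or literal count */
        size_t src = count ? 0 : (n + 1) & ~(size_t)1;              /* literals are 16-bit padded */
        if (i + src > len || y >= h || x + n > w) return -1;        /* the bounds check */
        uint8_t *row = out + (topdown ? y : h - 1 - y) * w;
        if (count) memset(row + x, val, n); else memcpy(row + x, file + i, n);
        i += src; x += n;
    }
    return -1;   /* input ran out before an end-of-bitmap marker */
}

/* Constructed 4x2 8-bpp RLE8 file modelled on the report: a 256-entry palette is
 * present but bfOffBits = 54 (0x36), the first byte of the palette. */
#define SAMPLE_LEN (BMP_FILE_HDR + BMP_INFO_HDR + 256 * 4 + 10)
static void build_sample(uint8_t *f)
{
    static const uint8_t rle[10] = { 4, 5, 0, 0,   /* file row 0: 4 px of colour 5, end of line */
                                     2, 7, 2, 9,   /* file row 1: 2 px of 7, 2 px of 9 */
                                     0, 1 };       /* end of bitmap */
    memset(f, 0, SAMPLE_LEN); f[0] = 'B'; f[1] = 'M';
    wr32(f + 2, SAMPLE_LEN); wr32(f + 10, 54);                    /* the bad data offset */
    wr32(f + 14, BMP_INFO_HDR); wr32(f + 18, 4); wr32(f + 22, 2); /* 4x2, bottom-up */
    f[26] = 1; f[28] = 8; wr32(f + 30, BI_RLE8);                  /* planes, bpp, compression */
    for (int c = 0; c < 256; c++) f[54 + 4 * c] = f[55 + 4 * c] = f[56 + 4 * c] = (uint8_t)c;
    memcpy(f + 1078, rle, sizeof rle);                            /* biClrUsed = 0, so 256 colours */
}

/* Decode the sample from the header's raw offset or from the sanitised one. */
int demo(int sanitise, uint8_t out[8], uint32_t *offset_used)
{
    uint8_t file[SAMPLE_LEN]; struct bmp_info bi; build_sample(file);
    if (bmp_parse_header(file, sizeof file, &bi) != 0 || bi.compression != BI_RLE8) return -2;
    *offset_used = sanitise ? bi.data_offset : bi.raw_offset;
    return bmp_decode_rle8(file, sizeof file, &bi, *offset_used, out);
}

int main(void)
{
    uint8_t px[8]; uint32_t raw_off, off;
    int raw = demo(0, px, &raw_off), ok = demo(1, px, &off);
    printf("0x%x: %s; 0x%x: %s, pixels %u %u %u %u / %u %u %u %u\n", raw_off, raw ? "rejected" : "decoded",
           off, ok ? "rejected" : "decoded", px[0], px[1], px[2], px[3], px[4], px[5], px[6], px[7]);
    return 0;
}
```

Decoding from the raw offset reads palette entry 0 (00 00 00 00) as two end-of-line codes, which leaves the cursor on row 2 of a 2-row, bottom-up image; a decoder that computes the destination row as height - 1 - y without checking y first would then write before the start of the output block, which is one way to run off the front of it. Here the y >= h check rejects the file instead, and decoding from the sanitised offset 0x436 produces the expected two rows.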
~0001432 Vincent Sanders (administrator), 2016-11-22 22:00

This issue has been closed because it is included in the 3.6 release.

Issue History
Date Modified Username Field Change
2016-03-17 22:43 Renchen New Issue
2016-03-17 22:43 Renchen File Added: crash.bmp
2016-03-31 11:02 Chris Young Note Added: 0001364
2016-08-12 15:06 Vincent Sanders Note Added: 0001384
2016-08-12 15:06 Vincent Sanders Assigned To => Vincent Sanders
2016-08-12 15:06 Vincent Sanders Priority immediate => none
2016-08-12 15:06 Vincent Sanders Status new => confirmed
2016-08-14 12:59 Vincent Sanders Fixed in CI build # => 0195
2016-08-14 12:59 Vincent Sanders Note Added: 0001386
2016-08-14 12:59 Vincent Sanders Status confirmed => resolved
2016-08-14 12:59 Vincent Sanders Resolution open => fixed
2016-11-22 22:00 Vincent Sanders Note Added: 0001432
2016-11-22 22:00 Vincent Sanders Status resolved => closed