Memory corruption when opening a crafted SGI file
Note: bug reporters are expected to have verified the bug still exists either in the last stable version of GIMP or on updated development code (master branch).
Operating System: [Windows? macOS? Linux?] I tested it on Linux, but it will work on every OS.
Package: [flatpak? Installer from gimp.org? If another installer, tell us where from]
Description of the bug
In plug-ins/file-sgi/sgi-lib.c, when an SGI file is opened, the function sgiOpenFile is called:
```c
sgi_t *
sgiOpenFile(FILE *file,  /* I - File to open */
            int   mode,  /* I - Open mode (SGI_READ or SGI_WRITE) */
            int   comp,  /* I - Type of compression */
            int   bpp,   /* I - Bytes per pixel */
            int   xsize, /* I - Width of image in pixels */
            int   ysize, /* I - Height of image in pixels */
            int   zsize) /* I - Number of channels */
{
  int    i, j;     /* Looping var */
  char   name[80]; /* Name of file in image header */
  short  magic;    /* Magic number */
  sgi_t *sgip;     /* New image pointer */

  if ((sgip = calloc(sizeof(sgi_t), 1)) == NULL)
    return (NULL);

  sgip->file      = file;
  sgip->swapBytes = 0;
  ...
  sgip->comp  = getc(sgip->file);
  sgip->bpp   = getc(sgip->file);
  getshort(sgip); /* Dimensions */
  sgip->xsize = getshort(sgip);
  sgip->ysize = getshort(sgip);
  sgip->zsize = getshort(sgip);
  getlong(sgip);  /* Minimum pixel */
  getlong(sgip);  /* Maximum pixel */

  if (sgip->comp)
    {
      /*
       * This file is compressed; read the scanline tables...
       */
      fseek(sgip->file, 512, SEEK_SET);

      sgip->table    = calloc(sgip->zsize, sizeof(long *));
      sgip->table[0] = calloc(sgip->ysize * sgip->zsize, sizeof(long));
      for (i = 1; i < sgip->zsize; i ++)
        sgip->table[i] = sgip->table[0] + i * sgip->ysize;

      for (i = 0; i < sgip->zsize; i ++)
        for (j = 0; j < sgip->ysize; j ++)
          sgip->table[i][j] = getlong(sgip);
```
The short values sgip->ysize and sgip->zsize are read from the file header, so they are under user control. The call calloc(sgip->ysize * sgip->zsize, sizeof(long)) needs ysize * zsize * sizeof(long) bytes of memory. For example, with ysize=0xffff and zsize=0xffff it needs 0xffff * 0xffff * 8 bytes. On x64, an allocation of that size returns NULL, and the return value is never checked. sgip->table[i] then becomes 0 (NULL) + i * sgip->ysize, so the plug-in crashes at sgip->table[i][j] = getlong(sgip);
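A hardened form of the scanline-table allocation described above, written as an added example (not GIMP's code): it rejects non-positive dimensions, guards the ysize * zsize multiplication against overflow, applies an assumed application-level cap on table entries (SGI_MAX_TABLE_ENTRIES is a placeholder value, not a GIMP constant), and returns an error when calloc fails instead of indexing through NULL. The sgi_tables_t struct and sgi_try_dimensions helper are hypothetical names used only for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed sanity cap on scanline-table entries (ysize * zsize); not a GIMP value. */
#define SGI_MAX_TABLE_ENTRIES ((size_t) 1 << 28)

typedef struct { long **table; } sgi_tables_t;   /* table[z][y], one row per channel */

/* Hardened version of the table allocation in sgiOpenFile: validates the
 * header-controlled dimensions and stops when calloc fails. 0 = ok, -1 = error. */
int sgi_alloc_tables(sgi_tables_t *s, int ysize, int zsize)
{
  size_t rows = (size_t) ysize, planes = (size_t) zsize, entries, i;
  s->table = NULL;
  if (ysize <= 0 || zsize <= 0)          /* getshort() can return 0 or a negative */
    return -1;
  if (rows > SIZE_MAX / planes)          /* rows * planes would wrap */
    return -1;
  entries = rows * planes;
  if (entries > SGI_MAX_TABLE_ENTRIES)   /* rejects 0xffff * 0xffff from the report */
    return -1;
  if ((s->table = calloc(planes, sizeof(long *))) == NULL)
    return -1;
  if ((s->table[0] = calloc(entries, sizeof(long))) == NULL) {  /* unchecked in the report */
    free(s->table);
    s->table = NULL;
    return -1;
  }
  for (i = 1; i < planes; i++)
    s->table[i] = s->table[0] + i * rows;
  return 0;
}

void sgi_free_tables(sgi_tables_t *s)
{
  if (s->table) { free(s->table[0]); free(s->table); s->table = NULL; }
}

/* Allocates, writes the last entry of every plane (the access that crashes in
 * the report) and frees again; returns the allocation result. */
int sgi_try_dimensions(int ysize, int zsize)
{
  sgi_tables_t s;
  int rc = sgi_alloc_tables(&s, ysize, zsize);
  if (rc == 0) {
    for (int z = 0; z < zsize; z++)
      s.table[z][ysize - 1] = 0;
    sgi_free_tables(&s);
  }
  return rc;
}
```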
Reproduction
Is the bug reproducible? [Always / Randomly / Happened only once ]
Always
Reproduction steps:
- Just open the crafted SGI file.
This is the sample test.sgi:
…
Actual result:
Additional information
If you have a backtrace for a crash or a warning, paste it here.