Hello,

In [1] you can find attached a corrupted GIF image that makes DirectFB
1.4.15 crash when trying to render it. The app's last words are these:

(GIFLOADER) circular table entry BIG ERROR
[snip] (There are 25k of these!)
(GIFLOADER) circular table entry BIG ERROR
(GIFLOADER) circular table entry BIG ERROR
(GIFLOADER) circular table entry BIG ERROR
(GIFLOADER) circular table entry BIG ERROR
(!) [ 2201:    0.000] --> Caught signal 11 (at 0x8119000, invalid address) <--
 (!!!)  *** WARNING [still objects in 'Window Pool'] *** [object.c:241
in fusion_object_pool_destroy()]
 (!!!)  *** WARNING [still objects in 'Layer Region Pool'] ***
[object.c:241 in fusion_object_pool_destroy()]
 (!!!)  *** WARNING [still objects in 'Layer Context Pool'] ***
[object.c:241 in fusion_object_pool_destroy()]
 (!!!)  *** WARNING [still objects in 'GraphicsState Pool'] ***
[object.c:241 in fusion_object_pool_destroy()]
 (!!!)  *** WARNING [still objects in 'Surface Pool'] ***
[object.c:241 in fusion_object_pool_destroy()]
Aborted
---

The offending code is here:

              if (code == data->table[0][code]) {
                   GIFERRORMSG("circular table entry BIG ERROR");
              }
              code = data->table[0][code];

Not being a GIF expert, I noticed GNOME wasn't crashing but
showing a pretty message, so this is the relevant code in gdk-pixbuf:

                       if (code == context->lzw_table[0][code]) {
                               g_set_error_literal (context->error,
                                                    GDK_PIXBUF_ERROR,
                                                    GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                                    _("Circular table entry in GIF file"));
                               return -2;
                       }
                       code = context->lzw_table[0][code];

Notice the "return -2" line!

I've added this return (and another one) to my DFB library and now
instead of crashing, CreateImageProvider() simply fails.
I'm posting it here because perhaps it could be interesting to someone
or could even be pushed upstream.

In any case I would *love* to know if this could break anything
and what's the rationale behind this?

I guess I could just prepare a patch and send it here for revision;
the problem is, as I already said, that there seem to be several code
paths that could make DFB crash. So I'm not sure what the *right thing to do* is:

1. Add return in a few spots, or
2. Add return to GIFERRORMSG macro or similar.

Thanks a lot,
Ezequiel.

[1] https://bugzilla.stlinux.com/show_bug.cgi?id=17983
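As an added illustration of why the "return -2" matters (this is example code, not DirectFB's or gdk-pixbuf's): a small walk over an LZW prefix table in which the circular-entry check aborts the expansion with -2 instead of carrying on. The table layout (table[0] = prefix code, table[1] = appended byte), the sample entries and the extra step bound that also stops cycles longer than one entry are all constructed here.

```c
/* Added example, not DirectFB or gdk-pixbuf code. Walks an LZW prefix chain
 * the way a GIF decoder expands a code: table[0][c] is the prefix code,
 * table[1][c] the appended byte (layout and contents are constructed). */
#include <string.h>

#define MAX_CODES 4096   /* GIF LZW codes are at most 12 bits wide */
#define ROOT_CODES 256   /* assumed 8-bit pixels: codes < 256 are literal bytes */
typedef struct { int table[2][MAX_CODES]; } lzw_table;

/* Expand `code` into out[]; returns the byte count, or -2 on a corrupt table. */
int lzw_expand(const lzw_table *t, int code, unsigned char *out, size_t out_len)
{
    unsigned char stack[MAX_CODES + 1];
    size_t depth = 0, steps = 0;

    if (code < 0 || code >= MAX_CODES) return -2;
    while (code >= ROOT_CODES) {                    /* follow prefixes to a literal */
        if (code == t->table[0][code]) return -2;   /* the check from the post */
        if (++steps > MAX_CODES) return -2;          /* added: catches longer cycles */
        int prefix = t->table[0][code];
        if (prefix < 0 || prefix >= MAX_CODES) return -2;
        stack[depth++] = (unsigned char)t->table[1][code];
        code = prefix;
    }
    stack[depth++] = (unsigned char)code;           /* literal byte ends the chain */
    if (depth > out_len) return -2;
    for (size_t i = 0; i < depth; i++)              /* chain was collected tail-first */
        out[i] = stack[depth - 1 - i];
    return (int)depth;
}

/* Constructed table: 256 = "AB", 257 = 256 + 'C', 258 = 257 + 'D'. */
static void build_table(lzw_table *t)
{
    memset(t, 0, sizeof *t);
    t->table[0][256] = 'A'; t->table[1][256] = 'B';
    t->table[0][257] = 256; t->table[1][257] = 'C';
    t->table[0][258] = 257; t->table[1][258] = 'D';
}
unsigned char g_out[8];   /* result buffer filled by demo() */

/* variant 0: well-formed table -> 4 (g_out = "ABCD"); 1: entry 257 points at
 * itself, the post's corrupt case -> -2; 2: 257 -> 258 -> 257 cycle -> -2. */
int demo(int variant)
{
    lzw_table t; build_table(&t);
    if (variant == 1) t.table[0][257] = 257;
    if (variant == 2) t.table[0][257] = 258;
    return lzw_expand(&t, 258, g_out, sizeof g_out);
}
```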
_______________________________________________
directfb-dev mailing list
directfb-dev@directfb.org
http://mail.directfb.org/cgi-bin/mailman/listinfo/directfb-dev