Bug#868177: imlib2: ARGB loader: invalid free()
On 12.01.2018 23:28, Markus Koschany wrote:
> Hello Alexander,
>
> thanks for the additional information. Debian bug #868177 will be fixed soon. Do you know whether https://bugs.debian.org/868151 is fixed as well? To me it seems that there is still no check for the return value of sscanf in loader_xpm.c.

Hi. Yes, it is still not fixed.

> By the way, how do you track bugs for imlib2 upstream?

I don't track them. imlib2 is a part of Enlightenment and there is a bug tracker (https://phab.enlightenment.org/maniphest/). But I guess that it would be best to ask the imlib2 developer Kim Woelders about this.
Bug#868177: imlib2: ARGB loader: invalid free()
On Mon, 11 Dec 2017 14:24:07 +0300 Alexander Volkov wrote:
> It was fixed by
> https://git.enlightenment.org/legacy/imlib2.git/commit/?id=d5ebec2948d93c0c47c249e1506a1a6bdbf27b68
> Please package imlib2 1.4.10 with the latest commit
> https://git.enlightenment.org/legacy/imlib2.git/commit/?id=812a691b160c94de76f4964093e7644c3ae3b9b5
> as a patch.

Hello Alexander,

thanks for the additional information. Debian bug #868177 will be fixed soon. Do you know whether https://bugs.debian.org/868151 is fixed as well? To me it seems that there is still no check for the return value of sscanf in loader_xpm.c.

By the way, how do you track bugs for imlib2 upstream?

Regards,

Markus
Bug#868177: imlib2: ARGB loader: invalid free()
It was fixed by https://git.enlightenment.org/legacy/imlib2.git/commit/?id=d5ebec2948d93c0c47c249e1506a1a6bdbf27b68

Please package imlib2 1.4.10 with the latest commit https://git.enlightenment.org/legacy/imlib2.git/commit/?id=812a691b160c94de76f4964093e7644c3ae3b9b5 as a patch.
Bug#868177: imlib2: ARGB loader: invalid free()
Package: libimlib2
Version: 1.4.8-1
Tags: security

imlib2 crashes when loading the attached file:

$ debian/tmp/usr/bin/imlib2_conv invalid-free.argb /dev/null
*** Error in `debian/tmp/usr/bin/imlib2_conv': double free or corruption (out): 0x565ff220 ***

Valgrind says it's an invalid free():

Invalid free() / delete / delete[] / realloc()
   at 0x482F438: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x5311A67: load (loader_argb.c:86)
   by 0x4860B16: imlib_save_image (api.c:4606)
   by 0x108939: main (imlib2_conv.c:76)
 Address 0x4dd4818 is 8 bytes inside a block of size 16 alloc'd
   at 0x482E27C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x5311987: load (loader_argb.c:62)
   by 0x4860B16: imlib_save_image (api.c:4606)
   by 0x108939: main (imlib2_conv.c:76)

Found using american fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libimlib2 depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-12
ii  libfreetype6     2.8-0.2
ii  libgif7          5.1.4-0.4
ii  libid3tag0       0.15.1b-12
ii  libjpeg62-turbo  1:1.5.1-2
ii  libpng16-16      1.6.30-2
ii  libtiff5         4.0.8-3
ii  libx11-6         2:1.6.4-3
ii  libxext6         2:1.3.3-1+b2
ii  zlib1g           1:1.2.8.dfsg-5

-- 
Jakub Wilk

ARGB 2 2
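As an added example, not code from imlib2 or from anyone in this thread: a constructed in-memory ARGB reader that applies the two checks the thread turns on, the sscanf return value (the open point in bug #868151) and freeing only the malloc() base pointer rather than an advanced cursor (the "8 bytes inside a block of size 16" invalid free valgrind reports above). The function name, the 16384 dimension limit and the sample input are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not imlib2's loader_argb.c: read an
 * "ARGB <w> <h>\n" header followed by w*h*4 pixel bytes from memory and
 * return a freshly malloc'd copy of the pixels, or NULL if the input is
 * malformed. The caller frees exactly the returned pointer. */
unsigned char *load_argb(const unsigned char *file, size_t len, int *w, int *h)
{
    /* The header ends at the first newline. A file that is only "ARGB 2 2",
     * like the fuzzer's attachment, has no newline and is rejected here. */
    const unsigned char *nl = memchr(file, '\n', len);
    if (!nl || (size_t)(nl - file) >= 64)
        return NULL;
    char hdr[64];
    memcpy(hdr, file, (size_t)(nl - file));
    hdr[nl - file] = '\0';

    /* Check sscanf's return value: both width and height must convert
     * (the same check the thread says loader_xpm.c still lacks). */
    if (sscanf(hdr, "ARGB %d %d", w, h) != 2)
        return NULL;
    /* 16384 is an assumed sanity limit, not a rule of the format */
    if (*w <= 0 || *h <= 0 || *w > 16384 || *h > 16384)
        return NULL;

    size_t rowbytes = (size_t)*w * 4;
    size_t need = rowbytes * (size_t)*h;
    size_t avail = len - (size_t)(nl + 1 - file);
    if (avail < need)                  /* truncated pixel data */
        return NULL;

    unsigned char *pixels = malloc(need);
    if (!pixels)
        return NULL;
    /* Copy row by row through a separate cursor. Advancing `pixels` itself
     * and passing it to free() later is exactly the "8 bytes inside a block
     * of size 16" invalid free that valgrind reports above. */
    unsigned char *cursor = pixels;
    const unsigned char *src = nl + 1;
    for (int row = 0; row < *h; row++) {
        memcpy(cursor, src, rowbytes);
        cursor += rowbytes;
        src += rowbytes;
    }
    return pixels;                     /* the malloc() result, never cursor */
}
```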