Bug 3704

Summary: xv crashes when viewing PNGs with iTXt comments
Product: Fedora
Reporter: Ian Collier <imc>
Component: xv
Assignee: L. Gabriel Somlo <somlo>
Status: RESOLVED FIXED
Severity: normal
CC: sergio
Priority: P5
Version: 22
Hardware: All
OS: GNU/Linux
namespace:
Attachments: sample image

Description Ian Collier 2015-07-02 16:47:01 CEST
Created attachment 1452 [details]
sample image

Attached is a PNG image saved by GIMP.  When viewing this image, xv
overruns a buffer, which leads to memory faults.

$ LD_PRELOAD=/usr/lib64/libefence.so xv blank.png
  Electric Fence 2.2.2 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
Segmentation fault (core dumped)

It looks like this is because the current PNG implementation for xv does
not know about iTXt chunks.  At about line 1146 of xvpng.c it calculates
the length needed for the buffer by adding up the _text[i].text_length
(and also key lengths) of all chunks.  However, png_get_text() is specified
to return zero for text_length if the text was an iTXt chunk:

(gdb) print _text[i]
$6 = {compression = 2, key = 0x7ffff7652fe0 "Comment", 
  text = 0x7ffff7652fea "Created with GIMP", text_length = 0, 
  itxt_length = 17, lang = 0x7ffff7652fe8 "", lang_key = 0x7ffff7652fe9 ""}

Version of xv under test: xv-3.10a.jumbopatch.20070520-20.fc22.x86_64
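
The sizing problem described in the report above, shown as an added example; it is not xv's code, not the packaged fix, and not part of the original report. It assumes a local `text_chunk` struct standing in for libpng's `png_text`, a hypothetical "key: text" line layout, and hypothetical function names; the sample chunk is constructed from the gdb output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for libpng's png_text, limited to fields in the gdb dump. */
typedef struct {
    int compression;      /* libpng: -1 tEXt, 0 zTXt, 1 or 2 iTXt */
    const char *key, *text;
    size_t text_length;   /* 0 for iTXt chunks */
    size_t itxt_length;   /* 0 for tEXt/zTXt chunks */
} text_chunk;

/* Constructed sample mirroring the values gdb printed in the report. */
static const text_chunk SAMPLE[] = {{ 2, "Comment", "Created with GIMP", 0, 17 }};

/* Payload length for any chunk type. */
static size_t payload_len(const text_chunk *t)
{
    return t->compression >= 1 ? t->itxt_length : t->text_length;
}

/* Bytes for "key: text\n" per chunk plus NUL; aware == 0 is the text_length-only sum. */
size_t needed_len(const text_chunk *t, int n, int aware)
{
    size_t len = 1;
    for (int i = 0; i < n; i++)
        len += strlen(t[i].key) + 3 + (aware ? payload_len(&t[i]) : t[i].text_length);
    return len;
}

/* Build the comment string; every write is checked against the capacity. */
char *build_comment(const text_chunk *t, int n)
{
    size_t cap = needed_len(t, n, 1), used = 0;
    char *buf = calloc(cap, 1);
    if (buf == NULL) return NULL;
    for (int i = 0; i < n; i++) {
        int w = snprintf(buf + used, cap - used, "%s: %.*s\n", t[i].key,
                         (int)payload_len(&t[i]), t[i].text);
        if (w < 0 || (size_t)w >= cap - used) { free(buf); return NULL; }
        used += (size_t)w;
    }
    return buf;
}

int main(void)
{
    printf("text_length only: %zu, iTXt-aware: %zu\n", needed_len(SAMPLE, 1, 0), needed_len(SAMPLE, 1, 1));
    return 0;
}
```

For the sample chunk the text_length-only sum is 17 bytes short of what the formatted comment needs, which is the gap an unchecked copy would overrun.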
Comment 1 L. Gabriel Somlo 2015-07-03 18:13:37 CEST
This is a dupe of the (now closed) 3141. I'm also fixing 3142, and I just discovered there is no branch for F-21 and F-22 in cvs. So, therefore:

Package CVS request
======================
Package Name: xv
Owners: somlo
Branches: F-21 F-22
----------------------
License tag: nonfree

Thanks,
--Gabriel
Comment 2 L. Gabriel Somlo 2015-07-03 18:27:22 CEST
fixed in devel, will request F-21 and F-22 builds as soon as I have branches for them in CVS.

Thanks,
--Gabriel
Comment 3 Sérgio Basto 2015-12-30 05:04:49 CET
Hi, L. Gabriel Somlo,
if you still need to update this package, please read the new temporary way to update packages on RPMFusion:

http://rpmfusion.org/Contributors_github
Comment 4 Sérgio Basto 2016-01-05 18:08:45 CET
Hi, 
(In reply to comment #2)
> fixed in devel, will request F-21 and F-22 builds as soon as I have branches
> for them in CVS.
> 
> Thanks,
> --Gabriel


xv-3.10a.jumbopatch is updated in F22 and F23 with commits of 2015-07-03 


F23:
xv xv-3.10a.jumbopatch.20070520-20.fc22.src.rpm x86_64 rpmfusion-nonfree
xv xv-3.10a.jumbopatch.20070520-23.fc23.src.rpm x86_64 rpmfusion-nonfree-updates-testing
xv-doc xv-3.10a.jumbopatch.20070520-20.fc22.src.rpm noarch rpmfusion-nonfree
xv-doc xv-3.10a.jumbopatch.20070520-23.fc23.src.rpm noarch rpmfusion-nonfree-updates-testing

F22: 
xv-3.10a.jumbopatch.20070520-20.fc22.src.rpm noarch rpmfusion-nonfree
xv-3.10a.jumbopatch.20070520-20.fc22.src.rpm x86_64 rpmfusion-nonfree
xv-3.10a.jumbopatch.20070520-23.fc22.src.rpm noarch rpmfusion-nonfree-updates
xv-3.10a.jumbopatch.20070520-23.fc22.src.rpm x86_64 rpmfusion-nonfree-updates


So I'm closing this bug report as resolved!

Thanks.