Bug#832579: marked as done (pixman: SIGSEGV after rowstride overflow in large image)

To: Timo Aaltonen <tjaalton@debian.org>
Subject: Bug#832579: marked as done (pixman: SIGSEGV after rowstride overflow in large image)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Thu, 03 Dec 2020 13:51:06 +0000
Message-id: <[🔎] handler.832579.D838650.160700332412050.ackdone@bugs.debian.org>
Reply-to: 832579@bugs.debian.org
References: <E1kkoyR-000Fjf-Be@fasolo.debian.org> <20160727081725.3918.88587.reportbug@pcale.tana>

Your message dated Thu, 03 Dec 2020 13:48:43 +0000
with message-id <E1kkoyR-000Fjf-Be@fasolo.debian.org>
and subject line Bug#838650: fixed in pixman 0.40.0-1
has caused the Debian Bug report #838650,
regarding pixman: SIGSEGV after rowstride overflow in large image
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
838650: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838650
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pixman: SIGSEGV after rowstride overflow in large image
From: Alessandro Vesely <vesely@tana.it>
Date: Wed, 27 Jul 2016 10:17:25 +0200
Message-id: <20160727081725.3918.88587.reportbug@pcale.tana>

Source: pixman
Version: 0.32.6
Severity: normal
Tags: patch

Dear Maintainer,

the following message was being written by dbg after launching evince on a pdf
containing a heavy image:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe5f92700 (LWP 32388)]
bits_image_fetch_bilinear_affine (repeat_mode=PIXMAN_REPEAT_PAD,
format=PIXMAN_x8r8g8b8, convert_pixel=<optimized out>, mask=0x7fffe5f8a5a0,
buffer=0x7fffe5f8a3a0,
    width=<optimized out>, line=<optimized out>, offset=<optimized out>,
image=0x7fffd00c4ea0) at ../../pixman/pixman-fast-path.c:2917

In order to understand the bug severity, consider that I obtained a large image
by exporting a 600dpi bitmap of an A0 poster.  Then I converted it to pdf.  I
brought an USB key with the resulting 170MB document to the print shop down the
road and got a hard copy.  Their plotter resolves 600dpi, and although it takes
a few minutes to load the file, producing that kind of files is still the most
practical approach, in my experience.

The nature of the bug is clear from the following excerpt:

(gdb) info locals
[...]
width = 19866
height = 28087
row1 = 0x7ffe8f375618 <error: Cannot access memory at address 0x7ffe8f375618>
row2 = 0x7ffe8f388c80 <error: Cannot access memory at address 0x7ffe8f388c80>

Indeed, after applying the patch I attach, evince works well.

Ale



-- System Information:
Debian Release: 8.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- a/pixman/pixman-fast-path.c
+++ b/pixman/pixman-fast-path.c
@@ -2911,8 +2911,8 @@
 	    repeat (repeat_mode, &x2, width);
 	    repeat (repeat_mode, &y2, height);
 
-	    row1 = (uint8_t *)bits->bits + bits->rowstride * 4 * y1;
-	    row2 = (uint8_t *)bits->bits + bits->rowstride * 4 * y2;
+	    row1 = (uint8_t *)bits->bits + (long)bits->rowstride * 4L * (long)y1;
+	    row2 = (uint8_t *)bits->bits + (long)bits->rowstride * 4L * (long)y2;
 
 	    tl = convert_pixel (row1, x1) | mask;
 	    tr = convert_pixel (row1, x2) | mask;

--- End Message ---

--- Begin Message ---

To: 838650-close@bugs.debian.org
Subject: Bug#838650: fixed in pixman 0.40.0-1
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Thu, 03 Dec 2020 13:48:43 +0000
Message-id: <E1kkoyR-000Fjf-Be@fasolo.debian.org>
Reply-to: Timo Aaltonen <tjaalton@debian.org>

Source: pixman
Source-Version: 0.40.0-1
Done: Timo Aaltonen <tjaalton@debian.org>

We believe that the bug you reported is fixed in the latest version of
pixman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated pixman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 03 Dec 2020 15:28:13 +0200
Source: pixman
Architecture: source
Version: 0.40.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Closes: 832579 838650 958298
Changes:
 pixman (0.40.0-1) unstable; urgency=medium
 .
   * New upstream release. (Closes: #958298, #832579, #838650)
   * control, rules: Migrate to debhelper-compat, bump to 13.
   * symbols: Updated, bump shlibs.
Checksums-Sha1:
 a651e3aab640fc081d46129a314bbcbbefb5728b 2021 pixman_0.40.0-1.dsc
 d7baa6377b6f48e29db011c669788bb1268d08ad 913976 pixman_0.40.0.orig.tar.gz
 e1c53d5d620c794cf92c8465d751d75f0ec3150b 319428 pixman_0.40.0-1.diff.gz
 1974a5bffac33be41058c6752f81323138a473ba 7179 pixman_0.40.0-1_source.buildinfo
Checksums-Sha256:
 908752b9c69211606daa8ee92bd929d80ad5f1c4d68f87b98f4fb33e01d4e455 2021 pixman_0.40.0-1.dsc
 6d200dec3740d9ec4ec8d1180e25779c00bc749f94278c8b9021f5534db223fc 913976 pixman_0.40.0.orig.tar.gz
 66a769eee187ce84ff416752f6913ad2ac6165f3bb61696cf1b43bdef48c41ab 319428 pixman_0.40.0-1.diff.gz
 54346a0369f3ac863430a2acce43138a7e8fcc435c492ae3bb3b35159c2582d7 7179 pixman_0.40.0-1_source.buildinfo
Files:
 fb870406fdcdc9ab2945053c64bb9673 2021 devel optional pixman_0.40.0-1.dsc
 73858c0862dd9896fb5f62ae267084a4 913976 devel optional pixman_0.40.0.orig.tar.gz
 2c246aa959ac92e00f92b1403d954522 319428 devel optional pixman_0.40.0-1.diff.gz
 3d4234d25c4d62cde38507ddf328940a 7179 devel optional pixman_0.40.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAl/I6m0ACgkQy3AxZaiJ
hNzGlw/7BPmAzZfA/cOCeSSSxYn6Of1xL0IOHQeN7AREoqletdfw5zov7vFr6hgg
cJ0SHKYN63efqEW+YYyCBGVhAvwjnZFBF8R9c7jdDtJxVdW4efysGrX75Xkm1+9n
EvMyXy/hnZkMjAEhgfFk/1LTRiZADsU3gnWiTxsFdcRGP0jkZPGxLQFpjFUKFx9K
Zwi1X1Mrm8vyBcUq7snPUcF8iC23v5nfuEfHIWNBk4CUNF3QSqxDwUt3tMLQGjpw
rnT1jdjj/PV3XpcBTFrGaX8xxYiypVNM66QySQ+gihtCtQs4iS7kq2wVdEbhn88y
mAuu/gHOSTnd1BYmF0ZLgvLxmaCVodsCtV0QYJD5fs28sfOUu1c4OjdcqYjRGSH+
DEHz5AXYy6K8D3//uRM7iE94Z53kTVH0++4FQKXHFetLReLg3/KTg+SpObIflbxN
eeoTQTWTj03LR2Y+48nm6N8IAbRDOYSPrVVWcw6GVb+6/sUF8YKLYf7pFF9kVRB9
MVHyvPO9Ahn/nb7bTMtsl1WZQ9TstntuuIt9mxIhCmzsWTHv+Ik32m+iQi+oopvS
kTZzbQGklwc8HezUKcAhfQ5yeCZiE8eJIC3ZYMzEB+uoKmikxgGySUoB3vucHnO5
PSKMFJXCTAwWdCer1sWU9r8U/zCx96Vx/umPSgyQLHO31NNSyRQ=
=yemp
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

Prev by Date: Bug#838650: marked as done (pixman: rowstride integer overflow)
Next by Date: Bug#958298: marked as done (New upstream release (0.40.0))
Previous by thread: Bug#832579: marked as done (pixman: SIGSEGV after rowstride overflow in large image)
Next by thread: Bug#958298: marked as done (New upstream release (0.40.0))
Index(es):
- Date
- Thread