[Mono-bugs] [Bug 78181][Maj] New - string termination bug when loading gifs
bugzilla-daemon at bugzilla.ximian.com
Mon Apr 24 23:01:18 EDT 2006
Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by matt at use.net.
http://bugzilla.ximian.com/show_bug.cgi?id=78181
--- shadow/78181 2006-04-24 23:01:18.000000000 -0400
+++ shadow/78181.tmp.21138 2006-04-24 23:01:18.000000000 -0400
@@ -0,0 +1,63 @@
+Bug#: 78181
+Product: Mono: Class Libraries
+Version: 1.1
+OS: GNU/Linux [Other]
+OS Details:
+Status: NEW
+Resolution:
+Severity:
+Priority: Major
+Component: libgdiplus
+AssignedTo: peter at novonyx.com
+ReportedBy: matt at use.net
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL:
+Cc:
+Summary: string termination bug when loading gifs
+
+Description of Problem:
+
+
+Steps to reproduce the problem:
+1. run SWF unit tests under valgrind
+
+Actual Results:
+***** MonoTests.System.Windows.Forms.PictureBoxTest.PictureBoxPropertyTest
+==19034==
+==19034== Invalid read of size 1
+==19034== at 0x4A19F53: strlen (mc_replace_strmem.c:245)
+==19034== by 0xB4D0743: gdip_bitmapdata_property_add_ASCII (bitmap.c:256)
+==19034== by 0xB4FB557: gdip_load_gif_image (gifcodec.c:427)
+==19034== by 0xB4EAE64: GdipLoadImageFromFile (image.c:642)
+==19034== by 0xEA9BA2E: ???
+==19034== by 0x455C1C: mono_runtime_invoke_array (object.c:2276)
+==19034== by 0x45C180: ves_icall_InternalInvoke (icall.c:2665)
+==19034== by 0x9E80070: ???
+==19034== by 0xA301EA4: ???
+==19034== by 0xAEE4C8C: ???
+==19034== by 0xAEE4950: ???
+==19034== by 0xAEE2D60: ???
+==19034== Address 0x689C165 is 0 bytes after a block of size 21 alloc'd
+==19034== at 0x4A188CE: malloc (vg_replace_malloc.c:149)
+==19034== by 0xB4FAD21: AddExtensionBlockMono (gifcodec.c:144)
+==19034== by 0xB4FAF6E: DGifSlurpMono (gifcodec.c:230)
+==19034== by 0xB4FB003: gdip_load_gif_image (gifcodec.c:298)
+==19034== by 0xB4EAE64: GdipLoadImageFromFile (image.c:642)
+==19034== by 0xEA9BA2E: ???
+==19034== by 0x455C1C: mono_runtime_invoke_array (object.c:2276)
+==19034== by 0x45C180: ves_icall_InternalInvoke (icall.c:2665)
+==19034== by 0x9E80070: ???
+==19034== by 0xA301EA4: ???
+==19034== by 0xAEE4C8C: ???
+==19034== by 0xAEE4950: ???
+
+
+Expected Results:
+The strlen() should be replaced with something more appropriate, or the
+data should be explicitly null terminated.
+
+This appears to be happening because the strlen() is happening on data that
+hasn't been null terminated. It will read much farther past the end of the
+allocated pointer if the next byte after it doesn't happen to be 0. This
+will probably produce severe memory corruption in some memory layouts.
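Review bot: the fix should be applied where the extension-block length is still known rather than at the strlen() call site; the valgrind trace shows the block allocated in AddExtensionBlockMono (gifcodec.c:144) with "a block of size 21" and the read landing "0 bytes after" it from gdip_bitmapdata_property_add_ASCII (bitmap.c:256), which means the codec hands the property code a buffer whose length it knows but the receiver has to guess at. Of the two alternatives offered under Expected Results, allocating one extra byte in the codec and writing the terminator is the smaller change, but passing the length explicitly (and using a bounded length function in bitmap.c) removes the reliance on a trailing zero altogether and would also cover any other caller that reaches gdip_bitmapdata_property_add_ASCII with raw decoder output. The report's "Description of Problem:" and "Severity:" fields are empty; the summary of the cause now sitting under Expected Results belongs in the description, and the severity should reflect the out-of-bounds read the trace demonstrates.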