[Mono-bugs] [Bug 78181][Maj] New - string termination bug when loading gifs

bugzilla-daemon at bugzilla.ximian.com
Mon Apr 24 23:01:18 EDT 2006


Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by matt at use.net.

http://bugzilla.ximian.com/show_bug.cgi?id=78181

--- shadow/78181	2006-04-24 23:01:18.000000000 -0400
+++ shadow/78181.tmp.21138	2006-04-24 23:01:18.000000000 -0400
@@ -0,0 +1,63 @@
+Bug#: 78181
+Product: Mono: Class Libraries
+Version: 1.1
+OS: GNU/Linux [Other]
+OS Details: 
+Status: NEW   
+Resolution: 
+Severity: 
+Priority: Major
+Component: libgdiplus
+AssignedTo: peter at novonyx.com                            
+ReportedBy: matt at use.net               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: string termination bug when loading gifs
+
+Description of Problem:
+
+
+Steps to reproduce the problem:
+1. run SWF unit tests under valgrind
+
+Actual Results:
+***** MonoTests.System.Windows.Forms.PictureBoxTest.PictureBoxPropertyTest
+==19034== 
+==19034== Invalid read of size 1
+==19034==    at 0x4A19F53: strlen (mc_replace_strmem.c:245)
+==19034==    by 0xB4D0743: gdip_bitmapdata_property_add_ASCII (bitmap.c:256)
+==19034==    by 0xB4FB557: gdip_load_gif_image (gifcodec.c:427)
+==19034==    by 0xB4EAE64: GdipLoadImageFromFile (image.c:642)
+==19034==    by 0xEA9BA2E: ???
+==19034==    by 0x455C1C: mono_runtime_invoke_array (object.c:2276)
+==19034==    by 0x45C180: ves_icall_InternalInvoke (icall.c:2665)
+==19034==    by 0x9E80070: ???
+==19034==    by 0xA301EA4: ???
+==19034==    by 0xAEE4C8C: ???
+==19034==    by 0xAEE4950: ???
+==19034==    by 0xAEE2D60: ???
+==19034==  Address 0x689C165 is 0 bytes after a block of size 21 alloc'd
+==19034==    at 0x4A188CE: malloc (vg_replace_malloc.c:149)
+==19034==    by 0xB4FAD21: AddExtensionBlockMono (gifcodec.c:144)
+==19034==    by 0xB4FAF6E: DGifSlurpMono (gifcodec.c:230)
+==19034==    by 0xB4FB003: gdip_load_gif_image (gifcodec.c:298)
+==19034==    by 0xB4EAE64: GdipLoadImageFromFile (image.c:642)
+==19034==    by 0xEA9BA2E: ???
+==19034==    by 0x455C1C: mono_runtime_invoke_array (object.c:2276)
+==19034==    by 0x45C180: ves_icall_InternalInvoke (icall.c:2665)
+==19034==    by 0x9E80070: ???
+==19034==    by 0xA301EA4: ???
+==19034==    by 0xAEE4C8C: ???
+==19034==    by 0xAEE4950: ???
+
+
+Expected Results:
+The strlen() should be replaced with something more appropriate, or the
+data should be explicitly null terminated.
+
+This appears to be happening because the strlen() is happening on data that
+hasn't been null terminated. It will read much farther past the end of the
+allocated pointer if the next byte after it doesn't happen to be 0. This
+will probably produce severe memory corruption in some memory layouts.
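Review bot: the proposed fix "the data should be explicitly null terminated" is only safe if the allocation in AddExtensionBlockMono (gifcodec.c:144) is also grown by one byte before the terminator is written; the second valgrind trace shows the faulting address is "0 bytes after a block of size 21", so the block holds exactly the extension payload and writing a NUL into it at the current size would turn the out-of-bounds read into an out-of-bounds write. The alternative named in the report, replacing strlen() in gdip_bitmapdata_property_add_ASCII (bitmap.c:256) with "something more appropriate", means passing the extension block's byte count down from gdip_load_gif_image (gifcodec.c:427) and copying exactly that many bytes, which avoids depending on a terminator the GIF data never carried. Either way, the report's reasoning that the overread continues "much farther past the end of the allocated pointer if the next byte after it doesn't happen to be 0" matches the trace and is worth confirming with a GIF whose comment or extension block is followed by non-zero heap data. For triage: the Severity field is blank while Priority is Major, and attaching the image loaded by PictureBoxPropertyTest would let the issue be reproduced outside the SWF unit tests.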

