Skip to content

matrixload: ensure sniff data is null-terminated #4541

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 29, 2025
Merged

matrixload: ensure sniff data is null-terminated #4541

merged 1 commit into from
May 29, 2025

Conversation

kleisauke
Copy link
Member

As required by g_strlcpy().

Details 
=================================================================
==5472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x12acb2f65b40 at pc 0x7ffa9109cdc8 bp 0x00551e3fb3d0 sp 0x00551e3fb418
READ of size 1 at 0x12acb2f65b40 thread T-1
    #0 0x7ffa9109cdc7 in g_strlcpy /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/gstrfuncs.c:1476:14
    #1 0x7ffa9185d214 in vips_foreign_load_matrix_source_is_a_source /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/matrixload.c:432:2
    #2 0x7ffa9182b30a in vips_foreign_find_load_source_sub /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:747:7
    #3 0x7ffa91d53c29 in vips_slist_map2 /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/iofuncs/util.c:118:33
    #4 0x7ffa9182b139 in vips_foreign_map /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:499:11
    #5 0x7ffa9182b139 in vips_foreign_find_load_source /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:777:46
    #6 0x7ffa38c19a24  (<unknown module>)
0x12acb2f65b40 is located 0 bytes after 128-byte region [0x12acb2f65ac0,0x12acb2f65b40)
allocated by thread T0 here:
    #0 0x7ffa904ba636 in realloc /usr/local/mxe/tmp-compiler-rt-sanitizers-x86_64-w64-mingw32.shared.all.debug/llvm-project-20.1.5.src/compiler-rt/lib/asan/asan_malloc_win.cpp:110:3
    #1 0x7ffa91063561 in g_realloc /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/gmem.c:171:16
    #2 0x7ffa90fc6f4b in g_array_maybe_expand /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/garray.c:1074:21
    #3 0x7ffa90fc7d74 in g_array_set_size /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/garray.c:766:7
    #4 0x7ffa91cd2b56 in vips_source_sniff_at_most /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/iofuncs/source.c:1354:2
    #5 0x7ffa9185d1f0 in vips_foreign_load_matrix_source_is_a_source /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/matrixload.c:430:20
    #6 0x7ffa9182b30a in vips_foreign_find_load_source_sub /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:747:7
    #7 0x7ffa91d53c29 in vips_slist_map2 /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/iofuncs/util.c:118:33
    #8 0x7ffa9182b139 in vips_foreign_map /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:499:11
    #9 0x7ffa9182b139 in vips_foreign_find_load_source /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:777:46
    #10 0x7ffa38c19a24  (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/gstrfuncs.c:1476:14 in g_strlcpy
Shadow bytes around the buggy address:
  0x12acb2f65880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x12acb2f65900: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x12acb2f65980: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x12acb2f65a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x12acb2f65a80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x12acb2f65b00: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x12acb2f65b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x12acb2f65c00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x12acb2f65c80: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x12acb2f65d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x12acb2f65d80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5472==ABORTING
=================================================================
==5472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x12acb2f65b40 at pc 0x7ffa9109cdc8 bp 0x00551e3fb3d0 sp 0x00551e3fb418
READ of size 1 at 0x12acb2f65b40 thread T-1
    #0 0x7ffa9109cdc7 in g_strlcpy /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/gstrfuncs.c:1476:14
    #1 0x7ffa9185d214 in vips_foreign_load_matrix_source_is_a_source /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/matrixload.c:432:2
    #2 0x7ffa9182b30a in vips_foreign_find_load_source_sub /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:747:7
    #3 0x7ffa91d53c29 in vips_slist_map2 /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/iofuncs/util.c:118:33
    #4 0x7ffa9182b139 in vips_foreign_map /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:499:11
    #5 0x7ffa9182b139 in vips_foreign_find_load_source /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:777:46
    #6 0x7ffa38c19a24  (<unknown module>)
0x12acb2f65b40 is located 0 bytes after 128-byte region [0x12acb2f65ac0,0x12acb2f65b40)
allocated by thread T0 here:
    #0 0x7ffa904ba636 in realloc /usr/local/mxe/tmp-compiler-rt-sanitizers-x86_64-w64-mingw32.shared.all.debug/llvm-project-20.1.5.src/compiler-rt/lib/asan/asan_malloc_win.cpp:110:3
    #1 0x7ffa91063561 in g_realloc /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/gmem.c:171:16
    #2 0x7ffa90fc6f4b in g_array_maybe_expand /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/garray.c:1074:21
    #3 0x7ffa90fc7d74 in g_array_set_size /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/garray.c:766:7
    #4 0x7ffa91cd2b56 in vips_source_sniff_at_most /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/iofuncs/source.c:1354:2
    #5 0x7ffa9185d1f0 in vips_foreign_load_matrix_source_is_a_source /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/matrixload.c:430:20
    #6 0x7ffa9182b30a in vips_foreign_find_load_source_sub /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:747:7
    #7 0x7ffa91d53c29 in vips_slist_map2 /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/iofuncs/util.c:118:33
    #8 0x7ffa9182b139 in vips_foreign_map /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:499:11
    #9 0x7ffa9182b139 in vips_foreign_find_load_source /var/tmp/tmp-vips-all-x86_64-w64-mingw32.shared.all.debug/libvips-libvips-8f95205.build_/../libvips-libvips-8f95205/libvips/foreign/foreign.c:777:46
    #10 0x7ffa38c19a24  (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/tmp-glib-x86_64-w64-mingw32.shared.all.debug/glib-2.85.0.build_/../glib-2.85.0/glib/gstrfuncs.c:1476:14 in g_strlcpy
Shadow bytes around the buggy address:
  0x12acb2f65880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x12acb2f65900: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x12acb2f65980: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x12acb2f65a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x12acb2f65a80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x12acb2f65b00: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x12acb2f65b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x12acb2f65c00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x12acb2f65c80: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x12acb2f65d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x12acb2f65d80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5472==ABORTING

This issue was detected by AddressSanitizer on Windows but not on Linux, likely due to differences in how strlcpy() is handled. On Windows, strlcpy() is not available and is emulated by GLib:

Checking for function "strlcpy" : NO

Whereas on Linux, strlcpy() is available (since glibc 2.38), but ASan likely lacks an interceptor for it (issue llvm/llvm-project#114377 could be related here).

@jcupitt jcupitt merged commit 6fb70fa into libvips:master May 29, 2025
6 checks passed
@jcupitt
Copy link
Member

jcupitt commented May 29, 2025

Yes I guess this could trigger used-before-set. Good catch.

@kleisauke kleisauke deleted the ensure-sniff-null-terminated branch May 29, 2025 19:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kleisauke @jcupitt