This bug was fixed in the package libgdiplus - 2.11+git20131008.9732566-5ubuntu1
---------------
libgdiplus (2.11+git20131008.9732566-5ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - ppc64el support:
      + Build using dh-autoreconf
      + Build for ppc64el
      + Link tests with -lm

libgdiplus (2.11+git20131008.9732566-5) unstable; urgency=low

  * [5e251c5] Ensure PNG transparency values are initialized.
    Thanks to Tom Hindle (LP: #1296786) (Closes: #741980)

 -- Christopher James Halse Rogers <r...@ubuntu.com>  Wed, 02 Apr 2014 11:03:42 +1100

** Changed in: libgdiplus (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1296786

Title:
  Use of Uninitialized variable, when loading certain png files.

Status in “libgdiplus” package in Ubuntu:
  Fix Released

Bug description:
  PNG details that cause this crash:

  Find Dictionary.png...
  Image Width: 16 Image Length: 16
  Bitdepth (Bits/Sample): 8
  Channels (Samples/Pixel): 1
  Pixel depth (Pixel Depth): 8
  Colour Type (Photometric Interpretation): PALETTED COLOUR with alpha (256 colours, 1 transparent)
  Image filter: Single row per byte filter
  Interlacing: No interlacing
  Compression Scheme: Deflate method 8, 32k window
  Resolution: 2834, 2834 (pixels per meter)
  FillOrder: msb-to-lsb
  Byte Order: Network (Big Endian)
  Number of text strings: 0 of 0

  Problem code is:
  File: pngcode.c
  Function: gdip_load_png_image_from_file_or_stream
  Problem: use of a call to png_get_tRNS without checking the return value.

  For this png the return value is 0 (fail), and this causes use of the
  uninitialized variables trans_color and num_trans.

  This causes a seg fault if trans_color or num_trans happen to be
  certain values.

  I will attach a minimal test case that can be built using mono.

  I will also attach a suggested patch that checks the return value of
  png_get_tRNS and doesn't attempt to use uninitialized variables.
  StackTrace looks like this:

    at <unknown> <0xffffffff>
    at (wrapper managed-to-native) System.Drawing.GDIPlus.GdipLoadImageFromDelegate_linux (System.Drawing.GDIPlus/StreamGetHeaderDelegate,System.Drawing.GDIPlus/StreamGetBytesDelegate,System.Drawing.GDIPlus/StreamPutBytesDelegate,System.Drawing.GDIPlus/StreamSeekDelegate,System.Drawing.GDIPlus/StreamCloseDelegate,System.Drawing.GDIPlus/StreamSizeDelegate,intptr&) <0xffffffff>
    at System.Drawing.Image.InitFromStream (System.IO.Stream) <0x001b3>
    at System.Drawing.Image..ctor (System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext) <0x0010f>
    at System.Drawing.Bitmap..ctor (System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext) <0x0002f>
    at (wrapper runtime-invoke) <Module>.runtime_invoke_void__this___object_StreamingContext (object,intptr,intptr,intptr) <0xffffffff>
    at <unknown> <0xffffffff>
    at (wrapper managed-to-native) System.Reflection.MonoCMethod.InternalInvoke (System.Reflection.MonoCMethod,object,object[],System.Exception&) <0xffffffff>
    at System.Reflection.MonoCMethod.InternalInvoke (object,object[]) <0x0003f>
    at System.Reflection.MonoCMethod.DoInvoke (object,System.Reflection.BindingFlags,System.Reflection.Binder,object[],System.Globalization.CultureInfo) <0x00103>
    at System.Reflection.MonoCMethod.Invoke (object,System.Reflection.BindingFlags,System.Reflection.Binder,object[],System.Globalization.CultureInfo) <0x00083>
    at System.Reflection.MethodBase.Invoke (object,object[]) <0x00032>
    at System.Runtime.Serialization.ObjectRecord.LoadData (System.Runtime.Serialization.ObjectManager,System.Runtime.Serialization.ISurrogateSelector,System.Runtime.Serialization.StreamingContext) <0x002ff>
    at System.Runtime.Serialization.ObjectManager.DoFixups () <0x0015f>
    at System.Runtime.Serialization.Formatters.Binary.ObjectReader.ReadNextObject (System.IO.BinaryReader) <0x00051>
    at System.Runtime.Serialization.Formatters.Binary.ObjectReader.ReadObjectGraph (System.Runtime.Serialization.Formatters.Binary.BinaryElement,System.IO.BinaryReader,bool,object&,System.Runtime.Remoting.Messaging.Header[]&) <0x0010b>
    at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.NoCheckDeserialize (System.IO.Stream,System.Runtime.Remoting.Messaging.HeaderHandler) <0x00143>
    at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize (System.IO.Stream) <0x0001f>
    at System.Resources.ResourceReader.ReadNonPredefinedValue (System.Type) <0x0003f>
    at System.Resources.ResourceReader.ReadValueVer2 (int) <0x00443>
    at System.Resources.ResourceReader.LoadResourceValues (System.Resources.ResourceReader/ResourceCacheItem[]) <0x0021f>
    at System.Resources.ResourceReader/ResourceEnumerator.FillCache () <0x0009b>
    at System.Resources.ResourceReader/ResourceEnumerator..ctor (System.Resources.ResourceReader) <0x00053>
    at System.Resources.ResourceReader.GetEnumerator () <0x00033>
    at System.Resources.ResourceSet.ReadResources () <0x0008d>
    at System.Resources.ResourceSet.GetObjectInternal (string,bool) <0x0006b>
    at System.Resources.ResourceSet.GetObject (string,bool) <0x00027>
    at System.Resources.RuntimeResourceSet.GetObject (string,bool) <0x00033>
    at System.Resources.ResourceManager.GetObject (string,System.Globalization.CultureInfo) <0x000a1>
    at PngTest.MainClass.Main (string[]) <0x0007c>
    at (wrapper runtime-invoke) <Module>.runtime_invoke_void_object (object,intptr,intptr,intptr) <0xffffffff>
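
The defect class described in the report, shown as an added example (it is not libgdiplus code and not the patch attached to the bug). `lookup_trns`, `struct image_info` and `build_palette_alpha` are hypothetical names; `lookup_trns` is assumed to behave like the png_get_tRNS call in the report, returning 0 and leaving its output arguments unwritten when it fails.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PALETTE_MAX 256

/* Constructed stand-in for decoder state; not a libpng structure. */
struct image_info {
    int has_trns;            /* non-zero when a transparency table exists */
    const uint8_t *trns;     /* per-palette-entry alpha values */
    int trns_len;            /* number of entries in trns */
};

/* Hypothetical lookup with the contract the report describes: on failure it
 * returns 0 and does NOT write to its output arguments. */
static unsigned lookup_trns(const struct image_info *info,
                            const uint8_t **trans_alpha, int *num_trans)
{
    if (info == NULL || !info->has_trns)
        return 0;            /* outputs deliberately left untouched */
    *trans_alpha = info->trns;
    *num_trans = info->trns_len;
    return 1;
}

/* Fill alpha[0..PALETTE_MAX) for a paletted image. Returns how many entries
 * came from the transparency table (0 when there is none). */
int build_palette_alpha(const struct image_info *info,
                        uint8_t alpha[PALETTE_MAX])
{
    /* Initialise the outputs so a failed lookup can never expose whatever
     * happened to be on the stack. */
    const uint8_t *trans_alpha = NULL;
    int num_trans = 0;

    memset(alpha, 0xFF, PALETTE_MAX);    /* default: every entry opaque */

    /* Check the return value; on failure keep the opaque defaults. */
    if (lookup_trns(info, &trans_alpha, &num_trans) == 0)
        return 0;
    /* The values derive from file data: validate before using them. */
    if (trans_alpha == NULL || num_trans <= 0)
        return 0;
    if (num_trans > PALETTE_MAX)
        num_trans = PALETTE_MAX;

    memcpy(alpha, trans_alpha, (size_t)num_trans);
    return num_trans;
}
```

Without the initialisers and the return-value check, the `memcpy` length and source pointer would be indeterminate stack contents whenever the lookup fails, which matches the intermittent seg fault the report describes.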