[Debian-astro-maintainers] Bug#914454: dcraw-9.27-1 : invalid memory write crash in canon_rmf_load_raw()

Jaeseung Choi jschoi.2022 at gmail.com
Fri Nov 23 15:43:14 GMT 2018


Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw-9.27 on the attached input file raises a crash caused by an invalid
memory write in canon_rmf_load_raw().

First, below is the GDB log that shows the crash from the dcraw-9.27 binary
downloaded with 'apt-get'.
----------------------------------------------------------------------------------------

jason at debian-amd64-stretch:~/dcraw-crashes$ gdb -q dcraw
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run crash-30_00070116
Starting program: /usr/bin/dcraw crash-30_00070116
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000055555555f4bc in ?? ()
(gdb) x/i $rip
=> 0x55555555f4bc:      mov    %si,(%r8,%rdx,2)
(gdb) info reg r8 rdx rsi
r8             0x7ffe7d583010   140731001352208
rdx            0xffffffffbccf917a       -1127247494
rsi            0xffff   65535

-------------------------------------------------------------------------------------

Since the downloaded binary did not have any symbol information, we
downloaded its code and compiled it with AddressSanitizer.
While AddressSanitizer failed to identify the root cause of the bug, it
reported an invalid memory access error in canon_rmf_load_raw(), as below.
-------------------------------------------------------------------------------------

ASAN:DEADLYSIGNAL
=================================================================
==5095==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffdf45e5af4 (pc 0x000000513322 bp 0x7fffffffda90 sp 0x7fffffffda20 T0)
    #0 0x513321 in canon_rmf_load_raw /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:1999:17
    #1 0x5bc6e6 in main /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:10150:10
    #2 0x7ffff6a3582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x4196c8 in _start (/home/jason/Chatkey/replay_box/dcraw+0x4196c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:1999:17 in canon_rmf_load_raw
==5095==ABORTING
-------------------------------------------------------------------------------------
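The GDB registers above show the faulting instruction is a 16-bit store through a base register plus a signed, negative index scaled by 2 (`mov %si,(%r8,%rdx,2)` with rdx = -1127247494), i.e. a pixel write whose computed index fell outside the raw image buffer. The following C program is an added illustration of that bug class and of the two checks a decoder can apply against it; it is not dcraw's code and does not claim to be the root cause of this report. The geometry struct, the `shift` and single-wrap rule in `decode_shifted`, the size limits in `geom_ok`, and all dimensions used are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical image geometry, standing in for header-derived dimensions. */
struct raw_geom {
    long width;   /* raw_width, taken from the untrusted file header */
    long height;  /* raw_height, taken from the untrusted file header */
};

/* Header sanity check (assumed limits). The decoder below shifts output
   columns left by `shift` and wraps once, so a width smaller than `shift`
   or a height below 1 cannot be wrapped back into range. The 65535 cap
   also keeps width*height from overflowing a long on any platform. */
static bool geom_ok(struct raw_geom g, long shift) {
    if (g.width < shift || g.height < 1) return false;
    if (g.width > 65535 || g.height > 65535) return false;
    return true;
}

/* Bounds-checked 16-bit pixel store. Rejects negative or oversized row/col
   instead of letting a signed index reach the store, which is the shape of
   the faulting instruction above (base register, signed index, scale 2). */
static bool store_pixel(uint16_t *buf, struct raw_geom g, long row, long col, uint16_t v) {
    if (row < 0 || row >= g.height || col < 0 || col >= g.width) return false;
    buf[row * g.width + col] = v;
    return true;
}

/* Assumed decoder loop (not dcraw's code): each input pixel (row, col) is
   written at an output position shifted left by `shift`, with a single
   wrap-around for negative columns. Returns the number of rejected stores;
   0 means every write landed inside the buffer. */
static long decode_shifted(uint16_t *buf, struct raw_geom g, long shift) {
    long rejected = 0;
    for (long row = 0; row < g.height; row++) {
        for (long col = 0; col < g.width; col++) {
            long orow = row, ocol = col - shift;
            if (ocol < 0) {              /* wrap once; insufficient when width < shift */
                ocol += g.width;
                if (--orow < 0) orow += g.height;
            }
            if (!store_pixel(buf, g, orow, ocol, 0xffff)) rejected++;
        }
    }
    return rejected;
}

/* Decode a constructed geometry. Returns the count of stores the checked
   accessor rejected, or -1 when check_header is set and the geometry fails
   the header check (decoding is then skipped entirely). */
static long try_decode(long width, long height, long shift, bool check_header) {
    struct raw_geom g = { width, height };
    if (check_header && !geom_ok(g, shift)) return -1;
    uint16_t *buf = calloc((size_t)(width * height), sizeof *buf);
    if (!buf) return -1;
    long rejected = decode_shifted(buf, g, shift);
    free(buf);
    return rejected;
}

int main(void) {
    /* Constructed geometries: one sane, one too narrow for the shift. */
    printf("8x4, shift 4, header check: rejected = %ld\n", try_decode(8, 4, 4, true));
    printf("2x2, shift 4, header check: result   = %ld\n", try_decode(2, 2, 4, true));
    printf("2x2, shift 4, no header check: rejected = %ld\n", try_decode(2, 2, 4, false));
    return 0;
}
```

With the narrow 2x2 geometry the header check refuses the file up front; if that check is bypassed, every one of the four wrapped column indices is still negative and the checked store turns what would be an out-of-bounds write into a counted rejection instead of a SIGSEGV.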


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default
locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc6            2.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  <none>
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded
-------------- next part --------------
A non-text attachment was scrubbed...
Name: crash-30_00070116
Type: application/octet-stream
Size: 16414 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-astro-maintainers/attachments/20181124/2bcbd000/attachment-0001.obj>