Bug#992871: darkplaces: Segfault when using custom texturepack

Bernhard Übelacker bernhardu at mailbox.org
Sat Sep 18 10:59:20 BST 2021


Dear Maintainer,
I tried to have a look at this crash.

For some reason libpng uses a setjmp/longjmp approach to
deliver failure in its functions.

This happens for three entries in the "Rygel's 2.7GB ultra pack".

Unfortunately gcc relies on having the pointer in variable
"imagedata" in register $r12 during the call to png_read_end.
At the beginning of the call to png_read_end this
register is stored to the stack.

But after the setjmp/longjmp "magic" the register is not restored
to the expected value of variable "imagedata".
Additionally, after the error, as far as I see, the function
qpng_setjmp/my_setjmp returns 0, therefore it is not left
and continues operating on $r12 expecting it to hold the pointer
to variable "imagedata".

I wonder why PNG_LoadImage_BGRA has a completely different
setjmp handling than PNG_SaveImage_preflipped some lines below.

The only kind of workaround I found so far is to force gcc
to compile PNG_LoadImage_BGRA without optimizing, like in
the attached patch. With this it does not crash, but I have not
further "tested" much ;-)

Kind regards,
Bernhard



(rr) bt
#0  ____longjmp_chk () at ../sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S:81
#1  0x00007fcb9d5b34ce in __longjmp_chk (env=0x55ac028b7e40, val=<optimized out>) at ../setjmp/longjmp.c:39
#2  0x00007fcb9daa0a6f in png_longjmp (png_ptr=<optimized out>, val=<optimized out>) at pngerror.c:763
#3  0x00007fcb9daa0ae5 in png_default_error (error_message=0x7fff4c34f870 "CVf\235\313\177", png_ptr=0x55ac028b7e40) at pngerror.c:754
#4  png_error (png_ptr=png_ptr at entry=0x55ac028b7e40, error_message=error_message at entry=0x7fff4c34f970 "[00][00][00][00]: invalid chunk type") at pngerror.c:88
#5  0x00007fcb9daa0b74 in png_chunk_error (png_ptr=0x55ac028b7e40, error_message=error_message at entry=0x7fcb9dac3b5a "invalid chunk type") at pngerror.c:490
#6  0x00007fcb9dab3e22 in png_check_chunk_name (png_ptr=png_ptr at entry=0x55ac028b7e40, chunk_name=<optimized out>) at pngrutil.c:3324
#7  0x00007fcb9dab3f96 in png_read_chunk_header (png_ptr=png_ptr at entry=0x55ac028b7e40) at pngrutil.c:182
#8  0x00007fcb9daa8590 in png_read_end (info_ptr=0x55ac01432ee0, png_ptr=0x55ac028b7e40) at pngread.c:874
#9  png_read_end (png_ptr=0x55ac028b7e40, info_ptr=0x55ac01432ee0) at pngread.c:846
#10 0x000055abff671821 in PNG_LoadImage_BGRA (raw=0x55ac0288c840 "\211PNG\r\n\032\n", filesize=3545, miplevel=<optimized out>) at ../../../image_png.c:524
#11 0x000055abff66d862 in loadimagepixelsbgra (filename=filename at entry=0x55ac0033fc2c <cachepics+17644> "gfx/sb_invis", complain=complain at entry=false, allowFixtrans=allowFixtrans at entry=true, convertsRGB=convertsRGB at entry=false, miplevel=miplevel at entry=0x7fff4c352448) at ../../../image.c:1092
#12 0x000055abff63379f in R_SkinFrame_LoadExternal_SkinFrame (skinframe=0x0, name=name at entry=0x55ac0033fc2c <cachepics+17644> "gfx/sb_invis", textureflags=textureflags at entry=-2147483615, complain=false, fallbacknotexture=true) at ../../../gl_rmain.c:2276
#13 0x000055abff634c36 in R_SkinFrame_LoadExternal (name=name at entry=0x55ac0033fc2c <cachepics+17644> "gfx/sb_invis", textureflags=textureflags at entry=-2147483615, complain=<optimized out>, fallbacknotexture=<optimized out>) at ../../../gl_rmain.c:2247
...
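An added illustration of the caveat behind this crash (example code written for this report, not code from darkplaces or libpng): a local that is assigned after setjmp and read again after longjmp must be declared volatile, and the setjmp return value must be checked so the error path really leaves the function instead of continuing on stale register state. The decoder_t / decoder_read_end stand-in only mimics libpng's longjmp-based error reporting, and the SAMPLE_GOOD / SAMPLE_BAD byte arrays are constructed, not real PNG files.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for libpng's error reporting: the decoder does not
   return an error code, it longjmps to a jmp_buf owned by the caller. */
typedef struct {
    jmp_buf err;
} decoder_t;

/* Mimics png_check_chunk_name: a chunk type must be four ASCII letters. */
static int chunk_type_ok(const unsigned char *name)
{
    for (int i = 0; i < 4; i++) {
        unsigned char c = name[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')))
            return 0;
    }
    return 1;
}

/* Mimics png_read_end: validates the trailing chunk and longjmps on failure,
   the same way libpng's png_error ends up in png_longjmp. */
static void decoder_read_end(decoder_t *d, const unsigned char *raw, size_t len)
{
    if (len < 12 || !chunk_type_ok(raw + len - 4))
        longjmp(d->err, 1);   /* "invalid chunk type" */
}

/* Counts error-path cleanups so a caller can verify no buffer leaks. */
int error_frees = 0;

/* Loads a (toy) image; returns a malloc'd buffer or NULL on decoder error. */
unsigned char *load_image(const unsigned char *raw, size_t len)
{
    decoder_t dec;
    /* imagedata is assigned after setjmp and read after longjmp, so it must be
       volatile (C17 7.13.2.1p3). Without the qualifier the compiler may keep it
       only in a callee-saved register, which longjmp does not restore: the
       stale-$r12 situation described in the report above. */
    unsigned char * volatile imagedata = NULL;

    if (setjmp(dec.err) != 0) {
        /* Error path: every longjmp from the decoder lands here with value 1.
           Check the return value and leave; continuing would use dead state. */
        free(imagedata);
        error_frees++;
        return NULL;
    }

    imagedata = malloc(16);
    if (imagedata == NULL)
        return NULL;
    for (int i = 0; i < 16; i++)
        imagedata[i] = (unsigned char)i;      /* pretend-decoded pixels */

    decoder_read_end(&dec, raw, len);         /* may longjmp back to the if above */
    return imagedata;
}

/* Constructed sample inputs (not real PNG files): 8-byte signature + 4-byte chunk type. */
static const unsigned char SAMPLE_GOOD[] = { 0x89,'P','N','G','\r','\n',0x1a,'\n','I','E','N','D' };
static const unsigned char SAMPLE_BAD[]  = { 0x89,'P','N','G','\r','\n',0x1a,'\n',0,0,0,0 };

/* Returns 1 when the well-formed sample loads. */
int load_good_sample(void)
{
    unsigned char *p = load_image(SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    int ok = (p != NULL);
    free(p);
    return ok;
}

/* Returns 1 when the sample with a zeroed chunk type is rejected cleanly. */
int load_bad_sample(void)
{
    unsigned char *p = load_image(SAMPLE_BAD, sizeof SAMPLE_BAD);
    int rejected = (p == NULL);
    free(p);
    return rejected;
}

int main(void)
{
    printf("good sample loaded: %d\n", load_good_sample());
    int rejected = load_bad_sample();
    printf("bad sample rejected: %d (error-path frees: %d)\n", rejected, error_frees);
    return 0;
}
```

Building PNG_LoadImage_BGRA without optimization hides the symptom because gcc then keeps imagedata on the stack; the volatile qualifier and the checked setjmp return make that behaviour a guarantee rather than a side effect of -O0.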


More information about the Pkg-games-devel mailing list