[Pkg-phototools-devel] Bug#773967: feh crashes on invalid gif image data

Jussi Judin jjudin+debian at iki.fi
Fri Dec 26 10:53:08 UTC 2014


Package: feh
Version: 2.12-1
Severity: important

Feh crashes with a segmentation fault when given an invalid gif image in
a mode that should help determine whether the image can be displayed (-U
command line argument). I did run feh on afl[1]-generated image test
sets[2] to figure out if any specific images cause problems for
feh. If you try feh with the following command line parameters on the
attached image, you should see a segmentation fault:

$ feh -U id:000293,src:000000,op:havoc,rep:4.gif
Segmentation fault

I don't know if this opens a security issue, but every segmentation
fault has a potential for it.

Here is a gdb backtrace of the segmentation fault:

(gdb) run -U id:000293,src:000000,op:havoc,rep:4.gif
Starting program: /usr/bin/feh -U id:000293,src:000000,op:havoc,rep:4.gif
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff0023d3c in load () from /usr/lib/x86_64-linux-gnu/imlib2/loaders/gif.so
(gdb) bt
#0  0x00007ffff0023d3c in load () from /usr/lib/x86_64-linux-gnu/imlib2/loaders/gif.so
#1  0x00007ffff6c7188f in ?? () from /usr/lib/x86_64-linux-gnu/libImlib2.so.1
#2  0x00007ffff6c55d3b in imlib_load_image_with_error_return () from /usr/lib/x86_64-linux-gnu/libImlib2.so.1
#3  0x0000555555561930 in ?? ()
#4  0x0000555555567925 in ?? ()
#5  0x00005555555679af in ?? ()
#6  0x000055555555afdc in ?? ()
#7  0x00007ffff68c5b45 in __libc_start_main (main=0x55555555af00, argc=3, argv=0x7fffffffdfe8, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfd8)
    at libc-start.c:287
#8  0x000055555555b035 in ?? ()

[1]: American fuzzy lop - a security-oriented fuzzer:
     http://lcamtuf.coredump.cx/afl/
[2]: Afl-generated, minimized image test sets:
     http://lcamtuf.coredump.cx/afl/demo/

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (100, 'unstable'), (99, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages feh depends on:
ii  libc6         2.19-13
ii  libcurl3      7.38.0-3
ii  libexif12     0.6.21-2
ii  libimlib2     1.4.6-2+b3
ii  libpng12-0    1.2.50-2+b2
ii  libx11-6      2:1.6.2-3
ii  libxinerama1  2:1.1.3-1+b1

Versions of packages feh recommends:
ii  libjpeg-progs  1:9a-2

feh suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: id:000293,src:000000,op:havoc,rep:4.gif
Type: image/gif
Size: 287 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-phototools-devel/attachments/20141226/c8676653/attachment.gif>
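
A corpus run of the kind the report describes, as an added example (not part of the original message and not the reporter's own script): it runs a checker command such as `feh -U` on every file in a directory and separates clean rejections from signal deaths. The function name `triage_corpus` and the output format are assumptions of this example; it relies on the shell convention that an exit status above 128 means the child was killed by signal (status - 128).

```shell
#!/bin/sh
# Added example: classify how a loader command exits on each file of a corpus.
# Usage: triage_corpus DIR CMD [ARGS...]     e.g.  triage_corpus ./gif feh -U
# Prints one line per file, "<class> <detail> <path>", where class is
#   ok      exit status 0
#   reject  exit status 1..128 (the program refused the input and exited itself)
#   crash   exit status > 128 (killed by a signal, e.g. 139 = 128 + SIGSEGV)
# Returns 0 if nothing crashed the command, 1 if at least one file did.
triage_corpus() {
    dir=$1
    shift
    crashed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and an empty glob
        rc=0
        # "|| rc=$?" keeps the loop alive even when the caller uses "set -e".
        "$@" "$f" >/dev/null 2>&1 || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "ok - $f"
        elif [ "$rc" -gt 128 ]; then
            # kill -l maps a signal number back to its name (11 -> SEGV).
            sig=$(kill -l "$((rc - 128))" 2>/dev/null || echo "$((rc - 128))")
            echo "crash SIG$sig $f"
            crashed=1
        else
            echo "reject $rc $f"
        fi
    done
    return "$crashed"
}
```

Each `crash` line names a file worth re-running under gdb, as was done for the backtrace above.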

