dvipng crash in stringrgb function

Ahzo
Hi,

When dvipng is given an invalid foreground color, it crashes:
$ dvipng -fg
This is dvipng 1.15 Copyright 2002-2015 Jan-Ake Larsson
Segmentation fault (core dumped)

A possible fix is to make sure tmp is not NULL, when trying to access tmp->name:
--- a/color.c
+++ b/color.c
@@ -355,7 +355,7 @@ void stringrgb(const char* color,int *r,int *g,int *b)
         tmp=tmp->next;
       }
     }
-    if (strcmp(color,tmp->name)==0) {
+    if (tmp!=NULL && strcmp(color,tmp->name)==0) {
       /* Found: one-level recursion */
       DEBUG_PRINT(DEBUG_COLOR,("\n    ---RECURSION--- "))
       stringrgb(tmp->color,r,g,b);
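
Review bot: with the tmp!=NULL guard on the changed if, an unknown colour name now skips the recursion silently, and nothing visible in this hunk assigns *r, *g, *b or reports the bad name in that case. Consider an else branch that warns that the colour is unknown and sets the outputs to a defined default, so callers do not continue with whatever values those ints already held. The strcmp(color,tmp->name) call also still dereferences color; since the reproducer passes -fg with no value, it is worth confirming that color cannot be NULL on entry.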

Best,
Ahzo

_______________________________________________
Dvipng mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/dvipng

Re: dvipng crash in stringrgb function

Jan-Åke Larsson-2

Thanks, this will be in the next version.

/JÅ

On 2019-06-27 20:25, Ahzo wrote:
--
Jan-Åke Larsson
Professor, Head of Department


Linköping University
Department of Electrical Engineering
SE-581 83 Linköping
Phone: +46 (0)13-28 14 68
Mobile: +46 (0)13-28 14 68
Visiting address: Campus Valla, House B, Entr 27, 3A:482
Please visit us at www.liu.se


Re: dvipng crash in stringrgb function

Jan-Åke Larsson-2

Actually, the test should be

   if (tmp!=NULL) {

Thanks again

/JÅ


On 2019-06-27 22:13, Jan-Åke Larsson wrote:

Re: dvipng crash in stringrgb function

Ahzo
Hi,

Thanks for your quick reply!

Unfortunately, when I tried to build from current git HEAD, autoreconf failed:
$ autoreconf
/usr/bin/m4:acinclude.m4:295: ERROR: end of file in string
autom4te: /usr/bin/m4 failed with exit status: 1
aclocal: error: echo failed with exit status: 1
autoreconf: aclocal failed with exit status: 1

It seems commit 980ba1d broke acinclude.m4. Restoring it to the previous state lets autoreconf succeed again.
Thus I can confirm that the stringrgb crash is now fixed.

However, I found another crash:
$ dvipng -pp- -
This is dvipng 1.15 Copyright 2002-2015 Jan-Ake Larsson

Usage: dvipng [OPTION]... FILENAME[.dvi]
[...]
   # = number   f = file   s = string  * = suffix, '0' to turn off
       c = comma-separated dimension pair (e.g., 3.2in,-32.1cm)

Segmentation fault


This can be avoided by validating the dvi pointer, before trying to access it:
--- a/draw.c
+++ b/draw.c
@@ -313,11 +313,12 @@ static void DrawPage(dviunits hoffset, dviunits voffset)

void DrawPages(void)
{
-  struct page_list *dvi_pos;
+  struct page_list *dvi_pos = NULL;
   pixels x_width,y_width,x_offset,y_offset;
   int pagecounter=(option_flags & DVI_PAGENUM)?0:10;

-  dvi_pos=NextPPage(dvi,NULL);
+  if (dvi!=NULL)
+    dvi_pos=NextPPage(dvi,NULL);
   if (dvi_pos!=NULL) {
     while(dvi_pos!=NULL) {
       SeekPage(dvi,dvi_pos);
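
Review bot: the if (dvi!=NULL) guard added in DrawPages makes a NULL dvi look the same as a document with no pages, so the failure is swallowed without any message. An early "if (dvi==NULL) return;" at the top of the function (with a warning), or a check at the point where dvi is set up, would make the condition explicit; it would also remove the need for the "= NULL" initialiser and for the unbraced if whose body sits directly above the following if (dvi_pos!=NULL).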

Best,
Ahzo



Re: dvipng crash in stringrgb function

Jan-Åke Larsson-2

Thanks again. I'd rather do the test earlier in the code.

What is your name, so I can add you to the Credits?

/JÅ

On 2019-06-28 23:34, Ahzo wrote:

Re: dvipng crash in stringrgb function

Ahzo
Hi,

Thanks for fixing the second crash, as well.

There's a third (and probably last) issue I've found with dvipng's handling of command-line parameters.
The problem can be reproduced as follows:
$ dvipng - --gamma 0.5
This is dvipng 1.15 Copyright 2002-2015 Jan-Ake Larsson
Segmentation fault

This is caused by a wrong format identifier for printf, using %s instead of %f for gamma, which is a double. The fix is simply:
--- a/misc.c
+++ b/misc.c
@@ -351,7 +351,7 @@ bool DecodeArgs(int argc, char ** argv)
            gamma=DEFAULT_GAMMA;
          }
          Gamma(gamma);
-         Message(PARSE_STDIN,"Gamma value is %s\n", gamma);
+         Message(PARSE_STDIN,"Gamma value is %f\n", gamma);
          break;
#ifdef HAVE_GDIMAGEGIF
        } else if (strncmp(p,"if",2)==0) { /* --gif output */
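
Review bot: the %s to %f change in the Message(PARSE_STDIN,...) call is correct, but nothing in this hunk stops the same mismatch from recurring in another Message call. The call shape here puts the format string second and the variadic arguments third onward, so if Message is a function, declaring it with a printf-style format attribute (GCC and Clang: __attribute__((format(printf, 2, 3)))) would let -Wformat flag a double passed for %s at compile time. It may also be worth printing gamma with %g or a fixed precision, since plain %f always prints six decimals.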

If you want to give credit, mentioning Ahzo is sufficient.

Best,
Ahzo
