mirror of https://github.com/GNOME/gimp.git
2ba35e5b3d
We are trying to copy all bytes in the current row, which is the width times the number of bytes per pixel (stored in info->bytes), not width times bits per pixel. Copying too much data allows certain inputs to induce a heap-buffer overflow read, and probably also a write; see ASAN output below:

    ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000008088 at pc 0x00000052be17 bp 0x7ffd8bbe8e20 sp 0x7ffd8bbe85e8
    READ of size 16448 at 0x61d000008088 thread T0
        #0 0x52be16 in __asan_memcpy /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x5641ca in read_line /home/ahunt/git/gimp/plug-ins/common/file-tga.c:982:7
        #2 0x560218 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1147:15
        #3 0x55f526 in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:646:11
        #4 0x56519b in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17
        #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
        #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3
        #7 0x462ec4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:814:7
        #8 0x4630d9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3
        #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
        #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #11 0x7fdbd277c349 in __libc_start_main (/lib64/libc.so.6+0x24349)
        #12 0x424a39 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120

    0x61d000008088 is located 0 bytes to the right of 2056-byte region [0x61d000007880,0x61d000008088)
    allocated by thread T0 here:
        #0 0x52ca8d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
        #1 0x7fdbd37fccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13
        #2 0x56009b in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1134:10
        #3 0x55f526 in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:646:11
        #4 0x56519b in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17
        #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
        #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3
        #7 0x462ec4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:814:7
        #8 0x4630d9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3
        #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
        #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #11 0x7fdbd277c349 in __libc_start_main (/lib64/libc.so.6+0x24349)

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    ==26560==ABORTING

crash-4b13aca1db7bb795a815431b86cc20284f3aa6da
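To illustrate the bits-versus-bytes mistake the commit message describes, here is an added example (not GIMP's file-tga.c, nor its fix): a minimal TGA header parser that derives bytes per pixel from the header's pixel depth, the row length computed both ways, and a bounds-checked row copy. The struct, function names and header values are constructed; with a width of 514 at 32 bpp the correct row is 2056 bytes while the bits-based length is 16448, the same two sizes the ASan report above shows (16448 is 8 times 2056).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the row reader's bookkeeping; not GIMP's struct. */
typedef struct {
    uint16_t width;  /* image width, TGA header bytes 12-13 (little-endian) */
    uint8_t  depth;  /* pixel depth in bits, TGA header byte 16 */
    size_t   bytes;  /* bytes per pixel, what the commit message calls info->bytes */
} tga_info;

/* Parse the fields we need from an 18-byte TGA header; only the common
 * depths are accepted so that bytes per pixel is always well defined. */
int tga_parse_header(const uint8_t hdr[18], tga_info *info)
{
    info->width = (uint16_t)(hdr[12] | (hdr[13] << 8));
    info->depth = hdr[16];
    if (info->depth != 8 && info->depth != 16 && info->depth != 24 && info->depth != 32)
        return -1;
    info->bytes = info->depth / 8;
    return 0;
}

/* Buggy row length: width times BITS per pixel, 8x too long at 32 bpp. */
size_t row_len_buggy(const tga_info *info) { return (size_t)info->width * info->depth; }
/* Fixed row length: width times BYTES per pixel, as the commit does. */
size_t row_len_fixed(const tga_info *info) { return (size_t)info->width * info->bytes; }

/* Copy one row only if it fits both buffers. The ASan report is exactly the
 * case where such a check is absent and row_len overruns a 2056-byte region. */
int copy_row(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t src_size, size_t row_len)
{
    if (row_len > dst_size || row_len > src_size)
        return -1;
    memcpy(dst, src, row_len);
    return 0;
}

/* Constructed header: 514 x 1 pixels at 32 bpp, so 514 * 4 = 2056 bytes per
 * row while 514 * 32 = 16448, the two sizes that appear in the ASan report. */
static const uint8_t sample_hdr[18] = { [12] = 514 & 0xff, [13] = 514 >> 8, [14] = 1, [16] = 32 };

int main(void)
{
    tga_info info;
    uint8_t row[2056], src[2056] = { 0 };
    if (tga_parse_header(sample_hdr, &info) != 0) return 1;
    printf("buggy len %zu -> copy %d\n", row_len_buggy(&info), copy_row(row, sizeof row, src, sizeof src, row_len_buggy(&info)));
    printf("fixed len %zu -> copy %d\n", row_len_fixed(&info), copy_row(row, sizeof row, src, sizeof src, row_len_fixed(&info)));
    return 0;
}
```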
README
------------------------------
GNU Image Manipulation Program
   2.99 Development Branch
------------------------------

This is an unstable development release, an intermediate state on the way to the next stable release: GIMP 3.0. GIMP 2.99 may or may not do what you expect. Save your work early and often. If you want a stable version, please use GIMP 2.10 instead.

If you think you found a bug in this version, please make sure that it hasn't been reported earlier and that it is not just new stuff that is still being worked on and obviously not quite finished yet.

If you want to hack on GIMP, please read the file devel-docs/README.md. For detailed installation instructions, see the file INSTALL.

1. Web Resources
================

GIMP's home page is at:

    https://www.gimp.org/

Please be sure to visit this site for information, documentation, tutorials, news, etc. All things GIMP-ish are available from there.

The latest version of GIMP can be found at:

    https://www.gimp.org/downloads/

We also have a website dedicated to documentation at:

    https://docs.gimp.org/

2. Contributing
===============

GIMP source code can be found at:

    https://gitlab.gnome.org/GNOME/gimp/

Resources for contributors:

    https://developer.gimp.org/

In particular, you may want to look in the "Core Development" section. Some articles of particular interest for newcomers could be:

* Setting up your developer environment: https://developer.gimp.org/core/setup/
* GIMP Coding Style: https://developer.gimp.org/core/coding_style/
* Submit your first patch: https://developer.gimp.org/core/submit-patch/

3. Discussion Channels
======================

We have several discussion channels dedicated to GIMP user and development discussion. There is more info at:

    https://www.gimp.org/discuss.html

For the real junkies, there are IRC channels (e.g. #gimp or #gimp-user) devoted to GIMP on GIMPNet (a private free software oriented network). Many of the developers hang out there. Some of the GIMPNet servers are:

    irc.gimp.org:6667
    irc.us.gimp.org:6667
    irc.eu.gimp.org:6667

More discussion channels, such as forums, will be listed on the above "discuss" page when they are moderated by a team member. Links to archives of former discussion methods (e.g. mailing lists) are also included in that page.

4. Customizing
==============

The look of GIMP's interface can be customized like any other GTK+ app by editing files in `${XDG_CONFIG_HOME}/gtk-3.0/` (settings.ini and gtk.css in particular) or by using "themes" (ready-made customizations). Additionally, GIMP reads `${XDG_CONFIG_HOME}/GIMP/2.99/gimp.css` so you can have settings that only apply to GIMP.

You can also manually change the keybindings to any of your choice by editing: `${XDG_CONFIG_HOME}/GIMP/2.99/shortcutsrc`.

Have fun,

  Spencer Kimball
  Peter Mattis
  Federico Mena
  Manish Singh
  Sven Neumann
  Michael Natterer
  Dave Neary
  Martin Nordholts
  Jehan