mlv_dump: Fix segfault while writing DNGs

#944 Merged at 8f3d2df
Repository: thenickdude
Branch: crop_rec_4k_mlv_snd
Repository: hudson
Branch: crop_rec_4k_mlv_snd
Author: Nicholas Sherlock
Description

Fixes this segfault which was caused by dng_pack_image_bits writing 2 bytes beyond the end of its destination buffer:

Thread 2 received signal SIGSEGV, Segmentation fault.
dng_unpack_image_bits (input_buffer=0x10a2d5000, output_buffer=0x10c000000, max_size=<optimized out>,
    bpp=14) at dng/dng.c:739
739         uint32_t uncorrected_data = *((uint32_t *)&packed_bits[bits_address]);

Valgrind output:

==17989== Invalid write of size 4
==17989==    at 0x100010313: dng_save (dng.c:772)
==17989==    by 0x10000932D: main (mlv_dump.c:3632)
==17989==  Address 0x10d11103e is 22,020,094 bytes inside a block of size 22,020,096 alloc'd
==17989==    at 0x100723A36: malloc (vg_replace_malloc.c:302)
==17989==    by 0x10000FD75: dng_init_data (dng.c:823)
==17989==    by 0x1000084C6: main (mlv_dump.c:3486)

Comments (3)

  1. bouncyball

    Yeah… I’ve been aware for some while now of this 4byte illegal write issue. It’s just how my bitpacker func works, needs extra 4bytes at the end (uses 32bit word as a working buffer and operates with 16bit raw data).

    I always use the larger buffers in mlvapp when using this packer. Forgot to correct this in mlv_dump completely.

    Thank you!

    1. Alex

      Ha, thanks for the reminder, I was wondering where that error comes from.

      I did look for PRs to crop_rec_4k yesterday, but… I think I need to sharpen my search skills (and time management, too, but that’s another story).
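
The overrun discussed in this pull request, as an added example that is not mlv_dump's code and not part of the original thread: a hypothetical packer (`pack_bits`, `store_extent`, `pack_alloc` and `PACK_SLACK` are names assumed here) that merges each sample through a 32-bit word, so its last store can end past the exact packed size unless the buffer carries 4 bytes of slack. The pixel count in `main` is constructed so that 14-bit samples exactly fill the 22,020,096-byte block from the Valgrind report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PACK_SLACK 4 /* assumed padding: one 32-bit working word */

/* Exact size of the packed image in bytes. */
size_t packed_size(size_t pixels, int bpp) { return (pixels * (size_t)bpp + 7) / 8; }

/* One past the last byte the packer stores to: every sample is merged with a
   4-byte store that starts at the byte holding the sample's first bit. */
size_t store_extent(size_t pixels, int bpp)
{
    return pixels ? ((pixels - 1) * (size_t)bpp) / 8 + 4 : 0;
}

/* Hypothetical packer (not mlv_dump's code): MSB-first, bpp <= 16, `out` must
   be zeroed. Returns 0 on success, -1 if a store would leave the buffer. */
int pack_bits(const uint16_t *in, size_t pixels, int bpp, uint8_t *out, size_t cap)
{
    if (bpp < 1 || bpp > 16 || store_extent(pixels, bpp) > cap) return -1;
    uint32_t mask = (1u << bpp) - 1;
    for (size_t i = 0; i < pixels; i++) {
        size_t bit = i * (size_t)bpp, byte = bit / 8;
        /* Read the 32-bit working word, OR the sample in, write all 4 bytes back. */
        uint32_t w = (uint32_t)out[byte] << 24 | (uint32_t)out[byte + 1] << 16 |
                     (uint32_t)out[byte + 2] << 8 | out[byte + 3];
        w |= (in[i] & mask) << (32 - bpp - (int)(bit % 8));
        out[byte] = (uint8_t)(w >> 24); out[byte + 1] = (uint8_t)(w >> 16);
        out[byte + 2] = (uint8_t)(w >> 8); out[byte + 3] = (uint8_t)w;
    }
    return 0;
}

/* Allocate-and-pack wrapper that always reserves the slack. */
uint8_t *pack_alloc(const uint16_t *in, size_t pixels, int bpp, size_t *size)
{
    *size = packed_size(pixels, bpp);
    uint8_t *out = calloc(*size + PACK_SLACK, 1);
    if (out && pack_bits(in, pixels, bpp, out, *size + PACK_SLACK) != 0) { free(out); out = NULL; }
    return out;
}

int main(void)
{
    size_t n = 12582912; /* constructed: 14-bit samples filling 22,020,096 bytes */
    printf("buffer %zu, last store ends at %zu\n", packed_size(n, 14), store_extent(n, 14));
    return 0;
}
```

Because `store_extent` never exceeds `packed_size + 4`, reserving `PACK_SLACK` bytes at allocation time covers every sample count and bit depth this packer accepts.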