Crash in decoding RLE4 bitmaps in intfgraphics.pas

Original Reporter info from Mantis: BugTrack

• Reporter name: Andre Scholberg

Description:

I get a SIGSEGV exception when loading certain images in:
intfgraphics.pas, line 4990. package LCLBase.

The error occurs both in my own app and in the otherwise excellent image viewer example application (imgview).

I am loading playing cards in a card game. Some load OK, many do not.

This freezes attempts to convert my D7 app to Lazarus.

Steps to reproduce:

Compile and run the image viewer application.
Try opening the bitmaps of playing cards in the attached zip file:
H02.bmp, C04.bmp do not load and produce the error.
D13.bmp is loaded correctly (no error).

Additional information:

The bug was reported in the Graphics forum. One answer was:

Quote
Had a bit of the same problem a few years ago.
I changed my images to PNG and everything was
working again, so i never looked at the problem ?
Maybe it was just lucky
Unquote.

Mantis conversion info:

• Mantis ID: 25366
• OS: Windows
• OS Build: 7
• Build: 1.0.14
• Platform: 64 bits
• Version: 1.0.10
• Fixed in version: 1.3 (SVN)
• Fixed in revision: r43497 (#29108eb5)
• Monitored by: » BugTrack (Andre Scholberg), » BigChimp (Reinier Olislagers), » @flyingsheep (Bart Broersma)
• Target version: 1.2.0RC2

assigned to @mweustink

added CategoryLCL TargetVersion1.2.0RC2 Version1.0.10 labels

changed milestone to %Version 1.4

Converted from Mantis. Note by Reinier Olislagers

• Mantis submitter username: BigChimp
• Mantis submitter real name: Reinier Olislagers

---

"Compile and run the image viewer application." assuming he means $(lazarusdir)\examples\imgviewer

Tried on FPC trunk x86, Laz trunk, Win, opening the directory; SIGSEGV at 5239, in this line:
LineBuf[idx+1] := LineBuf[idx+1] shl 4;

#0 DORLE4(0x218f284) at intfgraphics.pas:5239
#1 TLAZREADERDIB__READSCANLINE(88, <error reading variable>) at intfgraphics.pas:5297
#2 TLAZREADERDIB__INTERNALREADBODY(<error reading variable>) at intfgraphics.pas:5895
#3 TLAZREADERDIB__INTERNALREAD(0x22cf860, 0x232e9a0, <error reading variable>) at intfgraphics.pas:5593
#4 FPIMAGE$_$TFPCUSTOMIMAGEREADER_$__$$_IMAGEREAD$TSTREAM$TFPCUSTOMIMAGE$$TFPCUSTOMIMAGE at :0
#5 TFPIMAGEBITMAP__READSTREAM(0x22cf860, 1822, <error reading variable>) at .\include\fpimagebitmap.inc:141
#6 TRASTERIMAGE__LOADFROMSTREAM(0x22e66d0, 1822, <error reading variable>) at .\include\rasterimage.inc:441
#7 TBITMAP__LOADFROMSTREAM(0x22e66d0, 1822, <error reading variable>) at .\include\bitmap.inc:147
#8 TRASTERIMAGE__LOADFROMSTREAM(0x22e66d0, <error reading variable>) at .\include\rasterimage.inc:417
#9 TPICTURE__LOADFROMSTREAMWITHCLASS(0x22e66d0, <incomplete type>, <error reading variable>) at .\include\picture.inc:771
#10 TPICTURE__LOADFROMSTREAMWITHFILEEXT(0x22e66d0, 0x22d2dcc '&'#215, <error reading variable>) at .\include\picture.inc:652
#11 TPICTURE__LOADFROMFILE(0x22deefc 'C'#165#196'6'#247#5#199'E'#196'3'#3'B'#230'&'#215, <error reading variable>) at .\include\picture.inc:518
#12 TMAINFORM__SHOWFILE(0, <error reading variable>) at frmmain.pas:180
#13 TMAINFORM__ADDFILE(0x22beeec 'D:\Cop\t\C04.bmp', true, <error reading variable>) at frmmain.pas:159
#14 TMAINFORM__ADDDIR(0x22cf72c 'C'#165#196'6'#247#5#199'E'#192#6'p', false, <error reading variable>) at frmmain.pas:243
#15 TMAINFORM__AOPENDIREXECUTE(0x2375260, <error reading variable>) at frmmain.pas:220
#16 CLASSES$_$TBASICACTION_$__$$_EXECUTE$$BOOLEAN at :0
#17 TCONTAINEDACTION__EXECUTE(<error reading variable>) at .\include\containedaction.inc:98
#18 TCUSTOMACTION__EXECUTE(<error reading variable>) at .\include\customaction.inc:246
#19 CLASSES$_$TBASICACTIONLINK_$__$$_EXECUTE$TCOMPONENT$$BOOLEAN at :0
#20 TMENUITEM__CLICK(<error reading variable>) at .\include\menuitem.inc:87
#21 TMENUITEM__DOCLICKED(void, <error reading variable>) at .\include\menuitem.inc:282
#22 SYSTEM$_$TOBJECT_$__$$_DISPATCH$formal at :0
#23 VMT_$MENUS_$$_TMENU at :0
#24 ?? at :0
#25 ?? at :0
#26 ?? at :0
#27 CUSTOMFORMWNDPROC(10749032, 273, 3, 0) at .\win32\win32wsforms.pp:395
#28 USER32!OffsetRect at :0
#29 ?? at :0
#30 USER32!IsWindow at :0
#31 ADJUSTFORMBOUNDS at .\win32\win32wsforms.pp:316
#32 USER32!AnyPopup at :0
#33 ?? at :0

Converted from Mantis. Note by Bart Broersma @flyingsheep

• Mantis submitter username: Bart @flyingsheep
• Mantis submitter real name: Bart Broersma

---

Lazarus 1.3 r43475 FPC 2.6.2 i386-win32-win32/win64 32-bit fpc on Win7-64

Only D13.bmp opens.
Attempts to open any of the other bmp's freezes the $(lazarusdir)\examples\imgviewer application and Windows will kill it.

Running it in gdb and trying to open "C04.bmp" gives:

C:\devel\lazarus\examples\imgviewer>gdb imgviewer
GNU gdb (GDB) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later &LtPos;http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "mingw32".
For bug reporting instructions, please see:
&LtPos;http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from C:\devel\lazarus\examples\imgviewer/imgviewer.exe...done.
(gdb) run
Starting program: C:\devel\lazarus\examples\imgviewer/imgviewer.exe
[New Thread 1072.0x15d8] //Press Ctrl+O to open file
[New Thread 1072.0x1380]
[New Thread 1072.0xe9c]
[New Thread 1072.0xb2c]
[New Thread 1072.0x1298]
[New Thread 1072.0x150c]
[New Thread 1072.0xfb4]
[New Thread 1072.0xbcc]
[New Thread 1072.0x4a0]
[New Thread 1072.0xe14]
[New Thread 1072.0x13a8]
[New Thread 1072.0x1694]
[New Thread 1072.0x16a8]
[New Thread 1072.0x780]
[New Thread 1072.0x117c]
[New Thread 1072.0x2e0]
[New Thread 1072.0xd58]
[New Thread 1072.0x944]
[New Thread 1072.0x171c]
[New Thread 1072.0xd4c]
[New Thread 1072.0x1388]
BFD: C:\Windows\SysWOW64\WMVCORE.DLL: Warning: Ignoring section flag IMAGE_SCN_M
EM_NOT_PAGED in section .reloc
//At this point the Windows OpenDialog has appeared

[New Thread 1072.0xbf0] //click on a file in the Open dialog
[New Thread 1072.0x15dc]

//Now I have selected the file and clicked OK

Program received signal SIGSEGV, Segmentation fault.
0x0045e6a6 in DORLE4 (parentfp=0x219f360) at intfgraphics.pas:5239
5239                  LineBuf[idx+1] := LineBuf[idx+1] shl 4;
(gdb) bt
#0  0x0045e6a6 in DORLE4 (parentfp=0x219f360) at intfgraphics.pas:5239
#1  0x0045e395 in TLAZREADERDIB__READSCANLINE (ROW=88,
    this=<error reading variable>) at intfgraphics.pas:5297
#2  0x0045ff63 in TLAZREADERDIB__INTERNALREADBODY (
    this=<error reading variable>) at intfgraphics.pas:5895
#3  0x0045f5b8 in TLAZREADERDIB__INTERNALREAD (STREAM=0x23507d0,
    IMG=0x23be760, this=<error reading variable>) at intfgraphics.pas:5593
#4  0x0044f561 in FPIMAGE_TFPCUSTOMIMAGEREADER_$__IMAGEREAD$TSTREAM$TFPCUSTOMIMA
GE$$TFPCUSTOMIMAGE ()
#5  0x0049e665 in TFPIMAGEBITMAP__READSTREAM (ASTREAM=0x23507d0, ASIZE=1822,
    this=<error reading variable>) at ./include/fpimagebitmap.inc:141
#6  0x0048ee6e in TRASTERIMAGE__LOADFROMSTREAM (ASTREAM=0x240aaa0,
    ASIZE=1822, this=<error reading variable>)
    at ./include/rasterimage.inc:441
#7  0x0049ec8f in TBITMAP__LOADFROMSTREAM (ASTREAM=0x240aaa0, ASIZE=1822,
    this=<error reading variable>) at ./include/bitmap.inc:147
#8  0x0048ed83 in TRASTERIMAGE__LOADFROMSTREAM (ASTREAM=0x240aaa0,
    this=<error reading variable>) at ./include/rasterimage.inc:417
#9  0x0048d4dc in TPICTURE__LOADFROMSTREAMWITHCLASS (STREAM=0x240aaa0,
    ACLASS=<incomplete type>, this=<error reading variable>)
    at ./include/picture.inc:771
#10 0x0048d039 in TPICTURE__LOADFROMSTREAMWITHFILEEXT (STREAM=0x240aaa0,
    FILEEXT=0x2353ad8 'bmp', this=<error reading variable>)
    at ./include/picture.inc:652
#11 0x0048cf5a in TPICTURE__LOADFROMFILE (
    FILENAME=0x23ebcb8 '3¥ÅW6W''5Ä&'#23'''EÅ'#6#150'7GW&W5Ä3'#3'Bæ&×',
    this=<error reading variable>) at ./include/picture.inc:518
#12 0x00427fa7 in TMAINFORM__SHOWFILE (INDEX=0, this=<error reading variable>)
    at frmmain.pas:180
#13 0x00427e09 in TMAINFORM__ADDFILE (
    FILENAME=0x23ebc08 '3¥ÅW6W''5Ä&'#23'''EÅ'#6#150'7GW&W5Ä3'#3'Bæ&×',
    SHOWFILE=true, this=<error reading variable>) at frmmain.pas:159
#14 0x00427cd1 in TMAINFORM__AOPENEXECUTE (SENDER=0x23e24f8,
    this=<error reading variable>) at frmmain.pas:146
#15 0x004383e2 in CLASSES_TBASICACTION_$__EXECUTE$$BOOLEAN ()
#16 0x0052df49 in TCONTAINEDACTION__EXECUTE (this=<error reading variable>)
    at ./include/containedaction.inc:98
#17 0x0052f6de in TCUSTOMACTION__EXECUTE (this=<error reading variable>)
    at ./include/customaction.inc:246
#18 0x00438146 in CLASSES_TBASICACTIONLINK_$__EXECUTE$TCOMPONENT$$BOOLEAN ()
#19 0x00527eae in TMENUITEM__CLICK (this=<error reading variable>)
    at ./include/menuitem.inc:87
#20 0x00527b47 in HANDLEITEM (ITEM=0x2412c18, parentfp=0x219f8e0)
    at ./include/menu.inc:247
#21 0x00527ae5 in TMENU__ISSHORTCUT (MESSAGE=...,
    this=<error reading variable>) at ./include/menu.inc:266
#22 0x0041df73 in TCUSTOMFORM__ISSHORTCUT (MESSAGE=...,
    this=<error reading variable>) at ./include/customform.inc:2473
#23 0x00502259 in ISSHORTCUT (parentfp=0x219f940)
    at ./include/wincontrol.inc:5646
#24 0x005021b6 in TWINCONTROL__DOKEYDOWNBEFOREINTERFACE (MESSAGE=...,
    ISRECURSECALL=false, this=<error reading variable>)
    at ./include/wincontrol.inc:5709
#25 0x005045f9 in TWINCONTROL__CNKEYDOWN (MESSAGE=...,
    this=<error reading variable>) at ./include/wincontrol.inc:7007
#26 0x0040b0b6 in SYSTEM_TOBJECT_$__DISPATCH$formal ()
#27 0x005045e0 in RAISELOOP (parentfp=0x219fbf4)
    at ./include/wincontrol.inc:6917
#28 0x0050185e in TWINCONTROL__WNDPROC (MESSAGE=...,
    this=<error reading variable>) at ./include/wincontrol.inc:5327
#29 0x00550395 in DELIVERMESSAGE (TARGET=0x23826f8, AMESSAGE=void)
    at lclmessageglue.pas:112
#30 0x004d60b3 in WINDOWPROC (WINDOW=1311390, MSG=256, WPARAM=79,
    LPARAM=1572865) at ./win32/win32callback.inc:2497
#31 0x00548aa8 in LISTBOXWINDOWPROC (WINDOW=1311390, MSG=256, WPARAM=79,
    LPARAM=1572865) at ./win32/win32wsstdctrls.pp:598
#32 0x773462fa in USER32!OffsetRect () from C:\Windows\syswow64\user32.dll
#33 0x0014029e in ?? ()
#34 0x77346d3a in USER32!IsWindow () from C:\Windows\syswow64\user32.dll
#35 0x005489e0 in TWIN32WSCUSTOMGROUPBOX__SETBIDIMODE (AWINCONTROL=0x0,
    USERIGHTTOLEFTALIGN=true (145), USERIGHTTOLEFTREADING=true (224),
    USERIGHTTOLEFTSCROLLBAR=false, pvmt=0x773aa61e)
    at ./win32/win32wsstdctrls.pp:560
#36 0x773477c4 in USER32!AnyPopup () from C:\Windows\syswow64\user32.dll
#37 0x00000000 in ?? ()
(gdb)

Converted from Mantis. Note by Bart Broersma @flyingsheep

• Mantis submitter username: Bart @flyingsheep
• Mantis submitter real name: Bart Broersma

---

Reinier beat me to it (with different fpc...)

Converted from Mantis. Note by Bart Broersma @flyingsheep

• Mantis submitter username: Bart @flyingsheep
• Mantis submitter real name: Bart Broersma

---

The offending lines in intfgraphics.pas

          if NeedShift
          then begin
            TheStream.Read(LineBuf[idx+1], d[1]);
            while d[1] > 0 do
            begin
              LineBuf[idx] := (LineBuf[idx] and $F0) or (LineBuf[idx+1] shr 4);
              LineBuf[idx+1] := LineBuf[idx+1] shl 4;
              Inc(idx);
            end;
          end

The while loop seems to be an infinite loop, since the value of d[1] never gets altered?

Converted from Mantis. Note by Andre Scholberg

• Mantis submitter username: BugTrack
• Mantis submitter real name: Andre Scholberg

---

I have tried loading the playing cards after converting them from .bmp to .png.
the images do load correctly in imgview, which uses a TPicture.LoadFromFile call.

However, this does not solve the problem.

TPicture.LoadFromFile supports the .jpg format as well as .bmp and .png, and a similar problem occurs. For example, in the attached test_jpg.zip, welcome.jpg is loaded correctly, and andre.jpg crashes the app.

There may be .png files out there that create a similar problem, which must be deeper than a format issue.

HTH

Converted from Mantis. Note by Reinier Olislagers

• Mantis submitter username: BigChimp
• Mantis submitter real name: Reinier Olislagers

---

No, sorry, this doesn't help. We're talking about a bug with bmp handling, not other formats. Please post other discussion on the forum thread.

Please open a new bug report for the jpg issue, thanks - you cannot know if the cause is the same even if the symptoms are similar.
Edit: please check if the Lazarus jpg code supports the compression you use in that faulty jpg. There are multiple ways to encode jpgs and I strongly suspect not all of them are supported.

Converted from Mantis. Note by Reinier Olislagers

• Mantis submitter username: BigChimp
• Mantis submitter real name: Reinier Olislagers

---

Note: are you SURE you haven't just renamed a bmp to Andre.jpg? That file starts with BM, which is probably a marker for BMP, not with hex FF F8 which is the magic number for jpg...

Converted from Mantis. Note by Bart Broersma @flyingsheep

• Mantis submitter username: Bart @flyingsheep
• Mantis submitter real name: Bart Broersma

---

Updated summary.

Converted from Mantis. Note by Reinier Olislagers

• Mantis submitter username: BigChimp
• Mantis submitter real name: Reinier Olislagers

---

@(0071551): yes, perhaps throw in a 
            while d[1] > 0 do
            begin
              LineBuf[idx] := (LineBuf[idx] and $F0) or (LineBuf[idx+1] shr 4);
              LineBuf[idx+1] := LineBuf[idx+1] shl 4;
              Inc(idx);
              Dec(d[1]); //just added this after line 5240? without knowing what I'm doing... :(
Note that the bug happens in a different line for me with FPC trunk.

Leaving this for the experts to have a look at.

Converted from Mantis. Note by Bart Broersma @flyingsheep

• Mantis submitter username: Bart @flyingsheep
• Mantis submitter real name: Bart Broersma

---

Maybe Marc can comment on it (according to svn he did that part AFAICS)

@reinier: just decrementing d[1] upsets HeapTrc:
Marked memory at $0030BE80 invalid
Wrong signature $47B39235 instead of 7CAD2D36

Converted from Mantis. Note by Andre Scholberg

• Mantis submitter username: BugTrack
• Mantis submitter real name: Andre Scholberg

---

Quote: are you SURE you haven't just renamed a bmp to Andre.jpg?

I have converted all the playing cards from .bmp to .jpg.
Imgview does load all the jpg images correctly.

As regards Andre.jpg, yes, it is a bitmap.
You are right, I must have made an error when converting, or renamed bmp to jpg.

I apologize for the error and the inconvenience.

Converted from Mantis. Note by Reinier Olislagers

• Mantis submitter username: BigChimp
• Mantis submitter real name: Reinier Olislagers

---

Marc kindly fixed the issue in revision 43496. Snapshots that contain this revision or builds from SVN should now work.

Confirmed with Laz trunk r43496, fpc trunk, windows.

@andre Scholberg: please test and mark the issue as resolved if ok. Thanks.

@laz devs: seems like a good candidate for backporting to 1.2?

Converted from Mantis. Note by Marc Weustink @mweustink

• Mantis submitter username: Marc @mweustink
• Mantis submitter real name: Marc Weustink

---

It is actually fixed in r43497, there was still a possible overflow

closed

locked this issue

Attached files:

• test_jpg.zip (Size: 34864 bytes, user: BugTrack (Andre Scholberg), date: 2013-11-25)
• TestCards.zip (Size: 6407 bytes, user: BugTrack (Andre Scholberg), date: 2013-11-24)