Wireshark-bugs: [Wireshark-bugs] [Bug 10223] New: gif dissector crashes after proto_tree_add_sub
Date: Tue, 24 Jun 2014 17:14:29 +0000
Bug ID 10223
Summary gif dissector crashes after proto_tree_add_subtree conversion
Classification Unclassified
Product Wireshark
Version Git
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Capture file support (libwiretap)
Assignee bugzilla-admin@wireshark.org
Reporter peter@lekensteyn.nl

Created attachment 12848 [details]
gif capture that triggers a crash

Build Information:
TShark 1.99.0 (v1.99.0-rc1-579-ga3a61f2 from unknown)

Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.40.0, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, without SMI, without c-ares, without ADNS,
with Lua 5.2, with GnuTLS 3.3.4, with Gcrypt 1.6.1, without Kerberos, without
GeoIP.

Running on Linux 3.15.0-rc8-custom-00058-gd2cfd31, with locale en_US.UTF-8, with libpcap version 1.5.3, with libz 1.2.8, with GnuTLS 3.3.4, with Gcrypt 1.6.1.
Intel(R) Core(TM) i5 CPU       M 460  @ 2.53GHz (with SSE4.2)

Built using gcc 4.9.0 20140604 (prerelease).
--
Reverting f5e2b4293d420fe8438075ebc8db76ac5f8b9747 makes the capture work
again.

gdb backtrace below:

  6 0.000361000 18:35:05.466575000    127.0.0.1 45492 127.0.0.1    191 1 GET /GifSample.gif HTTP/1.1

Program received signal SIGSEGV, Segmentation fault.
0x00007fffee2d6ab0 in proto_item_append_text (pi=0x7ffff7ffad00,
format=0x7fffefeef180 " (%u bit%s per color) (%u bit%s per pixel)") at
epan/proto.c:4473
4473            if (!PROTO_ITEM_IS_HIDDEN(pi)) {
(gdb) p *pi
$1 = {first_child = 0x7ffff7ffe3e8, last_child = 0x0, next = 0x0, parent = 0x0,
finfo = 0x4, tree_data = 0x7ffff7ffad00}
(gdb) info locals
fi = 0x4
curlen = 140736962916176
ap = {{gp_offset = 3995857471, fp_offset = 32767, overflow_arg_area =
0x7fffffffad10, reg_save_area = 0x7fffffffacc0}}
(gdb) up
#1  0x00007fffee40a477 in dissect_gif (tvb=0x61d0000e5a80,
pinfo=0x6150000bb118, tree=0x619000108230, data="" at
epan/dissectors/file-gif.c:542
542                     proto_item_append_text(ti2,
(gdb) info locals
subtree2 = 0x7fffe0ae6f50
ti2 = 0x7ffff7ffad00
item_len = 11
ti = 0x7fffe0ae6f50
gif_tree = 0x7fffe0ae6f50
subtree = 0x7fffe0ae6f50
offset = 798
len = 0
peek = 0 '\000'
color_map_present = 0
color_resolution = 1 '\001'
image_bpp = 1 '\001'
tvb_len = 970
str = 0x7fffe08e4b20 "GIF89a"
version = 137 '\211'
(gdb) bt
#0  0x00007fffee2d6ab0 in proto_item_append_text (pi=0x7ffff7ffad00,
format=0x7fffefeef180 " (%u bit%s per color) (%u bit%s per pixel)") at
epan/proto.c:4473
#1  0x00007fffee40a477 in dissect_gif (tvb=0x61d0000e5a80,
pinfo=0x6150000bb118, tree=0x619000108230, data="" at
epan/dissectors/file-gif.c:542
#2  0x00007fffee29a10d in call_dissector_through_handle (handle=0x60300004f8d0,
tvb=0x61d0000e5a80, pinfo=0x6150000bb118, tree=0x619000108230, data="" at
epan/packet.c:622
#3  0x00007fffee29a512 in call_dissector_work (handle=0x60300004f8d0,
tvb=0x61d0000e5a80, pinfo_arg=0x6150000bb118, tree=0x619000108230,
add_proto_name=1, data="" at epan/packet.c:713
#4  0x00007fffee29f830 in call_dissector_only (handle=0x60300004f8d0,
tvb=0x61d0000e5a80, pinfo=0x6150000bb118, tree=0x619000108230, data="" at
epan/packet.c:2284
#5  0x00007fffee9c30a5 in dissect_http_message (tvb=0x61d0000e5b20, offset=185,
pinfo=0x6150000bb118, tree=0x619000108230, conv_data=0x7fffe00e3280) at
epan/dissectors/packet-http.c:1453
#6  0x00007fffee9c8790 in dissect_http (tvb=0x61d0000e5b20,
pinfo=0x6150000bb118, tree=0x619000108230, data="" at
epan/dissectors/packet-http.c:2780
