Bug: XnView parse PCT file out-of-bounds read

Bugs found in XnView Classic. Please report only one bug per topic!

Moderators: XnTriq, helmut, xnview

jackwood
Posts: 2
Joined: Thu Apr 14, 2016 3:19 am

Bug: XnView parse PCT file out-of-bounds read

Post by jackwood »

Sample: see attachment

XnView 2.35:

Code: Select all

0:009:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetPageUrlData failed, server returned HTTP status 403
URL requested: http://watson.microsoft.com/StageOne/xnview_exe/2_35_0_0/568ad748/xnview_exe/2_35_0_0/568ad748/c0000005/001ba6c8.htm?Retriage=1

FAULTING_IP: 
xnview+1ba6c8
005ba6c8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000005ba6c8 (xnview+0x00000000001ba6c8)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000002b4e000
Attempt to read from address 0000000002b4e000

FAULTING_THREAD:  0000000000001c20

PROCESS_NAME:  xnview.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000002b4e000

READ_ADDRESS:  0000000002b4e000 

FOLLOWUP_IP: 
xnview+1ba6c8
005ba6c8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_DOESNOT_MATCH_CODE:  This indicates a hardware error.
Instruction at 00000000005ba6c8 does not read/write to 0000000002b4e000

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

BUGCHECK_STR:  APPLICATION_FAULT_CODE_ADDRESS_MISMATCH_INVALID_POINTER_READ_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  CODE_ADDRESS_MISMATCH

DEFAULT_BUCKET_ID:  CODE_ADDRESS_MISMATCH

LAST_CONTROL_TRANSFER:  from 00000000006a1db2 to 00000000005ba6c8

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
064cefec 006a1db2 02b3bb4d 02b4bc29 fffffff4 xnview+0x1ba6c8
064cf028 006a260b 02b40f20 064cf090 00030018 xnview+0x2a1db2
064cf070 75b9ddb4 012c0000 0018f124 00000003 xnview+0x2a260b
064cf0a8 00000000 0000058b 0000012c 0000012c KERNELBASE!ReadFile+0x16a


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  xnview+1ba6c8

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: xnview

DEBUG_FLR_IMAGE_TIMESTAMP:  568ad748

STACK_COMMAND:  ~9s ; kb

FAILURE_BUCKET_ID:  CODE_ADDRESS_MISMATCH_c0000005_C:_Program_Files_(x86)_XnView_xnview.exe!Unknown

BUCKET_ID:  X64_APPLICATION_FAULT_CODE_ADDRESS_MISMATCH_INVALID_POINTER_READ_ZEROED_STACK_xnview+1ba6c8

IMAGE_NAME:  C:\Program Files (x86)\XnView\xnview.exe

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/xnview_exe/2_35_0_0/568ad748/xnview_exe/2_35_0_0/568ad748/c0000005/001ba6c8.htm?Retriage=1

Followup: MachineOwner
---------
You do not have the required permissions to view the files attached to this post.
jackwood
Posts: 2
Joined: Thu Apr 14, 2016 3:19 am

Re: Bug: XnView parse PCT file out-of-bounds read

Post by jackwood »

There exist a out of bound read in xnview2.35 when you open the poc.pct file.
User avatar
xnview
Author of XnView
Posts: 44883
Joined: Mon Oct 13, 2003 7:31 am
Location: France

Re: Bug: XnView parse PCT file out-of-bounds read

Post by xnview »

ok thanks
Pierre.