#88 Out of memory crash with optipng-0.7.8?

v1.0 (example)
closed-invalid
None
5
2023-12-02
2023-11-29
schsiung
No

There will be an out-of-memory crash with the PoC provided; could you have a look?
obj/bin/optipng -zm 3 -zc 1 -zw 256 -snip -out 2.png out/default/crashes/id:000002,sig:06,src:000177,time:1843356,execs:418135,op:havoc,rep:4

[AFL++ 0cc14d0bc3c5] /data/openeuler/optipng-0.7.8 # obj/bin/optipng -zm 3 -zc 1 -zw 256 -snip -out 2.png out/default/crashes/id:000002,sig:06,src:000177,time:1843356,execs:418135,op:havoc,rep:4
** Processing: out/default/crashes/id:000002,sig:06,src:000177,time:1843356,execs:418135,op:havoc,rep:4
AddressSanitizer: CHECK failed: sanitizer_allocator_secondary.h:42 "((n)) < ((kMaxNumChunks))" (0x100000, 0x100000) (tid=3679245)
#0 0x55c1bc491466 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x12e466)
#1 0x55c1bc4af759 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x14c759)
#2 0x55c1bc3a2d3d (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x3fd3d)
#3 0x55c1bc3a2f50 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x3ff50)
#4 0x55c1bc3a3756 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x40756)
#5 0x55c1bc4879cc (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x1249cc)
#6 0x55c1bc4f9086 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x196086)
#7 0x55c1bc4ef9ca (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x18c9ca)
#8 0x55c1bc4e9447 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x186447)
#9 0x55c1bc4e7881 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x184881)
#10 0x55c1bc4d55ea (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x1725ea)
#11 0x55c1bc4d2823 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x16f823)
#12 0x55c1bc4d2109 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x16f109)
#13 0x55c1bc4cfca3 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x16cca3)
#14 0x7f68ecac9d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#15 0x7f68ecac9e3f (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#16 0x55c1bc39c4b0 (/data/openeuler/optipng-0.7.8/obj/bin/optipng+0x394b0)

[1813766.679751] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=user.slice,mems_allowed=0,global_oom,task_memcg=/user.slice/user-1000.slice/session-5.scope,task=optipng,pid=3332464,uid=1000
[1813766.679763] Out of memory: Killed process 3332464 (optipng) total-vm:24368747168kB, anon-rss:6044248kB, file-rss:1920kB, shmem-rss:0kB, UID:1000 pgtables:3949852kB oom_score_adj:0
[1813769.454052] oom_reaper: reaped process 3332464 (optipng), now anon-rss:164kB, file-rss:0kB, shmem-rss:0kB

1 Attachments

Discussion

  • Cosmin Truta - 2023-12-02

    Thank you for your report. This is a legitimate out-of-memory error, because the input images "lie" about being huge, but aren't. (Admittedly, the program could be and maybe should be "smarter" and catch this form of "deceit", but that should be a special feature, not a bugfix.)

    In my own internal tracing, I can see the following:

    ** Processing: id_000000.bmp
    in pngx_read_bmp: width = 2031690, height = 1107296257, depth=16
    in pngx_read_bmp: row size = 4063380
    Error: Out of memory
    
    ** Processing: id_000001.bmp
    in pngx_read_bmp: width = 117506047, height = 15597568, depth=1
    in pngx_read_bmp: row size = 14688256
    Error: Out of memory
    
    ** Processing: id_000002.bmp
    in pngx_read_bmp: width = 917506, height = 100728831, depth=32
    in pngx_read_bmp: row size = 3670024
    Error: Out of memory
    
     
  • Cosmin Truta - 2023-12-02
    • status: open --> closed-invalid
    • assigned_to: Cosmin Truta
     
  • Cosmin Truta - 2023-12-02

    I'm closing this report as "invalid", because it's not really a bug. However, I will take this as a suggestion to make the error cause more obvious, when such out-of-memory errors occur.
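
The kind of check the first comment describes as a possible feature (catching a BMP header that claims far more pixel data than the file holds), written as an added example; it is not OptiPNG's code. The function names and the sample header are constructed for illustration, and the check assumes an uncompressed (BI_RGB) BMP, since RLE data can legitimately be smaller than the decoded image.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t le32(const unsigned char *p)          /* little-endian read */
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bytes per row, padded to a 4-byte boundary (the "row size" in the trace);
 * returns 0 for dimensions that cannot be valid. */
uint64_t bmp_row_size(int32_t width, uint32_t depth)
{
    if (width <= 0 || depth == 0 || depth > 32) return 0;
    return (((uint64_t)width * depth + 31) / 32) * 4;
}

/* Hypothetical pre-allocation check. hdr must point at >= 54 bytes (file
 * header + BITMAPINFOHEADER). Returns 1 if a BI_RGB file of file_size bytes
 * can hold the pixel data the header declares, 0 if the header overstates it. */
int bmp_dims_plausible(const unsigned char *hdr, uint64_t file_size)
{
    uint32_t offset = le32(hdr + 10);                 /* start of pixel data */
    int32_t width = (int32_t)le32(hdr + 18);
    int32_t height = (int32_t)le32(hdr + 22);         /* negative = top-down */
    uint32_t depth = hdr[28] | (hdr[29] << 8);
    uint64_t row = bmp_row_size(width, depth);
    uint64_t rows = height < 0 ? (uint64_t)-(int64_t)height : (uint64_t)height;

    if (hdr[0] != 'B' || hdr[1] != 'M' || le32(hdr + 30) != 0) return 0;
    if (row == 0 || rows == 0 || offset > file_size) return 0;
    return rows <= (file_size - offset) / row;        /* division: no overflow */
}

/* Constructed sample: a 54-byte header declaring 917506 x 100728831 at
 * 32 bpp, the dimensions traced for id_000002.bmp. */
const unsigned char SAMPLE_HDR[54] = {
    'B', 'M', 0,0,0,0, 0,0,0,0, 54,0,0,0,   /* file header, pixel data at 54 */
    40,0,0,0, 0x02,0x00,0x0E,0x00,          /* info header size, width */
    0xFF,0xFF,0x00,0x06, 1,0, 32,0          /* height, planes, depth; rest 0 */
};

int main(void)
{
    /* Pretend the file on disk is 4096 bytes long. */
    printf("row size = %llu, plausible = %d\n",
           (unsigned long long)bmp_row_size(917506, 32),
           bmp_dims_plausible(SAMPLE_HDR, 4096));
    return 0;
}
```

Rejecting the header at this point turns the allocation failure into a specific "declared size exceeds file size" error before any memory is requested.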

     
