Created attachment 383748
prevent crash by using strncat instead of strcat

There is a heap-based buffer overflow in media-gfx/xv, caused by the patch http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/media-gfx/xv/files/xv-3.10a-libpng15.patch

This patch introduces a call to png_get_text(), which it then uses to calculate the size of memory to allocate:

commentsize += strlen(_text[i].key) + 1 + _text[i].text_length + 2;

Later _text[i].key and _text[i].text are copied into this memory. This is broken for the iTXt PNG chunk. From the png_get_text() man page: "text_ptr[i].text_length: length of text string after decompression. 0 for iTXt."

Many valid PNG files will segfault xv by virtue of having a large iTXt chunk, causing the image not to be displayed. You control allocation size and data, so there are security implications as well. But opening untrusted files with xv is probably not something we want/can support.

I have attached a minimal patch, changing the strcat to strncat. In case of an iTXt chunk the actual data will just be ignored.
Presumably nobody cares about the media-gfx/xv package anymore. But since this bug keeps the status "unconfirmed" rather than "wontfix", I'll include a PoC to make it easier to verify:

perl -e 'print "\x89PNG\r\n\x1a\n","\0\0\0\x0dIHDR\0\0\0\x01\0\0\0\x01\x01\0\0\0\0\x37\x6e\xf9\x24","\0\0\0\x10IDAT\x78\x9c\x62\x60\x01\0\0\0\xff\xff\x03\0\0\x06\0\x05\x57\xbf\xab\xd4","\x00\x10\x00\x06iTXtX\0\0\0\0\0","A"x0x100000,"\x72\x88\xfe\x77","\0\0\0\0IEND\xae\x42\x60\x82"' > poc.png

The PNG USE flag has to be enabled for the xv package. The PoC is based on Gareth Rees' smallest PNG, with an added iTXt chunk which has 1 MB of A's. It'll start crashing a lot sooner than that.
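The sizing defect described in the report and exercised by the PoC above, as an added example that is not part of the bug thread or of xv: the patch's formula is placed beside a corrected one over a mock of libpng's png_text struct (a stand-in defined here so the code builds without libpng; the field names and the "text_length is 0 for iTXt, itxt_length holds the payload length" semantics follow libpng's documentation). The sample entries are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for libpng's png_text (same field names and semantics) so this
 * builds without libpng. For an iTXt entry libpng sets text_length to 0
 * and reports the payload length in itxt_length instead. */
typedef struct {
    int compression;     /* >= 1 for iTXt (PNG_ITXT_COMPRESSION_*) */
    const char *key;
    const char *text;
    size_t text_length;  /* tEXt/zTXt payload length; 0 for iTXt */
    size_t itxt_length;  /* iTXt payload length; 0 for tEXt/zTXt */
} mock_png_text;

/* Sizing as in the xv libpng15 patch: trusts text_length alone, so an iTXt
 * entry is budgeted for its key only and the later strcat() overruns. */
size_t comment_size_vulnerable(const mock_png_text *t, int n) {
    size_t size = 1;                                   /* trailing NUL */
    for (int i = 0; i < n; i++)
        size += strlen(t[i].key) + 1 + t[i].text_length + 2;
    return size;
}

/* Hardened sizing: take the length from whichever field libpng filled in
 * for this chunk type, so the allocation covers what gets copied. */
size_t comment_size_fixed(const mock_png_text *t, int n) {
    size_t size = 1;
    for (int i = 0; i < n; i++) {
        size_t len = t[i].compression >= 1 ? t[i].itxt_length : t[i].text_length;
        size += strlen(t[i].key) + 1 + len + 2;
    }
    return size;
}

/* Constructed sample: an ordinary tEXt entry plus an iTXt entry carrying
 * 4095 bytes that the vulnerable formula never budgets for. */
static char itxt_payload[4096];
void make_sample(mock_png_text out[2]) {
    memset(itxt_payload, 'A', sizeof itxt_payload - 1);    /* NUL-terminated */
    out[0] = (mock_png_text){ -1, "Author", "alice", 5, 0 };
    out[1] = (mock_png_text){ 1, "Comment", itxt_payload, 0, sizeof itxt_payload - 1 };
}

/* Bytes by which the patch's allocation undercounts for the sample: 4095. */
size_t sample_shortfall(void) {
    mock_png_text t[2];
    make_sample(t);
    return comment_size_fixed(t, 2) - comment_size_vulnerable(t, 2);
}
```

The shortfall grows with the iTXt payload, which is why the 1 MB chunk in the PoC crashes long before it is fully copied; the strncat change in the attached patch bounds the copy instead of fixing the size, so the iTXt text is dropped rather than overflowing.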
[master 7e8f9ee] media-gfx/xv: Fix png crashes (#521142 by Ian Schram)