Since discovering a few crashes in browsers that don’t handle badly formed HTML input I’ve been taking a little bit of a break.
Being in a sadistic mood though, I thought I’d see what other kinds of bad input I could generate to test programs with, with a focus on making simple changes that would be easy to duplicate and test automatically.
In the recent past there have been a lot of integer overflow type bugs found in various graphics libraries. (Imlib, libpng, etc).
So I thought I’d play around in that area.
What are we looking for?
We’re looking to craft an image such that viewing it in either a standalone graphics package, or a web browser will cause a crash.
Well the very idea is that we’ll create “malformed” images deliberately designed to trigger badness tm.
But what kind of image manipulation can we carry out?
Well lets assume we take one known-good (and pretty) picture.
- Copy it 3xN times (N_0.ext, N_1.ext, N_2.ext).
- (Where N is the length of the file in bytes.)
- Foreach copy of the image (N.ext) set byte[N] to be :
This gives us 3xN images. Each of which has one byte which has been altered – from first to last.
These we can lead in sequence, automatically via a simple CGI-script which will META-REFRESH onto the next one.
With this script we can simply kick off the loading of the first image, then wait for it to load all in turn – or crash.
If it crashes we can look at the server logs to see which image it loaded last.
What did we get?
- Two scripts:
What else did we get?
Well I started my test using a 20K animated gif image. This lead to 60k images and a new appreciation for handling directories with lots of files in them … :S
Running the test took a good long time, showing three images a second. But my desktop was very responsive.
No crashes though :(
A waste of time? Well maybe, but it was fun experiment, and it could easily be duplicated or extended by anybody with the inclination.
If it’s useful I’ll share my scripts – they’re nothing special though.
Realising that most images will use either 16 or 32 bit indexes we should repeat the test except:
- Instead of tweaking each individual byte in turn, do it for each pair of adjacent bytes.
- Instead of tweaking each pair of individual bytes in turn, do it for each double pair of adjacent bytes.
This is left as an excercise to the reader….