Bug 600553 – [jpegdec] crashes on a fuzzed jpeg

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 600553 - [jpegdec] crashes on a fuzzed jpeg


Summary:	[jpegdec] crashes on a fuzzed jpeg


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-good
Version:	git master
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	0.10.23
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2009-11-03 14:11 UTC by Stefan Sauer (gstreamer, gtkdoc dev)
Modified:	2010-04-30 15:51 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
fuzzed jpeg image (4.62 KB, image/jpeg) 2009-11-03 14:11 UTC, Stefan Sauer (gstreamer, gtkdoc dev)	Details

Description Stefan Sauer (gstreamer, gtkdoc dev) 2009-11-03 14:11:11 UTC

Created attachment 146838 [details]
fuzzed jpeg image

gstjpegdec.c:999:gst_jpeg_dec_chain:<jpegdec0> jpeg_color_space=3
gstjpegdec.c:1009:gst_jpeg_dec_chain:<jpegdec0> [0] h_samp_factor=2,
v_samp_factor=3, cid=1
gstjpegdec.c:1009:gst_jpeg_dec_chain:<jpegdec0> [1] h_samp_factor=1,
v_samp_factor=1, cid=2
gstjpegdec.c:1009:gst_jpeg_dec_chain:<jpegdec0> [2] h_samp_factor=1,
v_samp_factor=1, cid=3
gstjpegdec.c:1021:gst_jpeg_dec_chain:<jpegdec0> starting decompress
gstjpegdec.c:1063:gst_jpeg_dec_chain:<jpegdec0> setting caps video/x-raw-yuv,
format=(fourcc)I420, width=(int)300, height=(int)122, framerate=(fraction)0/1
gstjpegdec.c:1065:gst_jpeg_dec_chain:<jpegdec0> max_v_samp_factor=3
gstjpegdec.c:1067:gst_jpeg_dec_chain:<jpegdec0> max_h_samp_factor=2
gstjpegdec.c:1088:gst_jpeg_dec_chain:<jpegdec0> width 300, height 122, buffer
size 55144, required size 55144
gstjpegdec.c:1128:gst_jpeg_dec_chain:<jpegdec0> decompressing (reqired scanline
buffer height = 1)
gstjpegdec.c:701:gst_jpeg_dec_decode_indirect:<jpegdec0> unadvantageous width
or r_h, taking slow route involving memcpy

GST_DEBUG="jpeg*:5" gst-launch-0.10 filesrc location=00000290.jpeg ! jpegdec !
fakesink

Comment 1 Stefan Sauer (gstreamer, gtkdoc dev) 2010-02-23 22:06:47 UTC

+ Trace 220698

#0 jpeg_idct_ifast_sse2.column_end
from /usr/lib/libjpeg.so.62
#1 ??
#2 ??
#3 decompress_onepass
at ./jdcoefct.c line 240
#4 jpeg_read_raw_data
at ./jdapistd.c line 210
#5 gst_jpeg_dec_decode_indirect
at gstjpegdec.c line 740
#6 gst_jpeg_dec_chain
at gstjpegdec.c line 1177
#7 gst_pad_chain_data_unchecked
at gstpad.c line 4122
#8 gst_pad_push_data
at gstpad.c line 4351
#9 gst_base_src_loop
at gstbasesrc.c line 2444
#10 gst_task_func
at gsttask.c line 238
#11 default_func
at gsttaskpool.c line 70
#12 ??
from /usr/lib/libglib-2.0.so.0
#13 ??
from /usr/lib/libglib-2.0.so.0
#14 start_thread
at pthread_create.c line 297
#15 ??
at pthread_create.c line 216

Comment 2 Bastien Nocera 2010-03-15 16:24:53 UTC

Dupe of bug 604106?

Comment 3 Tim-Philipp Müller 2010-04-25 14:10:30 UTC

> Dupe of bug 604106?

No, different issue.

Comment 4 Mark Nauwelaerts 2010-04-30 15:51:58 UTC

This particular fuzzed image has some unusual v_samp_factor, which jpegdec is not really set to handle, so add some checks to stay within (implicit) expectations:

commit cec48383b16f25e2959e38843b89919a6c7e8c14
Author: Mark Nauwelaerts <mark.nauwelaerts@collabora.co.uk>
Date:   Fri Apr 30 12:42:42 2010 +0200

    jpegdec: more sanity checks on input

    Specifically, verify input components / colour space is as code
    subsequently expects, thereby avoiding crashes or otherwise bogus output.
    Presently, that means 3 components YCbCr colour space, and somewhat
    limited sampling factors.

    Fixes #600553.