GNOME Bugzilla – Bug 775697
buffer overread in jpeg loader
Last modified: 2018-05-22 13:20:55 UTC
Created attachment 341458
crashing file, password "crash", found by afl

Program received signal SIGSEGV, Segmentation fault.
0x00007fffefa65263 in de_get16 (ptr=0x60e10000d51f, endian=1234) at io-jpeg.c:294
294	    memcpy(&val, ptr, sizeof(val));
(gdb) t a a bt full
Thread 1 (Thread 0x7ffff7fc3880 (LWP 6023))
$7 = (jpeg_saved_marker_ptr) 0x60e00000d500
(gdb) p *marker
$8 = {next = 0x60e00000d420, marker = 225 '\341', original_length = 69, data_length = 69, data = 0x60e00000d520 "Exif66P"}
(gdb) p i
$9 = 4294967295
(gdb) p i+2
$10 = 1
(gdb) r
Created attachment 341459
potential patch

The overread is caused by integer overflows. The attached patch makes it not crash. It's probably not the most beautiful way to do it, though.
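An added example, not gdk-pixbuf's code (marker_t, offset_check_naive and read_u16_checked are hypothetical names), showing how an "i + 2 <= length" check wraps for the i = 4294967295 seen in the gdb session and how a check on the remaining length avoids it:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical marker record; mirrors only the fields the gdb dump shows. */
typedef struct {
    const unsigned char *data;
    unsigned int data_length;
} marker_t;

/* The unsafe shape: "i + 2 <= length" with a 32-bit unsigned i.
 * For i == 4294967295 the sum wraps to 1, the check passes, and a
 * following memcpy(&val, data + i, 2) reads far outside the buffer. */
bool offset_check_naive(const marker_t *m, unsigned int i)
{
    return i + 2 <= m->data_length;
}

/* Hardened read: compare against the remaining length instead of forming
 * i + 2, so no intermediate can overflow. Returns false on any short read. */
bool read_u16_checked(const marker_t *m, unsigned int i, bool big_endian, uint16_t *out)
{
    if (m->data == NULL || i > m->data_length || m->data_length - i < 2)
        return false;
    const unsigned char *p = m->data + i;
    *out = big_endian ? (uint16_t)((p[0] << 8) | p[1])
                      : (uint16_t)(p[0] | (p[1] << 8));
    return true;
}

int main(void)
{
    /* Constructed sample: an APP1 payload that starts like an Exif header. */
    static const unsigned char sample[] = { 'E','x','i','f',0,0,'M','M',0,0x2a };
    marker_t m = { sample, sizeof sample };
    uint16_t v;
    printf("naive check, i=0xFFFFFFFF: %s\n",
           offset_check_naive(&m, 0xFFFFFFFFu) ? "passes (bug)" : "rejects");
    printf("checked read, i=0xFFFFFFFF: %s\n",
           read_u16_checked(&m, 0xFFFFFFFFu, true, &v) ? "read" : "rejected");
    if (read_u16_checked(&m, 6, true, &v))
        printf("byte order mark: 0x%04x\n", v);
    return 0;
}
```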
Can't reproduce the crasher here, it throws: "Error interpreting JPEG image file (Quantization table 0x00 was not defined)"
Created attachment 341949
tests: Add test for bug 775697
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gdk-pixbuf/issues/58.