Bug 775697 - buffer overread in jpeg loader
Status: RESOLVED OBSOLETE
Product: gdk-pixbuf
Classification: Platform
Component: loaders
Version: git master
OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
QA Contact: gdk-pixbuf-maint
Depends on:
Blocks:
Reported: 2016-12-06 11:02 UTC by Tobias Mueller
Modified: 2018-05-22 13:20 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
crashing file, password "crash", found by afl (832 bytes, application/pgp-encrypted) - 2016-12-06 11:02 UTC, Tobias Mueller
potential patch (1.55 KB, patch) - 2016-12-06 11:04 UTC, Tobias Mueller
tests: Add test for bug 775697 (1.88 KB, patch) - 2016-12-14 11:22 UTC, Bastien Nocera

Description Tobias Mueller 2016-12-06 11:02:40 UTC
Created attachment 341458 [details]
crashing file, password "crash", found by afl

Program received signal SIGSEGV, Segmentation fault.
0x00007fffefa65263 in de_get16 (ptr=0x60e10000d51f, endian=1234) at io-jpeg.c:294
294	       memcpy(&val, ptr, sizeof(val));
(gdb) t a a bt full

Thread 1 (Thread 0x7ffff7fc3880 (LWP 6023))

  • #0 de_get16
    at io-jpeg.c line 294
  • #1 jpeg_parse_exif_app1
    at io-jpeg.c line 465
  • #2 jpeg_parse_exif
    at io-jpeg.c line 516
  • #3 gdk_pixbuf__jpeg_image_load_increment
    at io-jpeg.c line 1037
  • #4 gdk_pixbuf_loader_write
    at gdk-pixbuf-loader.c line 521
  • #5 test_loader
    at pixbuf-read.c line 31
  • #6 main
    at pixbuf-read.c line 75
$7 = (jpeg_saved_marker_ptr) 0x60e00000d500
(gdb) p *marker
$8 = {next = 0x60e00000d420, marker = 225 '\341', original_length = 69, data_length = 69, data = 0x60e00000d520 "Exif66P"}
(gdb) p i
$9 = 4294967295
(gdb) p i+2
$10 = 1
(gdb) r
Comment 1 Tobias Mueller 2016-12-06 11:04:55 UTC
Created attachment 341459 [details] [review]
potential patch

The overread is caused by integer overflows.

The attached patch makes it not crash. It's probably not the most beautiful way to do it, though.
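The gdb session above shows the mechanism: i = 4294967295 (0xffffffff), so i+2 wraps to 1, a naive bounds check passes, and the 2-byte read lands at data + i, far outside the 69-byte marker. The following C example is added here and is not the attached patch or gdk-pixbuf code: it places an overflow-prone check next to a hardened one and applies the hardened one to a constructed APP1 payload. The function names and the exact form of the buggy check are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample APP1 payload (11 bytes): "Exif\0\0" followed by the
 * start of a big-endian TIFF header.  Not the crashing file from the report. */
static const unsigned char sample_app1[] = {
    'E', 'x', 'i', 'f', 0x00, 0x00, 'M', 'M', 0x00, 0x00, 0x2a
};
#define SAMPLE_LEN ((uint32_t)sizeof sample_app1)

/* Overflow-prone form (assumed shape of the buggy check): with i = 0xffffffff,
 * i + 2 wraps to 1, so "1 < len" is true although data + i is far out of bounds. */
static int unsafe_in_bounds(uint32_t i, uint32_t len)
{
    return i + 2 < len;
}

/* Hardened form: subtract from len instead of adding to i, so nothing can wrap.
 * Reading 2 bytes at offset i is in bounds iff i + 2 <= len. */
static int safe_in_bounds(uint32_t i, uint32_t len)
{
    return len >= 2 && i <= len - 2;
}

/* Big-endian 16-bit read guarded by the hardened check.
 * Returns 0 and stores the value, or -1 if the read would leave the buffer. */
static int read_be16_checked(const unsigned char *buf, uint32_t len,
                             uint32_t i, uint16_t *out)
{
    if (!safe_in_bounds(i, len))
        return -1;
    *out = (uint16_t)(((uint16_t)buf[i] << 8) | buf[i + 1]);
    return 0;
}

int main(void)
{
    uint16_t v = 0;
    /* The values from the gdb session: data_length = 69, i = 4294967295. */
    printf("naive check passes: %d\n", unsafe_in_bounds(4294967295u, 69));
    printf("safe check passes:  %d\n", safe_in_bounds(4294967295u, 69));
    /* In-range read from the constructed payload: bytes 9..10 = 0x00 0x2a. */
    if (read_be16_checked(sample_app1, SAMPLE_LEN, 9, &v) == 0)
        printf("value at offset 9: 0x%04x\n", v);
    /* One past the last valid offset is rejected. */
    printf("offset 10 rejected: %d\n",
           read_be16_checked(sample_app1, SAMPLE_LEN, 10, &v));
    return 0;
}
```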
Comment 2 Bastien Nocera 2016-12-14 11:22:07 UTC
Can't reproduce the crasher here, it throws:
"Error interpreting JPEG image file (Quantization table 0x00 was not defined)"
Comment 3 Bastien Nocera 2016-12-14 11:22:28 UTC
Created attachment 341949 [details] [review]
tests: Add test for bug 775697
Comment 4 GNOME Infrastructure Team 2018-05-22 13:20:55 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gdk-pixbuf/issues/58.