jcopy_sample_rows() causes SIGSEGV #441
Comments
xNombre
added a commit
to xNombre/android_external_libjpeg-turbo
that referenced
this issue
Jul 6, 2020
…jpeg-turbo into 10.0" Newest libjpeg crashes apps on Android. Due to reported bug: libjpeg-turbo/libjpeg-turbo#441 Merge will be reapplies when libjper gets fixed. This reverts commit 6646983, reversing changes made to b99b057. Signed-off-by: xNombre <kartapolska@gmail.com>
xNombre
added a commit
to xNombre/android_external_libjpeg-turbo
that referenced
this issue
Jul 6, 2020
…jpeg-turbo into 10.0" Newest libjpeg crashes apps on Android. Due to reported bug: libjpeg-turbo/libjpeg-turbo#441 Merge will be reapplied when libjpeg gets fix for this. Signed-off-by: xNombre <kartapolska@gmail.com>
zodf0055980
changed the title
|
Should be fixed now. Please test. |
|
It's okay now, thanks! |
dcommander
added a commit
that referenced
this issue
Jul 28, 2020
- Introduce a partial image decompression regression test script that validates the correctness of jpeg_skip_scanlines() and jpeg_crop_scanlines() for a variety of cropping regions and libjpeg settings. This regression test catches the following issues: #182, fixed in 5bc43c7 #237, fixed in 6e95c08 #244, fixed in 398c1e9 #441, fully fixed in this commit It does not catch the following issues: #194, fixed in 773040f #244 (additional segfault), fixed in 9120a24 - Modify the libjpeg-turbo regression test suite (make test) so that it checks for the issue reported in #441 (segfault in jpeg_skip_scanlines() when used with 4:2:0 merged upsampling/color conversion.) - Fix issues in jpeg_skip_scanlines() that caused incorrect output with h2v2 (4:2:0) merged upsampling/color conversion. The previous commit fixed the segfault reported in #441, but that was a symptom of a larger problem. Because merged 4:2:0 upsampling uses a "spare row" buffer, it is necessary to allow the upsampler to run when skipping rows (fancy 4:2:0 upsampling, which uses context rows, also requires this.) Otherwise, if skipping starts at an odd-numbered row, the output image will be incorrect. - Throw an error if jpeg_skip_scanlines() is called with two-pass color quantization enabled. With two-pass color quantization, the first pass occurs within jpeg_start_decompress(), so subsequent calls to jpeg_skip_scanlines() interfere with the multipass state and prevent the second pass from occurring during subsequent calls to jpeg_read_scanlines().
dcommander
added a commit
that referenced
this issue
Jul 28, 2020
The additional segfault mentioned in #244 was due to the fact that the merged upsamplers use a different private structure than the non-merged upsamplers. jpeg_skip_scanlines() was assuming the latter, so when merged upsampling was enabled, jpeg_skip_scanlines() clobbered one of the IDCT method pointers in the merged upsampler's private structure. For reasons unknown, the test image in #441 did not encounter this segfault (too small?), but it encountered an issue similar to the one fixed in 5bc43c7, whereby it was necessary to set up a dummy postprocessing function in read_and_discard_scanlines() when merged upsampling was enabled. Failing to do so caused either a segfault in merged_2v_upsample() (due to a NULL pointer being passed to jcopy_sample_rows()) or an error ("Corrupt JPEG data: premature end of data segment"), depending on the number of scanlines skipped and whether the first scanline skipped was an odd- or even-numbered row. Fixes #441 Fixes #244 (for real this time)
dcommander
added a commit
that referenced
this issue
Jul 28, 2020
- Introduce a partial image decompression regression test script that validates the correctness of jpeg_skip_scanlines() and jpeg_crop_scanlines() for a variety of cropping regions and libjpeg settings. This regression test catches the following issues: #182, fixed in 5bc43c7 #237, fixed in 6e95c08 #244, fixed in 398c1e9 #441, fully fixed in this commit It does not catch the following issues: #194, fixed in 773040f #244 (additional segfault), fixed in 9120a24 - Modify the libjpeg-turbo regression test suite (make test) so that it checks for the issue reported in #441 (segfault in jpeg_skip_scanlines() when used with 4:2:0 merged upsampling/color conversion.) - Fix issues in jpeg_skip_scanlines() that caused incorrect output with h2v2 (4:2:0) merged upsampling/color conversion. The previous commit fixed the segfault reported in #441, but that was a symptom of a larger problem. Because merged 4:2:0 upsampling uses a "spare row" buffer, it is necessary to allow the upsampler to run when skipping rows (fancy 4:2:0 upsampling, which uses context rows, also requires this.) Otherwise, if skipping starts at an odd-numbered row, the output image will be incorrect. - Throw an error if jpeg_skip_scanlines() is called with two-pass color quantization enabled. With two-pass color quantization, the first pass occurs within jpeg_start_decompress(), so subsequent calls to jpeg_skip_scanlines() interfere with the multipass state and prevent the second pass from occurring during subsequent calls to jpeg_read_scanlines().
dcommander
added a commit
that referenced
this issue
Jul 28, 2020
(Oversight when cherry-picking ab835bc)
|
I have a similar issue using v2.1.2. Should I open a separate issue or reopen this one ? |
|
@mathias-clerc This issue was closed and fixed, so open a new issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Have you searched the existing issues (both open and closed) in the libjpeg-turbo issue tracker to ensure that this bug report is not a duplicate?
Yes
Does this bug report describe one of the two known and unsolvable issues with the JPEG format?
No
Clear and concise description of the bug:
jcopy_sample_rows try to read *0x8 causes SIGSEGV
0x00007ffff7b7d48a in jcopy_sample_rows (input_array=0x555555764728, source_row=0x0, output_array=0x8, dest_row=0x0, num_rows=0x1, num_cols=0x60) at /home/yuan/libjpeg-turbo/jutils.c:112
112 outptr = *output_array++;
Steps to reproduce the bug (using only libjpeg-turbo):
in read_and_discard_scanlines() , it calls jpeg_read_scanlines(cinfo, NULL, 1);
However NULL will be output array address in jcopy_sample_rows().
Image(s) needed in order to reproduce the bug (if applicable):
Expected behavior:
Observed behavior:
Platform(s) (compiler version, operating system version, CPU) on which the bug was observed:
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0 , Linux version 5.3.0-61-generic
libjpeg-turbo release(s), commit(s), or branch(es) in which the bug was observed (always test the tip of the master branch or the latest stable pre-release to verify that the bug hasn't already been fixed):
commit ae87a95 in master
If the bug is a regression, the specific commit that introduced the regression (use
git bisectto determine this):Additional information:
The text was updated successfully, but these errors were encountered: