
SIGFPE is triggered when processing a malformed JPG file #86

Closed
chunibalon opened this issue Mar 31, 2017 · 0 comments
@chunibalon commented Mar 31, 2017

Hello, the attachments are some samples that can cause SIGFPE, caused by a divide-by-zero at src/lepton/uncompressed_components.hh:122. This exception can cause a denial of service of lepton.
sample.zip

You can reproduce it with: ./lepton ID.jpg

Here is the debugging info from gdb:

```
[CODE────────────────────────────────────────────────]
117 for (int cmp = 0; cmp < (int)header_.size() && cmp < cmpc_; cmp++) {
118 int bc_allocated = header_[cmp].info_.bc;
119 int64_t max_cmp_bc = max_number_of_blocks;
120 max_cmp_bc *= header_[cmp].info_.bcv;
121 max_cmp_bc *= header_[cmp].info_.bch;
122 max_cmp_bc /= total_req_blocks;
123 if (bc_allocated > max_cmp_bc) {
124 bc_allocated = max_cmp_bc - (max_cmp_bc % header_[cmp].info_.bch);
125 }
126 if (cmp == desired_cmp) {
[STACK───────────────────────────────────────────────]
00:0000│ 0x7fffdf7fde80 ◂— 0x0
01:0008│ 0x7fffdf7fde88 —▸ 0x4323ad ◂— test rax, rax
02:0010│ 0x7fffdf7fde90 ◂— 0x101000015
03:0018│ 0x7fffdf7fde98 ◂— 0x7fff000000000006
04:0020│ 0x7fffdf7fdea0 ◂— 0x6
05:0028│ 0x7fffdf7fdea8 —▸ 0x6a5188 ◂— 0x1
06:0030│ 0x7fffdf7fdeb0 ◂— 0x0
07:0038│ 0x7fffdf7fdeb8 —▸ 0x432424 (GenericWorker::wait_for_work()+52) ◂— mov byte ptr [rsp + 7], 0
[BACKTRACE─────────────────────────────────────────────]
► f 0 41b97a
  f 1 41b97a
  f 2 413efb setup_imginfo_jpg(bool)+1163
  f 3 41cc2b
  f 4 40dd03
  f 5 40dd03
  f 6 4162ae
  f 7 416aa7
  f 8 7ffff7186830 __libc_start_main+240
Program received signal SIGFPE
pwndbg> p total_req_blocks
$1 = 0
pwndbg> bt
#0 0x000000000041b97a in UncompressedComponents::allocate_channel_framebuffer (memory_optimized=false, framebuffer=0x68c650 <colldata+16>, desired_cmp=0, this=0x68c640 ) at src/lepton/uncompressed_components.hh:122
#1 UncompressedComponents::init (this=0x68c640 , cmpinfo=..., cmpc=3, mcuh=, mcuv=, memory_optimized_image=) at src/lepton/uncompressed_components.hh:158
#2 0x0000000000413efb in setup_imginfo_jpg (only_allocate_two_image_rows=only_allocate_two_image_rows@entry=false) at src/lepton/jpgcoder.cc:4250
#3 0x000000000041cc2b in read_jpeg (huff_input_offsets=, jpg_in=0x7fffffffd980) at src/lepton/jpgcoder.cc:2250
#4 0x000000000040dd03 in std::function<bool ()>::operator()() const (this=0x7fffffffd9a0) at /usr/include/c++/5/functional:2267
#5 execute(std::function<bool ()> const&) (function=...) at src/lepton/jpgcoder.cc:1863
#6 0x00000000004162ae in process_file (reader=reader@entry=0x0, writer=writer@entry=0x0, max_file_size=max_file_size@entry=0, force_zlib0=) at src/lepton/jpgcoder.cc:1646
#7 0x0000000000416aa7 in app_main (argc=2, argv=) at src/lepton/jpgcoder.cc:922
#8 0x00007ffff7186830 in __libc_start_main (main=0x403040 <main(int, char**)>, argc=2, argv=0x7fffffffdc38, init=, fini=, rtld_fini=, stack_end=0x7fffffffdc28) at ../csu/libc-start.c:291
#9 0x0000000000403599 in _start ()
```
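
As an added illustration (not lepton's code and not the fix danielrh committed), the computation from listed lines 118-124 rewritten so that a header yielding `total_req_blocks == 0` is reported as malformed instead of reaching the division and trapping. The `ComponentInfo` struct, the `compute_bc_allocated` / `allocated_or_minus_one` names, and the assumption that lines 120-121 scale by `*=` are mine.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for the fields the quoted listing reads from
// header_[cmp].info_ (field names follow the listing; the struct is assumed).
struct ComponentInfo {
    int bc;   // blocks requested for this component
    int bcv;  // vertical block count factor
    int bch;  // horizontal block count factor
};

// Mirrors lines 118-124 of the listing, with a guard in front of the divide.
// Returns false when total_req_blocks is 0 (the SIGFPE case from the issue) or
// when the header factors are non-positive, so the caller can reject the file
// instead of letting a malformed JPG take the process down.
bool compute_bc_allocated(int64_t max_number_of_blocks, const ComponentInfo& info,
                          int64_t total_req_blocks, int* bc_allocated_out) {
    if (total_req_blocks <= 0 || info.bch <= 0 || info.bcv <= 0 || info.bc < 0) {
        return false;  // malformed header: refuse rather than trap
    }
    int64_t max_cmp_bc = max_number_of_blocks;
    max_cmp_bc *= info.bcv;
    max_cmp_bc *= info.bch;
    max_cmp_bc /= total_req_blocks;  // divisor is now known to be non-zero
    int64_t bc_allocated = info.bc;
    if (bc_allocated > max_cmp_bc) {
        // clamp to a multiple of bch, as the listing does
        bc_allocated = max_cmp_bc - (max_cmp_bc % info.bch);
    }
    *bc_allocated_out = static_cast<int>(bc_allocated);
    return true;
}

// Convenience wrapper: the allocated block count, or -1 if the header is rejected.
int allocated_or_minus_one(int64_t max_number_of_blocks, int bc, int bcv, int bch,
                           int64_t total_req_blocks) {
    ComponentInfo info{bc, bcv, bch};
    int out = 0;
    return compute_bc_allocated(max_number_of_blocks, info, total_req_blocks, &out) ? out : -1;
}

int main() {
    // constructed header values; the last call reproduces the zero-divisor condition
    std::printf("normal: %d\n", allocated_or_minus_one(1000, 100, 2, 2, 12));
    std::printf("clamped: %d\n", allocated_or_minus_one(1000, 500, 2, 2, 12));
    std::printf("rejected: %d\n", allocated_or_minus_one(1000, 100, 2, 2, 0));
    return 0;
}
```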

danielrh added a commit that referenced this issue Apr 5, 2017

@danielrh danielrh closed this Apr 5, 2017
