
infinite loop in get_raw_sample_int #34

Closed
xcainiao opened this issue Jan 4, 2018 · 2 comments

Comments

xcainiao commented Jan 4, 2018

ImageWorsener version 1.3.2
Copyright © 2011–2017 Jason Summers
Features: 64-bit
Uses libjpeg version 8d
Uses libpng version 1.2.54
Uses zlib version 1.2.8

./imagew @@file /tmp/out -outfmt bmp

Program received signal SIGINT, Interrupt.
get_raw_sample_int (ctx=ctx@entry=0x6baf30, x=x@entry=553, y=y@entry=13475, channel=channel@entry=0) at ../src/imagew-main.c:253
253	}
(gdb) bt
#0  get_raw_sample_int (ctx=ctx@entry=0x6baf30, x=x@entry=553, y=y@entry=13475, channel=channel@entry=0) at ../src/imagew-main.c:253
#1  0x000000000041d275 in get_sample_cvt_to_linear (csdescr=0x6bb068, channel=0, y=13475, x=<optimized out>, ctx=0x6baf30) at ../src/imagew-main.c:381
#2  iw_process_cols_to_intermediate (in_csdescr=0x6bb068, channel=0, ctx=0x6baf30) at ../src/imagew-main.c:874
#3  iw_process_one_channel (ctx=0x6baf30, intermed_channel=0, in_csdescr=0x6bb068, out_csdescr=0x6bb208) at ../src/imagew-main.c:1156
#4  0x0000000000433d2d in iw_process_internal (ctx=0x6baf30) at ../src/imagew-main.c:1427
#5  iw_process_image (ctx=ctx@entry=0x6baf30) at ../src/imagew-main.c:2260
#6  0x000000000040c0b0 in iwcmd_run (p=p@entry=0x7fffffffd6e0) at ../src/imagew-cmd.c:1400
#7  0x000000000041acea in iwcmd_main (argc=<optimized out>, argv=<optimized out>) at ../src/imagew-cmd.c:3018
#8  0x00007ffff708c830 in __libc_start_main (main=0x402d30 <main>, argc=5, argv=0x7fffffffde18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde08)
    at ../csu/libc-start.c:291
#9  0x0000000000402da9 in _start ()

testcase: https://github.com/xcainiao/poc/blob/master/imageworsener_get_raw_sample_int_infinite_loop

jsummers (Owner) commented Jan 5, 2018

I can't reproduce an infinite loop, but it took over 4 minutes to complete. That does seem a little unreasonable to me, but I'm not sure what to do about it, if anything.

Your test case does not work with newer versions of libjpeg (e.g. 9b). Instead, it fails quickly with "imagew error: libjpeg reports read error: Huffman table 0x00 was not defined". The issue still exists, but a less-broken test case is needed to exhibit it.

xcainiao closed this as completed Jan 7, 2018

hartwork (Contributor) commented Dec 7, 2020

I don't see CVE-2018-5252 mentioned here yet so let me add it. 4 minutes runtime sounds like a denial-of-service vector to me.
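One defensive pre-check a caller can put in front of a converter such as imagew when the input is untrusted: parse the JPEG frame header and refuse frames whose declared pixel count exceeds a budget, so a malformed file cannot commit the process to minutes of per-pixel work before the decoder even reports an error. This is an added example, not ImageWorsener code; the 50-megapixel budget and the header-only sample files built by `_minimal_jpeg` are assumptions.

```python
import struct

# JPEG markers (ITU T.81). SOFn segments carry the frame dimensions;
# 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC) share the range but are not SOF.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RSTn: no length field


def jpeg_dimensions(data: bytes):
    """Return (width, height) from the first SOFn segment, or raise ValueError."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            raise ValueError("truncated segment 0xFF%02X" % marker)
        if marker in SOF_MARKERS:
            if seg_len < 8:
                raise ValueError("SOF segment too short")
            # payload: precision(1) height(2) width(2) components(1)
            _precision, height, width, _ncomp = struct.unpack(">BHHB", data[pos + 4:pos + 10])
            return width, height
        if marker == SOS:               # entropy-coded data starts here; SOF must precede it
            break
        pos += 2 + seg_len
    raise ValueError("no SOF segment found")


def within_budget(data: bytes, max_pixels: int = 50_000_000) -> bool:
    """True if the declared frame fits the pixel budget (budget value is an assumption)."""
    width, height = jpeg_dimensions(data)
    return width * height <= max_pixels


def _minimal_jpeg(width: int, height: int) -> bytes:
    """Constructed header-only sample (SOI, APP0 stub, SOF0, EOI); not a decodable image."""
    sof0 = struct.pack(">BHHB", 8, height, width, 1) + bytes([1, 0x11, 0])  # one component
    return (b"\xFF\xD8" + b"\xFF\xE0" + struct.pack(">H", 6) + b"JFIF"
            + b"\xFF\xC0" + struct.pack(">H", 2 + len(sof0)) + sof0 + b"\xFF\xD9")


SMALL = _minimal_jpeg(640, 480)        # 307,200 pixels: accepted
HUGE = _minimal_jpeg(65535, 65535)     # ~4.3 gigapixels declared: rejected
```

Pair this with an OS-level CPU-time or wall-clock limit on the converter process, since a header check cannot catch every slow path inside the decoder.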
