-
-
Notifications
You must be signed in to change notification settings - Fork 992
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Power of two length on broken file leads to infinite loop #130
Comments
Is this reproducible with only libjpeg-turbo? I cannot personally reproduce it with djpeg, and thus I have no way of knowing whether this is our bug or a bug in the Perl code. |
The C code used by the Perl library appears simple, but perhaps they have misused the library. I cannot comment on whether that's the case, it's a short file available here: https://st.aticpan.org/source/JHUDGE/Image-TestJPG-1.0/TestJPG.xs The most minimal Perl code I could use to test the issue is:
You would need to My apologies for making it slightly less easy to duplicate than you might hope. We process millions of files and this is the first we've had this issue with. I don't have sufficient experience with C myself to get a simple test together in a short time period. If this is a problem with the Perl module then you have my apologies, it did however seem to be circling around within libjpeg-turbo though and not the Perl module (the stack frame for the call into libjpeg was the same each time I interrupted it). |
The libjpeg-turbo decompressor receives a great deal of scrutiny, particularly from browser developers like Mozilla and Google. If this was truly an issue with the library, then I find it very hard to believe that it would have gone unnoticed. I strongly suspect that this is a bug in the custom source manager their code is using (https://st.aticpan.org/source/JHUDGE/Image-TestJPG-1.0/mydatasrc/mydatasrc.c). They seem to have hacked up the old stdio source manager from libjpeg v6b so that it does in-memory decompression. I don't have time to debug other people's code, but I would suggest that the first course of action should be to replace their custom source manager with the built-in memory source manager available in libjpeg-turbo (this may be as simple as replacing the call to |
I was using Perl's Image::TestJPG::testJPG (using libjpeg-turbo) and tested a file (attached) which caused the process to hang.
Stepping through the Perl process using gdb shows the issue to occur in the consume_markers function with the given file.
Repeating c (continue), ctrl-c, bt (backtrace) brings up the same kind of result each time. As the Image::TestJPG XS only calls jpeg_read_header once, and not in a loop, and jpeg_read_header contains no loops itself, we eventually find consume_markers as a possible culprit.
Trimming the file from 65536 bytes to 65535, or adding a NUL to bump the file-size to 65537 bytes causes the process to complete, rather than hang. I have repeated the experiment on 32k, 16k files, etc. It doesn't appear to be a multiple-of-8kB or anything like that, just pure powers of two (also tested on 49152 bytes for example which didn't cause the issue).
I only had up to 1.4.2 to test against, so apologies if this has been fixed since, but I didn't see anything in the commit-log when I looked.
The text was updated successfully, but these errors were encountered: