Closed
Description
GraphicsMagick testing under Google's oss-fuzz is using the latest Git version for testing. For my own testing I am using libjpeg-turbo-1.5.3. Oss-fuzz is reporting use of uninitialized data in jpeg_read_scanlines() output although I am not able to reproduce this (testing using valgrind rather than ASAN) with 1.5.3. Perhaps the Git version is a bit different or the Clang compilation options used for oss-fuzz produce somewhat different code. I am providing the test case in the hope that the problem can be identified and fixed in the Git version.
These are the details that the oss-fuzz report provides for how the uninitialized value was produced:
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0xc969dd in ReadJPEGImage graphicsmagick/coders/jpeg.c:1445:15
#1 0x69e2be in ReadImage graphicsmagick/magick/constitute.c:1607:13
#2 0x626ac7 in BlobToImage graphicsmagick/magick/blob.c:764:13
#3 0x58e262 in Magick::Image::read(Magick::Blob const&) graphicsmagick/Magick++/lib/Image.cpp:1591:5
#4 0x4a2dbc in LLVMFuzzerTestOneInput graphicsmagick/fuzzing/coder_fuzzer.cc:20:15
#5 0x4e9dac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:526:13
#6 0x4a45e6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#7 0x4b4a6b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:707:9
#8 0x4a3711 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#9 0x7f4ac456f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
#10 0x41ff78 in _start
Uninitialized value was stored to memory at
#0 0x45fbcd in __msan_memcpy.part.51 /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1485
#1 0x138555b in jcopy_sample_rows libjpeg-turbo/jutils.c:113:5
#2 0x13661f5 in sep_upsample libjpeg-turbo/jdsample.c:97:3
#3 0x1480548 in process_data_simple_main libjpeg-turbo/jdmainct.c:313:3
#4 0x1315043 in jpeg_read_scanlines libjpeg-turbo/jdapistd.c:285:3
#5 0xc947f7 in ReadJPEGImage graphicsmagick/coders/jpeg.c:1423:12
#6 0x69e2be in ReadImage graphicsmagick/magick/constitute.c:1607:13
#7 0x626ac7 in BlobToImage graphicsmagick/magick/blob.c:764:13
#8 0x58e262 in Magick::Image::read(Magick::Blob const&) graphicsmagick/Magick++/lib/Image.cpp:1591:5
#9 0x4a2dbc in LLVMFuzzerTestOneInput graphicsmagick/fuzzing/coder_fuzzer.cc:20:15
#10 0x4e9dac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:526:13
#11 0x4a45e6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#12 0x4b4a6b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:707:9
#13 0x4a3711 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#14 0x7f4ac456f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
Uninitialized value was created by a heap allocation
#0 0x45fea0 in malloc /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:907
#1 0x13870fc in alloc_large libjpeg-turbo/jmemmgr.c:391:29
#2 0x1387b19 in alloc_sarray libjpeg-turbo/jmemmgr.c:475:27
#3 0x147af35 in jinit_d_main_controller libjpeg-turbo/jdmainct.c:455:28
#4 0x133ea15 in master_selection libjpeg-turbo/jdmaster.c:570:5
#5 0x133ea15 in jinit_master_decompress libjpeg-turbo/jdmaster.c:736
#6 0x1312531 in jpeg_start_decompress libjpeg-turbo/jdapistd.c:47:5
#7 0xc92caa in ReadJPEGImage graphicsmagick/coders/jpeg.c:1270:10
#8 0x69e2be in ReadImage graphicsmagick/magick/constitute.c:1607:13
#9 0x626ac7 in BlobToImage graphicsmagick/magick/blob.c:764:13
#10 0x58e262 in Magick::Image::read(Magick::Blob const&) graphicsmagick/Magick++/lib/Image.cpp:1591:5
#11 0x4a2dbc in LLVMFuzzerTestOneInput graphicsmagick/fuzzing/coder_fuzzer.cc:20:15
#12 0x4e9dac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:526:13
#13 0x4a45e6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#14 0x4b4a6b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:707:9
#15 0x4a3711 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#16 0x7f4ac456f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_graphicsmagick_82a1c4b13860dcfd1688513621b8894ad0e8
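The report above has the three-stage shape every MemorySanitizer finding has: the value is created by a heap allocation (alloc_sarray), stored into other memory by a memcpy (jcopy_sample_rows), and finally used at a branch (ReadJPEGImage). The following C program is an added illustration of that chain and of why it can surface under MSan but not in an uninstrumented build; it is not code from libjpeg-turbo or from the issue author. The toy decoder, its "fewer rows produced than consumed" defect, and all names and values are constructed assumptions for the illustration and say nothing about the actual cause of the report. One fact worth keeping in mind when trying to reproduce such a report locally: MSan only tracks definedness through code compiled with -fsanitize=memory, so the decoder library itself, not just the harness, has to be built with it.

```c
/* Added illustration (not libjpeg-turbo code): the three stages in the MSan
 * report, heap allocation -> memcpy store -> branch on the value, in a
 * self-contained toy "decoder". All names and values are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROWS  4
#define WIDTH 8

/* Stage 1: allocate a row group the way an alloc_sarray-style allocator does:
 * one heap block, with no initialisation unless the caller asks for it. */
static unsigned char *rowgroup_alloc(int zero_fill) {
    return zero_fill ? calloc(ROWS, WIDTH) : malloc((size_t)ROWS * WIDTH);
}

/* A toy upsampler that, on a malformed input, fills only `filled` of the
 * ROWS rows. This is a hypothetical stand-in defect, not the real one. */
static void toy_upsample(unsigned char *rows, size_t filled) {
    if (filled > ROWS) filled = ROWS;
    memset(rows, 0x80, filled * WIDTH);        /* mid-grey samples */
}

/* Stage 2: jcopy_sample_rows-style copy into the caller's scanline buffer.
 * memcpy carries MSan's "uninitialised" shadow bits along with the bytes,
 * so nothing is reported here; the report points at the later use. */
static void copy_rows(const unsigned char *rows, unsigned char *out) {
    memcpy(out, rows, (size_t)ROWS * WIDTH);
}

/* Stage 3: the consumer branches on every sample (the report's
 * ReadJPEGImage frame). Returns how many rows contain no sample of the
 * expected value, i.e. rows the decoder never produced. */
static int count_unfilled_rows(const unsigned char *out) {
    int unfilled = 0;
    for (int r = 0; r < ROWS; r++) {
        int touched = 0;
        for (int c = 0; c < WIDTH; c++)
            if (out[r * WIDTH + c] == 0x80) { touched = 1; break; }
        if (!touched) unfilled++;
    }
    return unfilled;
}

/* Drive the three stages. With zero_fill == 0 the unfilled rows are
 * indeterminate: an MSan build reports at the branch in count_unfilled_rows,
 * while an uninstrumented build just yields garbage pixels and stays silent.
 * With zero_fill == 1 the same defect becomes deterministic and testable:
 * the unfilled rows come back as zeros. Returns -1 on allocation failure. */
static int decode(size_t filled, int zero_fill) {
    unsigned char out[ROWS * WIDTH];
    unsigned char *rows = rowgroup_alloc(zero_fill);
    if (!rows) return -1;
    toy_upsample(rows, filled);
    copy_rows(rows, out);
    free(rows);
    return count_unfilled_rows(out);
}

int main(void) {
    /* Only the calloc path is exercised here so the program has defined
     * behaviour without a sanitizer. To see a report shaped like the one in
     * the issue, build with
     *   clang -g -O1 -fsanitize=memory -fsanitize-memory-track-origins
     * and call decode(2, 0) instead. */
    printf("rows never produced by the toy decoder: %d\n", decode(2, 1));
    return 0;
}
```

The zero_fill switch is the practical takeaway for a consumer of any decoder: when a library's output buffer may be partially written, initialising it (or the library's own sample arrays) turns an undefined-behaviour read into a deterministic, diffable wrong result, which is far easier to bisect between a release tarball and a Git checkout than a sanitizer report that only one build configuration produces.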