Integer overflow in tjbench.c

[hannob]

I was looking at #361 and I think the fix is incomplete (however only affecting tjbench, not the library itself).

If I take the reproducer from the opensuse bugreport (see https://bugzilla.suse.com/show_bug.cgi?id=1156402 ) which can be downloaded here:
https://bugzilla.suse.com/attachment.cgi?id=823816
I still get an integer overflow with ubsan.

I built libjpeg-turbo from the current git code with ubsan with a command line this:

CC=clang CXX=clang++ LD=clang CFLAGS="-fsanitize=undefined" LDFLAGS="-fsanitize=undefined" cmake -DENABLE_SHARED=OFF ..

Running tjbench on the file from above:

$ ./tjbench-static CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg

>>>>>  JPEG 4:2:0 --> BGR (Top-down)  <<<<<

Image size: 26755 x 26755
/tmp/libjpeg-turbo/tjbench.c:174:29: runtime error: signed integer overflow: 80265 * 26755 cannot be represented in type 'int'
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==5645==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7fe620a64000 (pc 0x7fe620bd185d bp 0x000000000002 sp 0x7fff4ba0baf8 T5645)
==5645==The signal is caused by a WRITE memory access.
UndefinedBehaviorSanitizer:DEADLYSIGNAL
UndefinedBehaviorSanitizer: nested bug in the same thread, aborting.

[pgajdos]

There is probably no need to use ubsan. It just segfaults (see comment 17 in that bug).

[pgajdos]

139		memset(dstbuf, 127, pitch*scaledh);
(gdb) p pitch*scaledh
$4 = -2147477221
(gdb)

[dcommander]

Fix pushed to master

[robertswiecki]

And possiblty one more (in decoding to yuv).

$ ./libjpeg-turbo.github/out/tjbench SIGABRT.PC.7ffff7c613eb.STACK.1a1099b595.CODE.-6.ADDR.\(nil\).INSTR.mov____0x108\(%rsp\)\,%rax.jpg -yuv

Testing YUV planar encoding/decoding

>>>>>  JPEG 4:4:4 --> BGR (Top-down)  <<<<<

Image size: 1002 x 891
=================================================================
==437402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006080 at pc 0x000000439687 bp 0x7fffd6341f50 sp 0x7fffd6341710
READ of size 1002 at 0x62b000006080 thread T0
    #0 0x439686 in memcpy (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x439686)
    #1 0x7fbe8f56139b in tjDecompressToYUVPlanes /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1724:11
    #2 0x7fbe8f5625c6 in tjDecompressToYUV2 /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1799:10
    #3 0x4d28f6 in decomp /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:205:15
    #4 0x4cf072 in decompTest /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:712:11
    #5 0x4cb6d0 in main /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:1003:5
    #6 0x7fbe8f08f1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #7 0x42270d in _start (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x42270d)

0x62b000006080 is located 0 bytes to the right of 24192-byte region [0x62b000000200,0x62b000006080)
allocated by thread T0 here:
    #0 0x49a60d in malloc (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x49a60d)
    #1 0x7fbe8f5605b6 in tjDecompressToYUVPlanes /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1665:31
    #2 0x7fbe8f5625c6 in tjDecompressToYUV2 /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1799:10
    #3 0x4d28f6 in decomp /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:205:15
    #4 0x4cf072 in decompTest /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:712:11
    #5 0x4cb6d0 in main /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:1003:5
    #6 0x7fbe8f08f1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x439686) in memcpy
Shadow bytes around the buggy address:
  0x0c567fff8bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fff8c10:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==437402==ABORTING

[pgajdos]

Please:

1. file a new issue
2. do not include plain POC (e. g. compress it)

[dcommander]

@robertswiecki I just checked in a YUV decoding fix, so try again against the latest code in Git master and file a new issue if the bug is still reproducible.

[dcommander]

@robertswiecki confirmed that the first image you posted (https://user-images.githubusercontent.com/12155236/68846842-f95e7180-06cd-11ea-9207-80b34a91f939.jpg) exhibits a duplicate of #387, which has already been fixed.

[robertswiecki]

Hi @dcommander , am I doing something wrong here? Btw, the double_free.jpg pic from #378 doesn't crash it. I'll file another bug, and you can close it quickly if I'm doing something incorrectly.

$ ( cd libjpeg-turbo/; git reflog )
bd20344 (grafted, HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/libjpeg-turbo/libjpeg-turbo.git

$ ( cd libjpeg-turbo/; git diff origin )

$ ./libjpeg-turbo/out/tjbench-static 68846842-f95e7180-06cd-11ea-9207-80b34a91f939.jpg -yuv

Testing YUV planar encoding/decoding

>>>>>  JPEG 4:4:4 --> BGR (Top-down)  <<<<<

Image size: 1002 x 891
=================================================================
==136873==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006080 at pc 0x0000004425fe bp 0x7ffd59651cb0 sp 0x7ffd59651460
READ of size 1002 at 0x62b000006080 thread T0
    #0 0x4425fd in __interceptor_memcpy.part.40 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4425fd)
    #1 0x535324 in tjDecompressToYUVPlanes (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x535324)
    #2 0x536609 in tjDecompressToYUV2 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x536609)
    #3 0x51f9e3 in decomp (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51f9e3)
    #4 0x51be2a in decompTest (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51be2a)
    #5 0x518ad3 in main (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x518ad3)
    #6 0x7f04c5c6252a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
    #7 0x424689 in _start (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x424689)

0x62b000006080 is located 0 bytes to the right of 24192-byte region [0x62b000000200,0x62b000006080)
allocated by thread T0 here:
    #0 0x4e0bc0 in malloc (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4e0bc0)
    #1 0x5344d5 in tjDecompressToYUVPlanes (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x5344d5)
    #2 0x536609 in tjDecompressToYUV2 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x536609)
    #3 0x51f9e3 in decomp (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51f9e3)
    #4 0x51be2a in decompTest (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51be2a)
    #5 0x518ad3 in main (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x518ad3)
    #6 0x7f04c5c6252a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4425fd) in __interceptor_memcpy.part.40
Shadow bytes around the buggy address:
  0x0c567fff8bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fff8c10:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb