Integer overflow in tjbench.c #388
Comments
There is probably no need to use ubsan. It just segfaults (see comment 17 in that bug).
Fix pushed to master
libjpeg-turbo/libjpeg-turbo#388 Minor backport of: libjpeg-turbo/libjpeg-turbo@c30b1e7 "64-bit tjbench: Fix signed int overflow/segfault that occurred when attempting to decompress images with more than 715827882 (2048*1024*1024 / 3) pixels." CVEs fixed in this build: CVE-2019-2201
libjpeg-turbo/libjpeg-turbo#388 libjpeg-turbo/libjpeg-turbo@c30b1e7 "64-bit tjbench: Fix signed int overflow/segfault that occurred when attempting to decompress images with more than 715827882 (2048*1024*1024 / 3) pixels." CVEs fixed in this build: CVE-2019-2201
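An added example, not code from libjpeg-turbo or from this thread, illustrating the arithmetic behind the 715827882-pixel limit quoted in the referenced commit: for 3-byte RGB/BGR output, width*height*3 no longer fits in a signed 32-bit int past that pixel count. The function names are hypothetical; the hardened variant shows the size computed in size_t with explicit overflow checks.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Bytes per pixel for the 3-component RGB/BGR output the fix commit refers to. */
#define RGB_BPP 3

/* Pixel limit quoted in the fix: 2048*1024*1024 / 3 = 715827882. Above this,
 * a buffer size computed as (int)width * height * 3 exceeds INT_MAX. */
#define TJ_PIXEL_LIMIT (2048LL * 1024 * 1024 / 3)

/* Returns 1 when width*height*bpp would not fit in a signed 32-bit int,
 * which is the condition that broke 64-bit tjbench. Computed in 64 bits so
 * the check itself cannot overflow for 32-bit operands. (Hypothetical name.) */
int buffer_size_overflows_int(int width, int height, int bpp)
{
    if (width <= 0 || height <= 0 || bpp <= 0)
        return 1;                       /* treat invalid dimensions as unsafe */
    long long bytes = (long long)width * height * bpp;
    return bytes > INT_MAX;
}

/* Hardened version of the size computation: works in size_t and checks each
 * multiplication against SIZE_MAX before performing it. Returns the byte
 * count, or 0 if the dimensions are invalid or the product would overflow.
 * (Hypothetical name, not a libjpeg-turbo API.) */
size_t checked_buffer_size(unsigned width, unsigned height, unsigned bpp)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / bpp)
        return 0;
    size_t row = (size_t)width * bpp;
    if (row > SIZE_MAX / height)
        return 0;
    return row * height;
}

/* The quoted pixel limit is exactly the boundary: one more pixel tips the
 * int computation over INT_MAX. */
int limit_is_boundary(void)
{
    return !buffer_size_overflows_int(2, (int)(TJ_PIXEL_LIMIT / 2), RGB_BPP)
        && buffer_size_overflows_int(1, (int)TJ_PIXEL_LIMIT + 1, RGB_BPP);
}
```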
And possibly one more (in decoding to yuv).
$ ./libjpeg-turbo.github/out/tjbench SIGABRT.PC.7ffff7c613eb.STACK.1a1099b595.CODE.-6.ADDR.\(nil\).INSTR.mov____0x108\(%rsp\)\,%rax.jpg -yuv
Testing YUV planar encoding/decoding
>>>>> JPEG 4:4:4 --> BGR (Top-down) <<<<<
Image size: 1002 x 891
=================================================================
==437402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006080 at pc 0x000000439687 bp 0x7fffd6341f50 sp 0x7fffd6341710
READ of size 1002 at 0x62b000006080 thread T0
#0 0x439686 in memcpy (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x439686)
#1 0x7fbe8f56139b in tjDecompressToYUVPlanes /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1724:11
#2 0x7fbe8f5625c6 in tjDecompressToYUV2 /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1799:10
#3 0x4d28f6 in decomp /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:205:15
#4 0x4cf072 in decompTest /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:712:11
#5 0x4cb6d0 in main /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:1003:5
#6 0x7fbe8f08f1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
#7 0x42270d in _start (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x42270d)
0x62b000006080 is located 0 bytes to the right of 24192-byte region [0x62b000000200,0x62b000006080)
allocated by thread T0 here:
#0 0x49a60d in malloc (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x49a60d)
#1 0x7fbe8f5605b6 in tjDecompressToYUVPlanes /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1665:31
#2 0x7fbe8f5625c6 in tjDecompressToYUV2 /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1799:10
#3 0x4d28f6 in decomp /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:205:15
#4 0x4cf072 in decompTest /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:712:11
#5 0x4cb6d0 in main /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:1003:5
#6 0x7fbe8f08f1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x439686) in memcpy
==437402==ABORTING
Please:
@robertswiecki I just checked in a YUV decoding fix, so try again against the latest code in Git master and file a new issue if the bug is still reproducible.
@robertswiecki confirmed that the first image you posted (https://user-images.githubusercontent.com/12155236/68846842-f95e7180-06cd-11ea-9207-80b34a91f939.jpg) exhibits a duplicate of #387, which has already been fixed.
Hi @dcommander, am I doing something wrong here? Btw, the double_free.jpg pic from #378 doesn't crash it. I'll file another bug, and you can close it quickly if I'm doing something incorrectly.
$ ( cd libjpeg-turbo/; git reflog )
bd20344 (grafted, HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/libjpeg-turbo/libjpeg-turbo.git
$ ( cd libjpeg-turbo/; git diff origin )
$ ./libjpeg-turbo/out/tjbench-static 68846842-f95e7180-06cd-11ea-9207-80b34a91f939.jpg -yuv
Testing YUV planar encoding/decoding
>>>>> JPEG 4:4:4 --> BGR (Top-down) <<<<<
Image size: 1002 x 891
=================================================================
==136873==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006080 at pc 0x0000004425fe bp 0x7ffd59651cb0 sp 0x7ffd59651460
READ of size 1002 at 0x62b000006080 thread T0
#0 0x4425fd in __interceptor_memcpy.part.40 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4425fd)
#1 0x535324 in tjDecompressToYUVPlanes (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x535324)
#2 0x536609 in tjDecompressToYUV2 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x536609)
#3 0x51f9e3 in decomp (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51f9e3)
#4 0x51be2a in decompTest (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51be2a)
#5 0x518ad3 in main (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x518ad3)
#6 0x7f04c5c6252a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
#7 0x424689 in _start (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x424689)
0x62b000006080 is located 0 bytes to the right of 24192-byte region [0x62b000000200,0x62b000006080)
allocated by thread T0 here:
#0 0x4e0bc0 in malloc (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4e0bc0)
#1 0x5344d5 in tjDecompressToYUVPlanes (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x5344d5)
#2 0x536609 in tjDecompressToYUV2 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x536609)
#3 0x51f9e3 in decomp (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51f9e3)
#4 0x51be2a in decompTest (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51be2a)
#5 0x518ad3 in main (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x518ad3)
#6 0x7f04c5c6252a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4425fd) in __interceptor_memcpy.part.40
https://build.opensuse.org/request/show/748021 by user dimstar_suse - fix upstream bug 388 [bsc#1156402] - added patches libjpeg-turbo/libjpeg-turbo#388 + libjpeg-turbo-issue-388.patch
https://build.opensuse.org/request/show/789669 by user pgajdos + dimstar_suse - Update to version 2.0.4: - bug 388 was fixed upstream libjpeg-turbo/libjpeg-turbo#388 - removed patches, as it is included in this release. * Fixed a regression in the Windows packaging system (introduced by 2.0 beta1[2]) whereby, if both the 64-bit libjpeg-turbo SDK for GCC and the 64-bit libjpeg-turbo SDK for Visual C++ were installed on the same system, only one of them could be uninstalled. * Fixed a signed integer overflow and subsequent segfault that occurred when attempting to decompress images with more than 715827882 pixels using the 64-bit C version of TJBench. * Fixed out-of-bounds write in tjDecompressToYUV2() and tjDecompressToYUVPlanes() (sometimes manifesting as a double free) that occurred when attempting to decompress
I was looking at #361 and I think the fix is incomplete (however only affecting tjbench, not the library itself).
If I take the reproducer from the opensuse bugreport (see https://bugzilla.suse.com/show_bug.cgi?id=1156402 ) which can be downloaded here:
https://bugzilla.suse.com/attachment.cgi?id=823816
I still get an integer overflow with ubsan.
I built libjpeg-turbo from the current git code with ubsan, with a command line like this:
Running tjbench on the file from above: