
Assert failure in jxl::LowMemoryRenderPipeline::Init #1477

Closed
@sleicasper

Description

desc

There is an assert failure in libjxl before version 0.6.1 that could cause a denial of service attack.

asan output

./lib/jxl/render_pipeline/low_memory_render_pipeline.cc:312: JXL_ASSERT: first_image_dim_stage_ == stages_.size() || i >= first_image_dim_stage_
    #0 0x558c6d05047e in __sanitizer_print_stack_trace /fuzz/fuzzdeps/llvm-project-11.0.0/compiler-rt/lib/asan/asan_stack.cpp:86:3
    #1 0x7fd128ed84b8 in jxl::Abort() /libjxl/SRC/lib/jxl/base/status.h:132:3
    #2 0x7fd12976cc2b in jxl::LowMemoryRenderPipeline::Init() /libjxl/SRC/lib/jxl/render_pipeline/low_memory_render_pipeline.cc:311:9
    #3 0x7fd12978248d in jxl::RenderPipeline::Builder::Finalize(jxl::FrameDimensions) && /libjxl/SRC/lib/jxl/render_pipeline/render_pipeline.cc:91:8
    #4 0x7fd1293a62af in jxl::PassesDecoderState::PreparePipeline(jxl::ImageBundle*, jxl::PassesDecoderState::PipelineOptions) /libjxl/SRC/lib/jxl/dec_cache.cc:198:40
    #5 0x7fd1293c5964 in jxl::FrameDecoder::ProcessSections(jxl::FrameDecoder::SectionInfo const*, unsigned long, jxl::FrameDecoder::SectionStatus*) /libjxl/SRC/lib/jxl/dec_frame.cc:775:5
    #6 0x7fd1295aa44a in jxl::(anonymous namespace)::JxlDecoderProcessCodestream(JxlDecoderStruct*, unsigned char const*, unsigned long) /libjxl/SRC/lib/jxl/decode.cc:1555:27
    #7 0x7fd1295aa44a in HandleBoxes(JxlDecoderStruct*) /libjxl/SRC/lib/jxl/decode.cc:2079:11
    #8 0x7fd1295a25da in JxlDecoderProcessInput /libjxl/SRC/lib/jxl/decode.cc:2251:29
    #9 0x558c6d07ed4a in DecodeJpegXlOneShot(unsigned char const*, unsigned long, std::vector<float, std::allocator<float> >*, unsigned long*, unsigned long*, std::vector<unsigned char, std::allocator<unsigned char> >*) /libjxl/SRC/examples/decode_oneshot.cc:58:31
    #10 0x558c6d080317 in main /libjxl/SRC/examples/decode_oneshot.cc:233:8
    #11 0x7fd12892b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x558c6cfa152d in _start (/libjxl/fuzzrun/decode_oneshot+0x1f52d)

[1]    888096 illegal hardware instruction  ./decode_oneshot /tmp/poc /dev/null /dev/null

reproduce

  • compile libjxl with address sanitizer
  • run ./decode_oneshot ./poc /dev/null /dev/null
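The trace above ends in jxl::Abort() and the shell reports "illegal hardware instruction": a JXL_ASSERT failure traps and terminates the whole process, so a service that decodes untrusted images in-process goes down with it. The following wrapper is an added example written for this page (it is not code from the issue or from libjxl): it runs the decoder command in a child process and turns its exit status into a verdict, so an abort is reported as a failed decode rather than taking the host down. It assumes a POSIX shell, Linux signal numbering (SIGILL is 4), and the decode_oneshot binary and arguments from the report.

```shell
#!/bin/sh
# Added example, not from the issue or from libjxl: isolate an untrusted
# decode in a child process and classify how it ended, so a JXL_ASSERT
# abort (SIGILL, "illegal hardware instruction") surfaces as a failed
# decode instead of killing the service that embeds the decoder.

# classify_status EXIT_CODE
# Prints "ok", "decode-error" or "crashed (signal N)".
classify_status() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "ok"
    elif [ "$code" -ge 128 ]; then
        # POSIX shells report a child killed by signal N as 128+N
        # (assumes Linux numbering, where SIGILL is 4).
        echo "crashed (signal $((code - 128)))"
    else
        # A non-zero, non-signal status is an ordinary decode failure.
        echo "decode-error"
    fi
}

# run_isolated CMD [ARGS...]
# Runs the decoder command in its own process, discards its output and
# prints a one-line verdict. The 'if' keeps a failing child from tripping
# 'set -e' in a calling script.
run_isolated() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# Usage with the reproducer from the report (paths as given there):
#   run_isolated ./decode_oneshot /tmp/poc /dev/null /dev/null
```

A service would call run_isolated (or the equivalent subprocess spawn in its own language) per image and log the "crashed" verdict as a detection signal; the decoder's own process boundary, not the caller's, then absorbs the trap.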
