splines: segfault due to out of bounds access of segment array #735
Comments
Good catch! Spline rendering was recently optimized, so this is probably a result of that. @veluca93 is there an earlier point where this can be prevented? Otherwise the suggested fix looks good enough, at least as a quick patch. Should probably backport it to the 0.6 branch too, decoder segfault is a rather severe bug after all.

image_rect.y0() really ought to be smaller than segment_y_start_ in all cases, it is probably better to fix that... @sboukortt too

Not yet fully sure what is happening but

Fixes libjxl#735. (cherry picked from commit 0eff04c) (cherry picked from PR libjxl#757)

Note: This bug got assigned CVE-2021-22563

@lovell Please let me know if you would like to be credited in the CVE description and how (name, company affiliation, etc).

@deymo I'm happy for my name to appear but please ensure libvips is credited too as its fuzzers found this. If there's a bounty, please donate this to https://opencollective.com/libvips

Thanks. We don't have bug bounty for libjxl.
Hello, this 161-byte JPEG-XL image, found via fuzz testing, causes a segfault during decoding (using the latest commit on the main branch): https://github.com/libjxl/libjxl/files/7348994/fuzz39533.jxl.txt

It looks like, when drawing spline segments, segment_y_start for this image contains 253 entries but image_rect.y0() can return higher values for y that result in DrawSegment() reading beyond the end of this.

libjxl/lib/jxl/splines.cc, Lines 149 to 153 in 795ba9c

The following patch to Apply() demonstrates a possible guard to prevent the segfault, but there's almost certainly a better way to fix this.
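As an added illustration (not libjxl's code and not the reporter's patch, which is not reproduced on this page), here is a simplified model of the failure mode described above: a per-row table indexed by image row, an unguarded lookup that walks every row of a rectangle and trusts the table to cover it, and a guarded lookup that clips the rectangle's rows to what the table actually covers before indexing. `Rect`, `SegmentTable`, `TableRows`, `SegmentsInRectUnchecked`, `SegmentsInRectChecked` and `UncheckedThrows` are hypothetical names, and the table layout (N + 1 entries for N rows, row y owning segments [table[y], table[y + 1])) is an assumption made for the example, not a description of how splines.cc stores segment_y_start_.

```cpp
// Added example (not libjxl code): a hypothetical per-row segment table and
// the bounds guard that keeps row lookups inside it.
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <vector>

namespace example {

// Hypothetical image rectangle covering rows [y0, y0 + ysize).
struct Rect {
  size_t y0;
  size_t ysize;
};

// Hypothetical per-row table: row y owns the segment indices in
// [table[y], table[y + 1]). A table describing N rows has N + 1 entries,
// so reading table[y + 1] is only valid while y + 1 < table.size().
using SegmentTable = std::vector<size_t>;

// Number of rows the table describes (zero for an empty or 1-entry table).
inline size_t TableRows(const SegmentTable& table) {
  return table.size() < 2 ? 0 : table.size() - 1;
}

// Unguarded pattern: iterate over every row of the rect and assume the table
// has an entry for it. With operator[] this would read past the end of the
// vector (undefined behaviour, and the segfault seen in the report); .at() is
// used here so the simulation throws std::out_of_range instead.
inline size_t SegmentsInRectUnchecked(const Rect& rect,
                                      const SegmentTable& table) {
  size_t count = 0;
  for (size_t y = rect.y0; y < rect.y0 + rect.ysize; ++y) {
    count += table.at(y + 1) - table.at(y);
  }
  return count;
}

// Guarded pattern: clip the row range to the rows the table covers before
// touching it. Rows the table knows nothing about contribute no segments.
inline size_t SegmentsInRectChecked(const Rect& rect,
                                    const SegmentTable& table) {
  const size_t rows = TableRows(table);
  const size_t y_begin = std::min(rect.y0, rows);
  const size_t y_end = std::min(rect.y0 + rect.ysize, rows);
  size_t count = 0;
  for (size_t y = y_begin; y < y_end; ++y) {
    count += table[y + 1] - table[y];
  }
  return count;
}

// Reports whether the unguarded lookup runs off the end of the table for a
// given rect (true means the real code would have read out of bounds).
inline bool UncheckedThrows(const Rect& rect, const SegmentTable& table) {
  try {
    (void)SegmentsInRectUnchecked(rect, table);
  } catch (const std::out_of_range&) {
    return true;
  }
  return false;
}

// Constructed sample table (not derived from the fuzz case): 4 rows, with
// segments 0..1 on row 0, none on row 1, 2..4 on row 2 and 5 on row 3.
inline SegmentTable SampleTable() { return SegmentTable{0, 2, 2, 5, 6}; }

}  // namespace example
```

The guard clips rather than asserts: a decoder handling untrusted input should treat a rectangle that extends past the table as "nothing to draw there", not as a fatal condition, and the clipping keeps the loop bounds within the table regardless of how the two values were derived upstream.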