SEGV on specially crafted JPEG - 11f6acf7 #141

Closed
jodiecunningham opened this Issue Dec 29, 2014 · 3 comments


@jodiecunningham
Contributor

Hi Mozilla Team,

Through some fuzzing with AFL I found that cjpeg from mozjpeg 2.1 would SEGV on this 33-byte JPEG.

Github wouldn't let me attach it (oops)
https://www.dropbox.com/s/g1dl3knukp2nopq/11f6acf7?dl=0

To reproduce:
cjpeg -quality 50 -outfile /dev/null 11f6acf7

Gdb output:

**
** Process info for ../../.libs/lt-cjpeg - ./core-lt-cjpeg17081-1419862822 
** Generated Mon Dec 29 08:20:34 CST 2014
**
** -rwxrwxr-x 1 jodicun jodicun 248316 Dec 28 16:17 ../../.libs/lt-cjpeg 
** -rw------- 1 jodicun jodicun 1204224 Dec 29 08:20 ./core-lt-cjpeg17081-1419862822
**
[New LWP 17081]
Core was generated by `/home/jodicun/opt/mozjpeg-2.1/.libs/lt-cjpeg -quality 50 -outfile /dev/null ../'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000040e2d6 in get_text_rgb_row (cinfo=0x7fffffffcd30, sinfo=<optimized out>) at rdppm.c:171
171     *ptr++ = rescale[read_pbm_integer(cinfo, infile)];
#0  0x000000000040e2d6 in get_text_rgb_row (cinfo=0x7fffffffcd30, sinfo=<optimized out>) at rdppm.c:171
#1  0x000000000040240e in main (argc=<optimized out>, argv=<optimized out>) at cjpeg.c:741
#2  0x00007ffff76c8ec5 in __libc_start_main (main=0x401620 <main>, argc=6, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at libc-start.c:287
#3  0x0000000000402d9d in _start ()
exe = '/home/jodicun/opt/mozjpeg-2.1/.libs/lt-cjpeg -quality 50 -outfile /dev/null ../'
*
* Libraries 
*
From                To                  Syms Read   Shared Object Library
0x00007ffff7a71020  0x00007ffff7baeb90  Yes         /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff76c64a0  0x00007ffff780c003  Yes         /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff73a6610  0x00007ffff74151b6  Yes         /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff7ddaae0  0x00007ffff7df54e0  Yes         /lib64/ld-linux-x86-64.so.2
*
* Memory map 
*
Symbols from "/home/jodicun/opt/mozjpeg-2.1/.libs/lt-cjpeg".
Local core dump file:
    `/home/jodicun/opt/mozjpeg-2.1/out20141228/cores/./core-lt-cjpeg17081-1419862822', file type elf64-x86-64.
    0x0000000000400000 - 0x0000000000401000 is load1a
    0x0000000000401000 - 0x0000000000401000 is load1b
    0x0000000000619000 - 0x000000000061a000 is load2
    0x000000000061a000 - 0x000000000061b000 is load3
    0x000000000061b000 - 0x0000000000691000 is load4
    0x00007ffff73a1000 - 0x00007ffff73a2000 is load5a
    0x00007ffff73a2000 - 0x00007ffff73a2000 is load5b
    0x00007ffff74a6000 - 0x00007ffff74a6000 is load6
    0x00007ffff76a5000 - 0x00007ffff76a6000 is load7
    0x00007ffff76a6000 - 0x00007ffff76a7000 is load8
    0x00007ffff76a7000 - 0x00007ffff76a8000 is load9a
    0x00007ffff76a8000 - 0x00007ffff76a8000 is load9b
    0x00007ffff7862000 - 0x00007ffff7862000 is load10
    0x00007ffff7a62000 - 0x00007ffff7a66000 is load11
    0x00007ffff7a66000 - 0x00007ffff7a68000 is load12
    0x00007ffff7a68000 - 0x00007ffff7a6d000 is load13
    0x00007ffff7a6d000 - 0x00007ffff7a6e000 is load14a
    0x00007ffff7a6e000 - 0x00007ffff7a6e000 is load14b
    0x00007ffff7bd8000 - 0x00007ffff7bd8000 is load15
    0x00007ffff7dd8000 - 0x00007ffff7dd9000 is load16
    0x00007ffff7dd9000 - 0x00007ffff7dda000 is load17
    0x00007ffff7dda000 - 0x00007ffff7ddb000 is load18a
    0x00007ffff7ddb000 - 0x00007ffff7ddb000 is load18b
    0x00007ffff7f7f000 - 0x00007ffff7fec000 is load19
    0x00007ffff7ff7000 - 0x00007ffff7ffa000 is load20
    0x00007ffff7ffa000 - 0x00007ffff7ffc000 is load21
    0x00007ffff7ffc000 - 0x00007ffff7ffd000 is load22
    0x00007ffff7ffd000 - 0x00007ffff7ffe000 is load23
    0x00007ffff7ffe000 - 0x00007ffff7fff000 is load24
    0x00007ffffffdd000 - 0x00007ffffffff000 is load25
    0xffffffffff600000 - 0xffffffffff601000 is load26
Local exec file:
    `/home/jodicun/opt/mozjpeg-2.1/.libs/lt-cjpeg', file type elf64-x86-64.
    Entry point: 0x402d74
    0x0000000000400238 - 0x0000000000400254 is .interp
    0x0000000000400254 - 0x0000000000400274 is .note.ABI-tag
    0x0000000000400274 - 0x0000000000400298 is .note.gnu.build-id
    0x0000000000400298 - 0x00000000004002d4 is .gnu.hash
    0x00000000004002d8 - 0x0000000000400890 is .dynsym
    0x0000000000400890 - 0x0000000000400c7e is .dynstr
    0x0000000000400c7e - 0x0000000000400cf8 is .gnu.version
    0x0000000000400cf8 - 0x0000000000400d98 is .gnu.version_r
    0x0000000000400d98 - 0x0000000000400df8 is .rela.dyn
    0x0000000000400df8 - 0x00000000004012c0 is .rela.plt
    0x00000000004012c0 - 0x00000000004012da is .init
    0x00000000004012e0 - 0x0000000000401620 is .plt
    0x0000000000401620 - 0x0000000000416b72 is .text
    0x0000000000416b74 - 0x0000000000416b7d is .fini
    0x0000000000416b80 - 0x0000000000418340 is .rodata
    0x0000000000418340 - 0x00000000004184e4 is .eh_frame_hdr
    0x00000000004184e8 - 0x0000000000418fec is .eh_frame
    0x0000000000619df0 - 0x0000000000619df8 is .init_array
    0x0000000000619df8 - 0x0000000000619e00 is .fini_array
    0x0000000000619e00 - 0x0000000000619e08 is .jcr
    0x0000000000619e08 - 0x0000000000619ff8 is .dynamic
    0x0000000000619ff8 - 0x000000000061a000 is .got
    0x000000000061a000 - 0x000000000061a1b0 is .got.plt
    0x000000000061a1b0 - 0x000000000061a1d0 is .data
    0x000000000061a1d0 - 0x000000000061a348 is .bss
    0x00007ffff7a6d1c8 - 0x00007ffff7a6d1ec is .note.gnu.build-id in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a6d1f0 - 0x00007ffff7a6d608 is .gnu.hash in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a6d608 - 0x00007ffff7a6e508 is .dynsym in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a6e508 - 0x00007ffff7a6efc8 is .dynstr in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a6efc8 - 0x00007ffff7a6f108 is .gnu.version in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a6f108 - 0x00007ffff7a6f15c is .gnu.version_d in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a6f160 - 0x00007ffff7a6f1e0 is .gnu.version_r in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a6f1e0 - 0x00007ffff7a70230 is .rela.dyn in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a70230 - 0x00007ffff7a70a70 is .rela.plt in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a70a70 - 0x00007ffff7a70a8a is .init in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a70a90 - 0x00007ffff7a71020 is .plt in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7a71020 - 0x00007ffff7baeb90 is .text in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7baeb90 - 0x00007ffff7baeb99 is .fini in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7baeba0 - 0x00007ffff7bd1f90 is .rodata in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7bd1f90 - 0x00007ffff7bd2b0c is .eh_frame_hdr in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7bd2b10 - 0x00007ffff7bd7b54 is .eh_frame in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd8878 - 0x00007ffff7dd8880 is .init_array in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd8880 - 0x00007ffff7dd8888 is .fini_array in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd8888 - 0x00007ffff7dd8890 is .jcr in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd88a0 - 0x00007ffff7dd8ca0 is .data.rel.ro in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd8ca0 - 0x00007ffff7dd8ea0 is .dynamic in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd8ea0 - 0x00007ffff7dd9000 is .got in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd9000 - 0x00007ffff7dd92d8 is .got.plt in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd92d8 - 0x00007ffff7dd92e0 is .data in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff7dd92e0 - 0x00007ffff7dd9910 is .bss in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
    0x00007ffff76a7270 - 0x00007ffff76a7294 is .note.gnu.build-id in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76a7294 - 0x00007ffff76a72b4 is .note.ABI-tag in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76a72b8 - 0x00007ffff76aad24 is .gnu.hash in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76aad28 - 0x00007ffff76b7d78 is .dynsym in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76b7d78 - 0x00007ffff76bd64e is .dynstr in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76bd64e - 0x00007ffff76be7aa is .gnu.version in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76be7b0 - 0x00007ffff76beadc is .gnu.version_d in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76beae0 - 0x00007ffff76beb10 is .gnu.version_r in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76beb10 - 0x00007ffff76c62b0 is .rela.dyn in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76c62b0 - 0x00007ffff76c63d0 is .rela.plt in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76c63d0 - 0x00007ffff76c64a0 is .plt in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff76c64a0 - 0x00007ffff780c003 is .text in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff780c010 - 0x00007ffff780da0d is __libc_freeres_fn in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff780da10 - 0x00007ffff780dc92 is __libc_thread_freeres_fn in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff780dca0 - 0x00007ffff782f9b0 is .rodata in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff782f9b0 - 0x00007ffff782f9cc is .interp in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff782f9cc - 0x00007ffff78360d0 is .eh_frame_hdr in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff78360d0 - 0x00007ffff785e424 is .eh_frame in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff785e424 - 0x00007ffff785e7ed is .gcc_except_table in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff785e7f0 - 0x00007ffff7861a94 is .hash in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a62740 - 0x00007ffff7a62750 is .tdata in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a62750 - 0x00007ffff7a627f0 is .tbss in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a62750 - 0x00007ffff7a62760 is .init_array in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a62760 - 0x00007ffff7a62850 is __libc_subfreeres in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a62850 - 0x00007ffff7a62858 is __libc_atexit in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a62858 - 0x00007ffff7a62878 is __libc_thread_subfreeres in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a62880 - 0x00007ffff7a65ba0 is .data.rel.ro in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a65ba0 - 0x00007ffff7a65d80 is .dynamic in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a65d80 - 0x00007ffff7a65ff8 is .got in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a66000 - 0x00007ffff7a66078 is .got.plt in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a66080 - 0x00007ffff7a678a0 is .data in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff7a678a0 - 0x00007ffff7a6c2c0 is .bss in /lib/x86_64-linux-gnu/libc.so.6
    0x00007ffff73a1238 - 0x00007ffff73a125c is .note.gnu.build-id in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a125c - 0x00007ffff73a127c is .note.ABI-tag in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a1280 - 0x00007ffff73a274c is .gnu.hash in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a2750 - 0x00007ffff73a4f10 is .dynsym in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a4f10 - 0x00007ffff73a5be4 is .dynstr in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a5be4 - 0x00007ffff73a5f34 is .gnu.version in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a5f38 - 0x00007ffff73a5fdc is .gnu.version_d in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a5fe0 - 0x00007ffff73a6010 is .gnu.version_r in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a6010 - 0x00007ffff73a6130 is .rela.dyn in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a6130 - 0x00007ffff73a6400 is .rela.plt in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a6400 - 0x00007ffff73a641a is .init in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a6420 - 0x00007ffff73a6610 is .plt in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff73a6610 - 0x00007ffff74151b6 is .text in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff74151b8 - 0x00007ffff74151c1 is .fini in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff74151e0 - 0x00007ffff749d064 is .rodata in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff749d070 - 0x00007ffff749d08c is .interp in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff749d08c - 0x00007ffff749e2f8 is .eh_frame_hdr in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff749e2f8 - 0x00007ffff74a409c is .eh_frame in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff74a40a0 - 0x00007ffff74a542c is .hash in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff76a5d90 - 0x00007ffff76a5d98 is .init_array in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff76a5d98 - 0x00007ffff76a5da0 is .fini_array in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff76a5da0 - 0x00007ffff76a5da8 is .jcr in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff76a5da8 - 0x00007ffff76a5fb8 is .dynamic in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff76a5fb8 - 0x00007ffff76a6000 is .got in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff76a6000 - 0x00007ffff76a6108 is .got.plt in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff76a6108 - 0x00007ffff76a611c is .data in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff76a6120 - 0x00007ffff76a6168 is .bss in /lib/x86_64-linux-gnu/libm.so.6
    0x00007ffff7dda1c8 - 0x00007ffff7dda1ec is .note.gnu.build-id in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7dda1f0 - 0x00007ffff7dda2ac is .hash in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7dda2b0 - 0x00007ffff7dda38c is .gnu.hash in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7dda390 - 0x00007ffff7dda630 is .dynsym in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7dda630 - 0x00007ffff7dda7c4 is .dynstr in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7dda7c4 - 0x00007ffff7dda7fc is .gnu.version in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7dda800 - 0x00007ffff7dda8a4 is .gnu.version_d in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7dda8a8 - 0x00007ffff7dda9e0 is .rela.dyn in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7dda9e0 - 0x00007ffff7ddaa70 is .rela.plt in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7ddaa70 - 0x00007ffff7ddaae0 is .plt in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7ddaae0 - 0x00007ffff7df54e0 is .text in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7df54e0 - 0x00007ffff7df97e0 is .rodata in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7df97e0 - 0x00007ffff7df9e1c is .eh_frame_hdr in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7df9e20 - 0x00007ffff7dfc178 is .eh_frame in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7ffcc00 - 0x00007ffff7ffce6c is .data.rel.ro in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7ffce70 - 0x00007ffff7ffcfe0 is .dynamic in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7ffcfe0 - 0x00007ffff7ffcff8 is .got in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7ffd000 - 0x00007ffff7ffd048 is .got.plt in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7ffd060 - 0x00007ffff7ffdfe4 is .data in /lib64/ld-linux-x86-64.so.2
    0x00007ffff7ffe000 - 0x00007ffff7ffe1c8 is .bss in /lib64/ld-linux-x86-64.so.2
*
* Registers 
*
rax            0xe4adb  936667
rbx            0x6207d3 6424531
rcx            0x46 70
rdx            0x76 118
rsi            0xe4adb  936667
rdi            0x61c420 6407200
rbp            0x7fffffffcd30   0x7fffffffcd30
rsp            0x7fffffffcc10   0x7fffffffcc10
r8             0x7ffff7fe9740   140737354045248
r9             0x61e330 6415152
r10            0x85 133
r11            0x0  0
r12            0x61c420 6407200
r13            0x61c930 6408496
r14            0x6207d0 6424528
r15            0x6255f1 6444529
rip            0x40e2d6 0x40e2d6 <get_text_rgb_row+142>
eflags         0x10206  [ PF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
*
* Current instructions 
*
=> 0x40e2d6 <get_text_rgb_row+142>: movzbl 0x0(%r13,%rsi,1),%edi
   0x40e2dc <get_text_rgb_row+148>: mov    %r12,%rsi
   0x40e2df <get_text_rgb_row+151>: mov    %dil,(%r14)
   0x40e2e2 <get_text_rgb_row+154>: mov    %rbp,%rdi
   0x40e2e5 <get_text_rgb_row+157>: callq  0x40cb00 <read_pbm_integer>
   0x40e2ea <get_text_rgb_row+162>: mov    %eax,%r8d
   0x40e2ed <get_text_rgb_row+165>: mov    %r12,%rsi
   0x40e2f0 <get_text_rgb_row+168>: mov    %rbp,%rdi
   0x40e2f3 <get_text_rgb_row+171>: movzbl 0x0(%r13,%r8,1),%r9d
   0x40e2f9 <get_text_rgb_row+177>: mov    %r9b,0x1(%r14)
   0x40e2fd <get_text_rgb_row+181>: callq  0x40cb00 <read_pbm_integer>
   0x40e302 <get_text_rgb_row+186>: mov    %eax,%r10d
   0x40e305 <get_text_rgb_row+189>: cmp    %rbx,%r15
   0x40e308 <get_text_rgb_row+192>: mov    0x8(%rsp),%rax
   0x40e30d <get_text_rgb_row+197>: movzbl 0x0(%r13,%r10,1),%r11d
   0x40e313 <get_text_rgb_row+203>: mov    %r11b,-0x1(%rbx)
*
* Threads (full) 
*
  Id   Target Id         Frame 
* 1    LWP 17081         0x000000000040e2d6 in get_text_rgb_row (cinfo=0x7fffffffcd30, sinfo=<optimized out>) at rdppm.c:171
#0  0x000000000040e2d6 in get_text_rgb_row (cinfo=0x7fffffffcd30, sinfo=<optimized out>) at rdppm.c:171
#1  0x000000000040240e in main (argc=<optimized out>, argv=<optimized out>) at cjpeg.c:741
#2  0x00007ffff76c8ec5 in __libc_start_main (main=0x401620 <main>, argc=6, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at libc-start.c:287
#3  0x0000000000402d9d in _start ()

Thread 1 (LWP 17081):
#0  0x000000000040e2d6 in get_text_rgb_row (cinfo=0x7fffffffcd30, sinfo=<optimized out>) at rdppm.c:171
        source = <optimized out>
        infile = 0x61c420
        ptr = 0x6207d1 ""
        rescale = 0x61c930 ""
        col = <optimized out>
#1  0x000000000040240e in main (argc=<optimized out>, argv=<optimized out>) at cjpeg.c:741
        cinfo = {err = 0x7fffffffcc80, mem = 0x61b010, progress = 0x0, client_data = 0x0, is_decompressor = 0, global_state = 101, dest = 0x61ba40, image_width = 6667, image_height = 6, input_components = 3, in_color_space = JCS_RGB, input_gamma = 1, data_precision = 8, num_components = 3, jpeg_color_space = JCS_YCbCr, comp_info = 0x61b0e0, quant_tbl_ptrs = {0x61b4a0, 0x61b530, 0x0, 0x0}, dc_huff_tbl_ptrs = {0x61b5c0, 0x61b800, 0x0, 0x0}, ac_huff_tbl_ptrs = {0x61b6e0, 0x61b920, 0x0, 0x0}, arith_dc_L = '\000' <repeats 15 times>, arith_dc_U = '\001' <repeats 16 times>, arith_ac_K = '\005' <repeats 16 times>, num_scans = 64, scan_info = 0x61bb10, raw_data_in = 0, arith_code = 0, optimize_coding = 1, CCIR601_sampling = 0, smoothing_factor = 0, dct_method = JDCT_ISLOW, use_moz_defaults = 1, optimize_scans = 1, one_dc_scan = 1, trellis_quant = 1, trellis_eob_opt = 0, use_flat_quant_tbl = 0, use_lambda_weight_tbl = 1, use_scans_in_trellis = 0, trellis_passes = 1, trellis_q_opt = 0, norm_src = {{0 <repeats 64 times>}, {0 <repeats 64 times>}, {0 <repeats 64 times>}, {0 <repeats 64 times>}}, norm_coef = {{0 <repeats 64 times>}, {0 <repeats 64 times>}, {0 <repeats 64 times>}, {0 <repeats 64 times>}}, trellis_freq_split = 8, trellis_num_loops = 1, num_scans_luma = 23, num_scans_luma_dc = 1, num_scans_chroma_dc = 3, num_frequency_splits = 5, Al_max_luma = 3, Al_max_chroma = 2, lambda_log_scale1 = 16, lambda_log_scale2 = 15.5, restart_interval = 0, restart_in_rows = 0, write_JFIF_header = 1, JFIF_major_version = 1 '\001', JFIF_minor_version = 1 '\001', density_unit = 0 '\000', X_density = 1, Y_density = 1, write_Adobe_marker = 0, next_scanline = 0, progressive_mode = 1, max_h_samp_factor = 2, max_v_samp_factor = 2, total_iMCU_rows = 1, comps_in_scan = 1, cur_comp_info = {0x61b0e0, 0x0, 0x0, 0x0}, MCUs_per_row = 834, MCU_rows_in_scan = 1, blocks_in_MCU = 1, MCU_membership = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, Ss = 1, Se = 63, Ah = 0, Al = 0, master = 0x61dbd0, main = 0x61e800, prep = 0x61e0c0, coef = 0x61e330, marker = 0x61e970, cconvert = 0x61e030, downsample = 0x61e050, fdct = 0x61e160, entropy = 0x61e270, script_space = 0x61bb10, script_space_size = 64}
        jerr = {error_exit = 0x7ffff7b6b3e0 <error_exit>, emit_message = 0x7ffff7b6ac00 <emit_message>, output_message = 0x7ffff7b6b2c0 <output_message>, format_message = 0x7ffff7b6ae40 <format_message>, reset_error_mgr = 0x7ffff7b6adf0 <reset_error_mgr>, msg_code = 0, msg_parm = {i = {6667, 6, 0, 0, 0, 0, 0, 0}, s = "\v\032\000\000\006", '\000' <repeats 74 times>}, trace_level = 0, num_warnings = 0, jpeg_message_table = 0x7ffff7dd88a0 <jpeg_std_message_table>, last_jpeg_message = 126, addon_message_table = 0x417d00 <cdjpeg_message_table>, first_addon_message = 1000, last_addon_message = 1044}
        file_index = <optimized out>
        input_file = 0x61c420
        output_file = 0x61c660
        outbuffer = 0x0
        outsize = 0
        num_scanlines = <optimized out>
#2  0x00007ffff76c8ec5 in __libc_start_main (main=0x401620 <main>, argc=6, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at libc-start.c:287
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 1709954866805970842, 4205940, 140737488347280, 0, 0, -1709954865726515302, -1709938229730240614}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x416b00 <__libc_csu_init>, 0x7fffffffe098}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4287232}}}
        not_first_call = <optimized out>
#3  0x0000000000402d9d in _start ()
No symbol table info available.
*
* Threads (basic) 
*
  Id   Target Id         Frame 
* 1    LWP 17081         0x000000000040e2d6 in get_text_rgb_row (cinfo=0x7fffffffcd30, sinfo=<optimized out>) at rdppm.c:171

Thread 1 (LWP 17081):
#0  0x000000000040e2d6 in get_text_rgb_row (cinfo=0x7fffffffcd30, sinfo=<optimized out>) at rdppm.c:171
#1  0x000000000040240e in main (argc=<optimized out>, argv=<optimized out>) at cjpeg.c:741
#2  0x00007ffff76c8ec5 in __libc_start_main (main=0x401620 <main>, argc=6, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at libc-start.c:287
#3  0x0000000000402d9d in _start ()
*
* Done 
*

System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

Found with the fuzzer American Fuzzy Lop ( http://lcamtuf.coredump.cx/afl/ )

@bdaehlie bdaehlie added this to the v3.0 milestone Dec 29, 2014
@fbossen fbossen was assigned by bdaehlie Dec 29, 2014
@pornel
Member
pornel commented Dec 29, 2014

Uploaded the JPEG: 11f6acf7

@fbossen
Contributor
fbossen commented Dec 29, 2014

I am getting a "Premature end of input file" error with the given input (using OS X 10.10.1).
@pornel Can you confirm that the md5 checksum of the input file is 0d43b67c0063b13bc24ac937a0ff7b3a ?

@jodiecunningham
Contributor

Confirmed md5 sum from my end.

$ md5sum mozjpeg/11f6acf7 
0d43b67c0063b13bc24ac937a0ff7b3a  mozjpeg/11f6acf7
$ md5sum a2d91ef8-8f6f-11e4-8bc6-722bf41c3f73.jpg 
0d43b67c0063b13bc24ac937a0ff7b3a  a2d91ef8-8f6f-11e4-8bc6-722bf41c3f73.jpg

I wouldn't be surprised to see it exit gracefully on OSX, Windows, Solaris or FreeBSD. Sometimes I run into issues that are compiler or library specific.

@fbossen fbossen added a commit that closed this issue Dec 29, 2014
@fbossen fbossen Check range of integer values in PPM text file
Add checks in PPM text file reading to make sure values are within the
specified range.
Fixes #141
5ba6c7e
@fbossen fbossen closed this in 5ba6c7e Dec 29, 2014
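Added illustration (my own code, not mozjpeg's rdppm.c or the fix commit): a small in-memory reader for text PPM (P3) data that mirrors the faulting statement in the trace above, `*ptr++ = rescale[read_pbm_integer(cinfo, infile)];`, where a value parsed straight from the file is used as a table index. In this example the rescale table has maxval+1 entries (the natural size for a maxval lookup table), so any sample larger than maxval would index past its end; read_text_rgb_row rejects such a sample before the lookup, which is the range check the fix commit message describes. The type and helper names (ppm_reader, build_rescale, decode_first_row, max_overshoot) and the two inline PPM strings are constructed for this example; read_pbm_integer is my own implementation, not libjpeg's.

```c
/* Added example (not mozjpeg/libjpeg code): minimal text-PPM reader showing
 * the out-of-range index behind the rdppm.c:171 fault and the check that
 * prevents it. All names below are invented for this example. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

#define MAXVAL_LIMIT 65535          /* largest maxval the PPM format allows */

enum { PPM_OK = 0, PPM_TRUNCATED = -1, PPM_OUT_OF_RANGE = -2 };

typedef struct {
    const char *p;                  /* read cursor into the in-memory file */
    const char *end;
    unsigned width, height, maxval;
} ppm_reader;

/* Skip whitespace and '#' comments, then parse one unsigned decimal integer.
 * Returns -1 at end of data or when no digit follows. The value saturates
 * far above any legal maxval instead of overflowing. */
static long read_pbm_integer(ppm_reader *r)
{
    for (;;) {
        while (r->p < r->end && isspace((unsigned char)*r->p)) r->p++;
        if (r->p < r->end && *r->p == '#') {
            while (r->p < r->end && *r->p != '\n') r->p++;
            continue;
        }
        break;
    }
    if (r->p >= r->end || !isdigit((unsigned char)*r->p)) return -1;
    long v = 0;
    while (r->p < r->end && isdigit((unsigned char)*r->p)) {
        if (v <= 100000000L) v = v * 10 + (*r->p - '0');  /* saturate */
        r->p++;
    }
    return v;
}

/* Parse "P3 <width> <height> <maxval>". Returns 0 on success. */
static int ppm_parse_header(ppm_reader *r, const char *data, size_t len)
{
    r->p = data;
    r->end = data + len;
    if (len < 2 || data[0] != 'P' || data[1] != '3') return -1;
    r->p += 2;
    long w = read_pbm_integer(r), h = read_pbm_integer(r), m = read_pbm_integer(r);
    if (w <= 0 || h <= 0 || m <= 0 || m > MAXVAL_LIMIT) return -1;
    r->width = (unsigned)w; r->height = (unsigned)h; r->maxval = (unsigned)m;
    return 0;
}

/* Build the maxval+1 entry table mapping a sample to an 8-bit value. */
static unsigned char *build_rescale(unsigned maxval)
{
    unsigned char *t = malloc((size_t)maxval + 1);
    if (!t) return NULL;
    for (unsigned v = 0; v <= maxval; v++)
        t[v] = (unsigned char)((v * 255UL + maxval / 2) / maxval);
    return t;
}

/* Hardened shape of the loop at rdppm.c:171: every sample is compared with
 * maxval BEFORE it is used as an index into rescale. On failure *bad_sample
 * (if non-NULL) receives the offending sample's index within the row. */
static int read_text_rgb_row(ppm_reader *r, const unsigned char *rescale,
                             unsigned char *out, size_t *bad_sample)
{
    for (size_t i = 0; i < 3UL * r->width; i++) {
        long v = read_pbm_integer(r);
        if (v < 0) { if (bad_sample) *bad_sample = i; return PPM_TRUNCATED; }
        if ((unsigned long)v > r->maxval) {            /* the missing check */
            if (bad_sample) *bad_sample = i;
            return PPM_OUT_OF_RANGE;
        }
        out[i] = rescale[v];
    }
    return PPM_OK;
}

/* Decode the first row of an in-memory P3 file with the checked reader. */
static int decode_first_row(const char *data, size_t len, size_t *bad_sample)
{
    ppm_reader r;
    if (ppm_parse_header(&r, data, len) != 0) return PPM_TRUNCATED;
    unsigned char *rescale = build_rescale(r.maxval);
    unsigned char *row = malloc(3UL * r.width);
    int rc = PPM_TRUNCATED;
    if (rescale && row) rc = read_text_rgb_row(&r, rescale, row, bad_sample);
    free(rescale);
    free(row);
    return rc;
}

/* Triage helper: how far past the end of the rescale table an unchecked
 * lookup would reach for the worst sample in the file (0 = all in range,
 * -1 = header rejected). Computed without performing the lookup. */
static long max_overshoot(const char *data, size_t len)
{
    ppm_reader r;
    if (ppm_parse_header(&r, data, len) != 0) return -1;
    long worst = 0;
    for (long v; (v = read_pbm_integer(&r)) >= 0; )
        if (v > (long)r.maxval && v - (long)r.maxval > worst) worst = v - (long)r.maxval;
    return worst;
}

/* Constructed inputs: a well-formed 2x1 image, and one whose 4th sample
 * (70000) exceeds maxval 255. */
static const char GOOD_PPM[] = "P3\n# constructed\n2 1\n255\n255 0 0  0 128 255\n";
static const char BAD_PPM[]  = "P3\n2 1\n255\n255 0 0  70000 0 0\n";

int main(void)
{
    size_t bad = 0;
    int rc = decode_first_row(BAD_PPM, sizeof BAD_PPM - 1, &bad);
    printf("bad input: status %d at sample %zu, unchecked overshoot %ld\n",
           rc, bad, max_overshoot(BAD_PPM, sizeof BAD_PPM - 1));
    printf("good input: status %d\n",
           decode_first_row(GOOD_PPM, sizeof GOOD_PPM - 1, NULL));
    return 0;
}
```

Two points worth keeping in mind when reviewing a fix like the one referenced here: the check must compare against the maxval parsed from the same file (not a hard-coded 255, since 16-bit PPM samples are legal), and a truncated file must also produce a clean error rather than a read past the end of the data, which is what the "Premature end of input file" message in the OS X run above corresponds to.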
@pornel pornel referenced this issue in libjpeg-turbo/libjpeg-turbo Aug 7, 2015
Closed

Check range of integer values in PPM text file #8

@dcommander dcommander referenced this issue in pornel/libjpeg-turbo Aug 14, 2015
@fbossen @pornel fbossen + pornel Check range of integer values in PPM text file
Add checks in PPM text file reading to make sure values are within the
specified range.
a83a9fa
@dcommander dcommander added a commit to libjpeg-turbo/libjpeg-turbo that referenced this issue Aug 14, 2015
@fbossen @dcommander fbossen + dcommander Check range of integer values in PPM text file
Add checks to ensure values are within the specified range.

Fixes mozilla/mozjpeg#141, closes PR #8
8073808
@7er 7er pushed a commit to imazen/libjpeg-turbo that referenced this issue Sep 17, 2015
@fbossen @dcommander fbossen + dcommander Check range of integer values in PPM text file
Add checks to ensure values are within the specified range.

Fixes mozilla/mozjpeg#141, closes #8
f7e21f0
@nathanaeljones nathanaeljones pushed a commit to imazen/libjpegturbo that referenced this issue Oct 12, 2015
@fbossen @dcommander fbossen + dcommander Check range of integer values in PPM text file
Add checks to ensure values are within the specified range.

Fixes mozilla/mozjpeg#141, closes #8
6709e4a