NULL Pointer Dereference vulnerability in quantize_ord_dither function of mozjpeg #268

Open
@leonzhao7

Description

Command and argument

djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o [infile]

Crash Information

The output of djpeg with address sanitizer enabled

./djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o /root/fuzz/mozjpeg/output/moz-fuzz02/crashes/001-mozjpeg-quantize_ord_dither-536.crash 
Corrupt JPEG data: 94 extraneous bytes before marker 0xdd
ASAN:SIGSEGV
=================================================================
==51824==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fb8a48a9302 bp 0x7ffe5825e380 sp 0x7ffe5825db08 T0)
    #0 0x7fb8a48a9301  (/lib/x86_64-linux-gnu/libc.so.6+0x8f301)
    #1 0x7fb8a4fe7b1e in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cb1e)
    #2 0x7fb8a4cf3736 in jzero_far /root/mozjpeg/jutils.c:132
    #3 0x7fb8a4ce99f7 in quantize_ord_dither /root/mozjpeg/jquant1.c:536
    #4 0x7fb8a4cc2772 in post_process_1pass /root/mozjpeg/jdpostct.c:145
    #5 0x7fb8a4c91f0e in process_data_simple_main /root/mozjpeg/jdmainct.c:311
    #6 0x7fb8a4c6a16c in jpeg_read_scanlines /root/mozjpeg/jdapistd.c:282
    #7 0x404c89 in main /root/mozjpeg/djpeg.c:731
    #8 0x7fb8a483a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4018e8 in _start (/opt/asan/bin/djpeg+0x4018e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==51824==ABORTING

And the second POC file; I think they should be the same vulnerability.

./djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o /root/fuzz/mozjpeg/output/moz-fuzz02/crashes/002-mozjpeg-quantize_ord_dither-536.crash 
ASAN:SIGSEGV
=================================================================
==43339==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7c8450a9ea bp 0x7ffea3850b70 sp 0x7ffea3850b00 T0)
    #0 0x7f7c8450a9e9 in quantize_ord_dither /root/mozjpeg/jquant1.c:536
    #1 0x7f7c844e3772 in post_process_1pass /root/mozjpeg/jdpostct.c:145
    #2 0x7f7c844b2f0e in process_data_simple_main /root/mozjpeg/jdmainct.c:311
    #3 0x7f7c8448b16c in jpeg_read_scanlines /root/mozjpeg/jdapistd.c:282
    #4 0x7f7c8448b307 in read_and_discard_scanlines /root/mozjpeg/jdapistd.c:316
    #5 0x7f7c8448b4d1 in increment_simple_rowgroup_ctr /root/mozjpeg/jdapistd.c:342
    #6 0x7f7c8448c6d4 in jpeg_skip_scanlines /root/mozjpeg/jdapistd.c:504
    #7 0x404bff in main /root/mozjpeg/djpeg.c:729
    #8 0x7f7c8405b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4018e8 in _start (/opt/asan/bin/djpeg+0x4018e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/mozjpeg/jquant1.c:536 quantize_ord_dither
==43339==ABORTING

POC file

mozjpeg-quantize_ord_dither-crash.zip

CREDIT

Zhao Liang, Huawei Weiran Labs
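As an added triage example (not part of this issue or of mozjpeg), the script below parses the leading frames of the two sanitizer reports quoted above, classifies a SEGV at a near-null address as a NULL dereference, and buckets crashes by the first in-tree frame that is not a memset-style helper; that is what puts both reports, despite their different top frames, in one bucket at jquant1.c:536. The source root, the first-page threshold and the jzero_far helper list are assumptions, and the report text is embedded as constructed input.

```python
import re
from collections import defaultdict
# Constructed input: the leading frames of the two sanitizer reports quoted in this issue.
REPORT_1 = """\
==51824==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fb8a48a9302 bp 0x7ffe5825e380 sp 0x7ffe5825db08 T0)
    #0 0x7fb8a48a9301  (/lib/x86_64-linux-gnu/libc.so.6+0x8f301)
    #1 0x7fb8a4fe7b1e in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cb1e)
    #2 0x7fb8a4cf3736 in jzero_far /root/mozjpeg/jutils.c:132
    #3 0x7fb8a4ce99f7 in quantize_ord_dither /root/mozjpeg/jquant1.c:536
    #4 0x7fb8a4cc2772 in post_process_1pass /root/mozjpeg/jdpostct.c:145
"""
REPORT_2 = """\
==43339==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7c8450a9ea bp 0x7ffea3850b70 sp 0x7ffea3850b00 T0)
    #0 0x7f7c8450a9e9 in quantize_ord_dither /root/mozjpeg/jquant1.c:536
    #1 0x7f7c844e3772 in post_process_1pass /root/mozjpeg/jdpostct.c:145
    #2 0x7f7c844b2f0e in process_data_simple_main /root/mozjpeg/jdmainct.c:311
"""
ERROR_RE = re.compile(r"AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", re.M)  # symbolized frames only
SRC_ROOT = "/root/mozjpeg/"    # assumption: project tree as it appears in the traces
NULL_PAGE = 0x1000             # assumption: a fault inside the first page is NULL-derived
HELPERS = {"jzero_far"}        # assumption: memset-style wrappers are never the root frame

def parse_report(text):
    """Return (error kind, faulting address, [(func, file, line), ...])."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer report")
    frames = [(f, p, int(n)) for f, p, n in FRAME_RE.findall(text)]
    return m.group(1), int(m.group(2), 16), frames

def classify(kind, addr):
    return "null-deref" if kind == "SEGV" and addr < NULL_PAGE else kind.lower()

def bucket_key(frames):
    """First in-tree frame that is not a known helper: the likely root of the crash."""
    for func, path, line in frames:
        if path.startswith(SRC_ROOT) and func not in HELPERS:
            return (func, path[len(SRC_ROOT):], line)
    return None

def triage(reports):
    buckets = defaultdict(list)  # (crash class, root frame) -> report ids
    for rid, text in reports.items():
        kind, addr, frames = parse_report(text)
        buckets[(classify(kind, addr), bucket_key(frames))].append(rid)
    return dict(buckets)

DUPLICATES = triage({"001": REPORT_1, "002": REPORT_2})  # both ids land in one bucket
```

Frames without a symbolized file:line (the bare libc and libasan offsets) are ignored by FRAME_RE, so the memset frames never become a bucket key on their own.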
