Bug 17589 - dsjpeg Huffman table parser validation error.
Summary: dsjpeg Huffman table parser validation error.
Status: RESOLVED FIXED
Alias: None
Product: swfdec
Classification: Unclassified
Component: library
Version: unspecified
Hardware: All All
: medium critical
Assignee: swfdec ml
QA Contact: swfdec ml
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-15 09:00 UTC by M Joonas Pihlaja
Modified: 2008-09-24 09:39 UTC (History)
0 users

See Also:

Attachments
trigger a buffer overflow in the DHT marker handler. (2.28 KB, image/jpeg)
2008-09-15 09:00 UTC, M Joonas Pihlaja
don't overflow huffmantable entries array (604 bytes, patch)
2008-09-21 09:20 UTC, Riccardo Magliocchetti
missing free for error_message (392 bytes, patch)
2008-09-21 10:28 UTC, Riccardo Magliocchetti

Description M Joonas Pihlaja 2008-09-15 09:00:06 UTC
Created attachment 18885 [details]
trigger a buffer overflow in the DHT marker handler.

dsjpeg can be tricked into overflowing its internal Huffman table arrays.  Valgrind says of the attached test case:

==31295== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==31295== Using valgrind-3.2.1-Debian, a dynamic binary instrumentation framework.
==31295== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==31295== For more details, rerun with: -v
==31295==
==31295== Invalid write of size 1
==31295==    at 0x40382C: huffman_table_add (jpeg_huffman.c:48)
==31295==    by 0x401B59: huffman_table_init_jpeg (jpeg.c:273)
==31295==    by 0x402B8C: jpeg_decoder_define_huffman_tables (jpeg.c:751)
==31295==    by 0x4028D9: jpeg_decoder_decode (jpeg.c:672)
==31295==    by 0x403C24: jpeg_decode_argb (jpeg_rgb_decoder.c:58)
==31295==    by 0x400DB0: main (load.c:46)
==31295==  Address 0x537B434 is 12 bytes after a block of size 43,984 alloc'd
==31295==    at 0x4A1B858: malloc (vg_replace_malloc.c:149)
==31295==    by 0x40245F: jpeg_decoder_new (jpeg.c:535)
==31295==    by 0x403C07: jpeg_decode_argb (jpeg_rgb_decoder.c:55)
==31295==    by 0x400DB0: main (load.c:46)
==31295==
==31295== Invalid write of size 4
==31295==    at 0x403844: huffman_table_add (jpeg_huffman.c:49)
==31295==    by 0x401B59: huffman_table_init_jpeg (jpeg.c:273)
[snip]

When run without valgrind this test case causes glibc to abort on x86-64:

*** glibc detected *** free(): invalid pointer: 0x0000000000512f40 ***
error: decoder error: bad huffsize[] arrayAborted

On x86-32 the test causes dsjpeg to error out with a message "bad huffsize[] array" seemingly intact, but note that the bug isn't 64 bit specific.
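As an illustration of the check the report is about, here is a small DHT segment parser in C that validates the table before filling fixed-size Huffman entry arrays. It is added here as an example and is not dsjpeg's code; the struct and function names (huff_table, huff_tables, parse_dht) and the sample segments are assumptions constructed for this example. The JPEG spec (ITU T.81 B.2.4.2) allows at most 256 codes per table, so the sum of the 16 BITS counts is checked against the array capacity, the HUFFVAL bytes must fit inside the segment, and the canonical code assignment rejects BITS arrays that ask for more codes of a given length than exist (the kind of malformed huffsize[] data the error message above refers to).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* T.81 B.2.4.2: at most 256 codes per table; the arrays are sized for
 * exactly that, so every DHT segment is checked before any entry is written. */
#define MAX_HUFF_CODES 256

/* Hypothetical table layout (not dsjpeg's). */
typedef struct {
    int      ncodes;
    uint8_t  size[MAX_HUFF_CODES];   /* code length of entry k, 1..16 */
    uint16_t code[MAX_HUFF_CODES];   /* canonical code of entry k */
    uint8_t  value[MAX_HUFF_CODES];  /* symbol decoded by entry k */
} huff_table;

typedef struct {
    huff_table dc[4];   /* Tc = 0, Th = 0..3 */
    huff_table ac[4];   /* Tc = 1, Th = 0..3 */
} huff_tables;

/* Parse a DHT segment body (the bytes after the 2-byte length; `len` is that
 * length minus 2). Returns 0 on success, -1 if malformed. A table is only
 * stored once it has passed every check. */
int parse_dht(huff_tables *t, const uint8_t *seg, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 17)                 /* Tc/Th byte + 16 BITS counts */
            return -1;
        uint8_t tcth = seg[pos++];
        int tc = tcth >> 4, th = tcth & 0x0f;
        if (tc > 1 || th > 3)               /* class/id must select a real table */
            return -1;
        const uint8_t *bits = seg + pos;
        pos += 16;

        unsigned total = 0;
        for (int i = 0; i < 16; i++)
            total += bits[i];
        if (total > MAX_HUFF_CODES)         /* would overflow the entry arrays */
            return -1;
        if (len - pos < total)              /* HUFFVAL must fit in the segment */
            return -1;

        /* Canonical code assignment (T.81 C.2) with an over-subscription check:
         * more than 2^l codes of length l is an inconsistent BITS array. */
        huff_table tmp;
        memset(&tmp, 0, sizeof tmp);
        unsigned code = 0;
        int k = 0;
        for (int l = 1; l <= 16; l++) {
            for (int n = 0; n < bits[l - 1]; n++) {
                if (code >= (1u << l))
                    return -1;
                tmp.size[k]  = (uint8_t)l;
                tmp.code[k]  = (uint16_t)code;
                tmp.value[k] = seg[pos + k];
                code++;
                k++;
            }
            code <<= 1;
        }
        tmp.ncodes = k;
        pos += total;
        *(tc ? &t->ac[th] : &t->dc[th]) = tmp;
    }
    return 0;
}

/* Constructed sample segments (not taken from the attached test case). */

/* Well-formed: the standard luminance DC table, 12 codes. */
static const uint8_t good_dht[] = {
    0x00,                                      /* Tc=0 (DC), Th=0 */
    0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0,
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
};

/* Hostile: BITS counts add up to 16 * 255 = 4080 codes; an unchecked parser
 * would write 4080 entries into a 256-entry array. */
static const uint8_t oversized_dht[] = {
    0x10,                                      /* Tc=1 (AC), Th=0 */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};

/* Inconsistent: three 1-bit codes cannot exist (only 0 and 1 are available). */
static const uint8_t oversubscribed_dht[] = {
    0x01,                                      /* Tc=0 (DC), Th=1 */
    3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 1, 2
};

int main(void)
{
    huff_tables t;
    memset(&t, 0, sizeof t);
    printf("good: %d\n", parse_dht(&t, good_dht, sizeof good_dht));
    printf("oversized: %d\n", parse_dht(&t, oversized_dht, sizeof oversized_dht));
    printf("oversubscribed: %d\n",
           parse_dht(&t, oversubscribed_dht, sizeof oversubscribed_dht));
    return 0;
}
```

The parser fills a local table and copies it into the decoder only after the whole table validated, so a rejected segment leaves the previously loaded tables untouched; the first two rejections happen before any entry is written at all, which is where the fixed-size array in the report needed its guard.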
Comment 1 Riccardo Magliocchetti 2008-09-16 00:41:56 UTC
Adjusted the severity. I think the faster we switch to ijg jpeg the better.
Comment 2 Riccardo Magliocchetti 2008-09-21 09:20:35 UTC
Created attachment 19067 [details] [review]
don't overflow huffmantable entries array

This fixes the issue for me, thanks Joonas for sharing the fun ;)
Comment 3 Riccardo Magliocchetti 2008-09-21 10:28:57 UTC
Created attachment 19069 [details] [review]
missing free for error_message

Noticed while testing the patch, the buffer used for reporting the error message was never freed.
Comment 4 Benjamin Otte 2008-09-24 09:39:48 UTC
fixed in git master (and soon) 0.8
