bugzilla-daemon at freedesktop.org
2008-Sep-15 16:00 UTC
[Swfdec] [Bug 17589] New: dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589
Summary: dsjpeg Huffman table parser validation error.
Product: swfdec
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: medium
Component: library
AssignedTo: swfdec at lists.freedesktop.org
ReportedBy: jpihlaja at cc.helsinki.fi
QAContact: swfdec at lists.freedesktop.org
Created an attachment (id=18885)
--> (http://bugs.freedesktop.org/attachment.cgi?id=18885)
trigger a buffer overflow in the DHT marker handler.
dsjpeg can be tricked into overflowing its internal Huffman table arrays.
Valgrind says of the attached test case:
==31295== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==31295== Using valgrind-3.2.1-Debian, a dynamic binary instrumentation framework.
==31295== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==31295== For more details, rerun with: -v
==31295==
==31295== Invalid write of size 1
==31295== at 0x40382C: huffman_table_add (jpeg_huffman.c:48)
==31295== by 0x401B59: huffman_table_init_jpeg (jpeg.c:273)
==31295== by 0x402B8C: jpeg_decoder_define_huffman_tables (jpeg.c:751)
==31295== by 0x4028D9: jpeg_decoder_decode (jpeg.c:672)
==31295== by 0x403C24: jpeg_decode_argb (jpeg_rgb_decoder.c:58)
==31295== by 0x400DB0: main (load.c:46)
==31295== Address 0x537B434 is 12 bytes after a block of size 43,984 alloc'd
==31295== at 0x4A1B858: malloc (vg_replace_malloc.c:149)
==31295== by 0x40245F: jpeg_decoder_new (jpeg.c:535)
==31295== by 0x403C07: jpeg_decode_argb (jpeg_rgb_decoder.c:55)
==31295== by 0x400DB0: main (load.c:46)
==31295==
==31295== Invalid write of size 4
==31295== at 0x403844: huffman_table_add (jpeg_huffman.c:49)
==31295== by 0x401B59: huffman_table_init_jpeg (jpeg.c:273)
[snip]
When run without valgrind this test case causes glibc to abort on x86-64:
*** glibc detected *** free(): invalid pointer: 0x0000000000512f40 ***
error: decoder error: bad huffsize[] array
Aborted
On x86-32 the test causes dsjpeg to error out with a message "bad huffsize[] array" seemingly intact, but note that the bug isn't 64-bit specific.
--
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.
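The validation this report finds missing, as an added C example written for this page (it is not dsjpeg's parser and not the patch attached to this bug): in a JPEG DHT segment the sum of the 16 BITS counts is the number of HUFFVAL bytes that follow, so a parser must bound that sum (at most 256 per ITU-T T.81), check the Kraft inequality, and check the segment length before copying into a fixed-size table. Type and function names are illustrative; the two byte arrays are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DHT_MAX_SYMBOLS 256   /* a JPEG Huffman table holds at most 256 symbols */
typedef struct {
    uint8_t  table_class;              /* Tc: 0 = DC, 1 = AC */
    uint8_t  table_id;                 /* Th: 0..3 */
    uint8_t  bits[17];                 /* bits[i] = number of codes of length i, i = 1..16 */
    uint8_t  huffval[DHT_MAX_SYMBOLS]; /* fixed-size destination; writes are bounded below */
    uint16_t n_symbols;
} huff_table;

/* Parse one table from a DHT payload (the bytes after the 2-byte Lh).
 * Returns the number of bytes consumed, or 0 if the table is invalid. */
size_t dht_parse_table(const uint8_t *p, size_t len, huff_table *t)
{
    if (len < 17) return 0;                          /* Tc/Th byte + 16 BITS counts */
    uint8_t tc = p[0] >> 4, th = p[0] & 0x0f;
    if (tc > 1 || th > 3) return 0;                  /* two classes, four table ids */
    unsigned total = 0, kraft = 0;
    memset(t, 0, sizeof *t);
    for (int i = 1; i <= 16; i++) {
        t->bits[i] = p[i];
        total += p[i];
        kraft += (unsigned)p[i] << (16 - i);         /* sum of 2^(16-len) over all codes */
    }
    /* The sum of BITS is the file-controlled count of HUFFVAL bytes that
     * follow; unchecked it can reach 16*255 = 4080 and run past a 256-entry
     * table, which is the class of bug in this report. */
    if (total == 0 || total > DHT_MAX_SYMBOLS) return 0;
    if (kraft > (1u << 16)) return 0;                /* not a valid prefix code */
    if (len - 17 < total) return 0;                  /* symbols must fit in the segment */
    t->table_class = tc; t->table_id = th;
    t->n_symbols = (uint16_t)total;
    memcpy(t->huffval, p + 17, total);               /* bounded by the checks above */
    return 17 + total;
}

/* Constructed samples (not from the bug's attachment): the standard luminance
 * DC table, and a table whose BITS counts add up to 4080. */
static const uint8_t dht_ok[] = {
    0x00, 0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0,           /* Tc/Th, 16 counts (sum 12) */
    0,1,2,3,4,5,6,7,8,9,10,11 };                     /* 12 HUFFVAL symbols */
static const uint8_t dht_overflow[] = {
    0x00, 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255, 0 };

size_t parse_sample_ok(void)       { huff_table t; return dht_parse_table(dht_ok, sizeof dht_ok, &t); }
size_t parse_sample_overflow(void) { huff_table t; return dht_parse_table(dht_overflow, sizeof dht_overflow, &t); }
```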
bugzilla-daemon at freedesktop.org
2008-Sep-16 07:41 UTC
[Swfdec] [Bug 17589] dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589
Riccardo Magliocchetti <riccardo at datahost.it> changed:
What     |Removed |Added
----------------------------------------------------------------------------
Severity |normal  |critical
--- Comment #1 from Riccardo Magliocchetti <riccardo at datahost.it> 2008-09-16 00:41:56 PST ---
Adjusted the severity. I think the sooner we switch to ijg jpeg the better.
bugzilla-daemon at freedesktop.org
2008-Sep-21 16:20 UTC
[Swfdec] [Bug 17589] dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589
--- Comment #2 from Riccardo Magliocchetti <riccardo at datahost.it> 2008-09-21 09:20:35 PST ---
Created an attachment (id=19067)
--> (http://bugs.freedesktop.org/attachment.cgi?id=19067)
don't overflow huffmantable entries array
This fixes the issue for me, thanks Joonas for sharing the fun ;)
bugzilla-daemon at freedesktop.org
2008-Sep-21 17:28 UTC
[Swfdec] [Bug 17589] dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589
--- Comment #3 from Riccardo Magliocchetti <riccardo at datahost.it> 2008-09-21 10:28:57 PST ---
Created an attachment (id=19069)
--> (http://bugs.freedesktop.org/attachment.cgi?id=19069)
missing free for error_message
Noticed while testing the patch, the buffer used for reporting the error message was never freed.
bugzilla-daemon at freedesktop.org
2008-Sep-24 16:39 UTC
[Swfdec] [Bug 17589] dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589
Benjamin Otte <otte at gnome.org> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |        |FIXED
--- Comment #4 from Benjamin Otte <otte at gnome.org> 2008-09-24 09:39:48 PST ---
fixed in git master (and soon) 0.8