bugzilla-daemon at freedesktop.org
2008-Sep-15 16:00 UTC
[Swfdec] [Bug 17589] New: dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589

           Summary: dsjpeg Huffman table parser validation error.
           Product: swfdec
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: library
        AssignedTo: swfdec at lists.freedesktop.org
        ReportedBy: jpihlaja at cc.helsinki.fi
         QAContact: swfdec at lists.freedesktop.org

Created an attachment (id=18885)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=18885)
trigger a buffer overflow in the DHT marker handler.

dsjpeg can be tricked into overflowing its internal Huffman table arrays.
Valgrind says of the attached test case:

==31295== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==31295== Using valgrind-3.2.1-Debian, a dynamic binary instrumentation framework.
==31295== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==31295== For more details, rerun with: -v
==31295==
==31295== Invalid write of size 1
==31295==    at 0x40382C: huffman_table_add (jpeg_huffman.c:48)
==31295==    by 0x401B59: huffman_table_init_jpeg (jpeg.c:273)
==31295==    by 0x402B8C: jpeg_decoder_define_huffman_tables (jpeg.c:751)
==31295==    by 0x4028D9: jpeg_decoder_decode (jpeg.c:672)
==31295==    by 0x403C24: jpeg_decode_argb (jpeg_rgb_decoder.c:58)
==31295==    by 0x400DB0: main (load.c:46)
==31295==  Address 0x537B434 is 12 bytes after a block of size 43,984 alloc'd
==31295==    at 0x4A1B858: malloc (vg_replace_malloc.c:149)
==31295==    by 0x40245F: jpeg_decoder_new (jpeg.c:535)
==31295==    by 0x403C07: jpeg_decode_argb (jpeg_rgb_decoder.c:55)
==31295==    by 0x400DB0: main (load.c:46)
==31295==
==31295== Invalid write of size 4
==31295==    at 0x403844: huffman_table_add (jpeg_huffman.c:49)
==31295==    by 0x401B59: huffman_table_init_jpeg (jpeg.c:273)
[snip]

When run without valgrind this test case causes glibc to abort on x86-64:

*** glibc detected *** free(): invalid pointer: 0x0000000000512f40 ***
error: decoder error: bad huffsize[] array
Aborted

On x86-32 the test causes dsjpeg to error out with a message "bad huffsize[]
array" seemingly intact, but note that the bug isn't 64 bit specific.

-- 
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.
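For reference, a DHT table parser that carries the bounds check this report describes as missing, written as an added example in C (it is not dsjpeg's or swfdec's code). The segment layout follows the JPEG spec (ITU T.81, B.2.4.2); the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not dsjpeg's code: parse one Huffman table from a DHT (0xFFC4)
 * segment payload. Layout per ITU T.81 B.2.4.2: a Tc/Th byte, 16 BITS counts
 * (codes of length 1..16), then sum(BITS) symbol values. */
#define MAX_HUFF_CODES 256

typedef struct {
    uint8_t  bits[17];               /* bits[i] = number of codes of length i (1..16) */
    uint8_t  values[MAX_HUFF_CODES]; /* symbol for each code, in code order */
    uint16_t n_codes;
} huff_table;

/* Returns bytes consumed from seg, or 0 if the table is malformed or oversized. */
size_t parse_dht_table(const uint8_t *seg, size_t len, huff_table *tbl)
{
    if (len < 17) return 0;                                  /* Tc/Th + 16 counts */
    if ((seg[0] >> 4) > 1 || (seg[0] & 0x0F) > 3) return 0;  /* class 0/1, id 0..3 */
    memset(tbl, 0, sizeof *tbl);
    size_t total = 0;
    for (int i = 1; i <= 16; i++) {
        tbl->bits[i] = seg[i];
        total += seg[i];
    }
    /* The check whose absence lets a crafted BITS list claim up to 16*255 codes and
     * overrun a fixed-size huffsize/values array: a JPEG table holds at most 256. */
    if (total == 0 || total > MAX_HUFF_CODES) return 0;
    if (len - 17 < total) return 0;                          /* symbols must be present */
    memcpy(tbl->values, seg + 17, total);
    tbl->n_codes = (uint16_t)total;
    return 17 + total;
}

/* Constructed sample: the spec's luminance DC table (12 codes) and a hostile table
 * whose BITS counts all read 0xFF. Returns 1 when the first parses and the second
 * is refused. */
int demo(void)
{
    static const uint8_t good[] = { 0x00, 0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0,
                                    0,1,2,3,4,5,6,7,8,9,10,11 };
    uint8_t bad[17 + 4080];
    memset(bad, 0xFF, sizeof bad);
    bad[0] = 0x10;                                           /* AC table, id 0 */
    huff_table t;
    if (parse_dht_table(good, sizeof good, &t) != sizeof good || t.n_codes != 12) return 0;
    if (parse_dht_table(bad, sizeof bad, &t) != 0) return 0;
    return 1;
}
```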
bugzilla-daemon at freedesktop.org
2008-Sep-16 07:41 UTC
[Swfdec] [Bug 17589] dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589

Riccardo Magliocchetti <riccardo at datahost.it> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |critical

--- Comment #1 from Riccardo Magliocchetti <riccardo at datahost.it>  2008-09-16 00:41:56 PST ---
Adjusted the severity. I think the faster we switch to ijg jpeg the better.
bugzilla-daemon at freedesktop.org
2008-Sep-21 16:20 UTC
[Swfdec] [Bug 17589] dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589

--- Comment #2 from Riccardo Magliocchetti <riccardo at datahost.it>  2008-09-21 09:20:35 PST ---
Created an attachment (id=19067)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=19067)
don't overflow huffmantable entries array

This fixes the issue for me, thanks Joonas for sharing the fun ;)
bugzilla-daemon at freedesktop.org
2008-Sep-21 17:28 UTC
[Swfdec] [Bug 17589] dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589

--- Comment #3 from Riccardo Magliocchetti <riccardo at datahost.it>  2008-09-21 10:28:57 PST ---
Created an attachment (id=19069)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=19069)
missing free for error_message

Noticed while testing the patch: the buffer used for reporting the error message
was never freed.
bugzilla-daemon at freedesktop.org
2008-Sep-24 16:39 UTC
[Swfdec] [Bug 17589] dsjpeg Huffman table parser validation error.
http://bugs.freedesktop.org/show_bug.cgi?id=17589

Benjamin Otte <otte at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Benjamin Otte <otte at gnome.org>  2008-09-24 09:39:48 PST ---
fixed in git master (and soon) 0.8