Hello,
I found some crashes using libFuzzer. Let's look at this code,
from trunk/Source/LibJPEG/jutils.c, function jdiv_round_up:
GLOBAL(long)
jdiv_round_up (long a, long b)
/* Compute a/b rounded up to next integer, ie, ceil(a/b) */
/* Assumes a >= 0, b > 0 */
{
return (a + b - 1L) / b;
}
The crash occurs when cinfo->block_size is passed as the second parameter, since it may equal zero.
Here is the stack trace:
==17==ERROR: AddressSanitizer: FPE on unknown address 0x0000009fe1eb (pc 0x0000009fe1eb bp 0x7fffffffc9a0 sp 0x7fffffffc918 T0)
#0 0x9fe1eb in jdiv_round_up (/transform_combined_jpeg_fuzzer+0x9fe1eb)
#1 0x9f49c4 in jpeg_core_output_dimensions (/transform_combined_jpeg_fuzzer+0x9f49c4)
#2 0x9fe6aa in jtransform_request_workspace (/transform_combined_jpeg_fuzzer+0x9fe6aa)
#3 0x9e1215 in JPEGTransformFromHandle(FreeImageIO*, void*, FreeImageIO*, void*, FREE_IMAGE_JPEG_OPERATION, int*, int*, int*, int*, int) /freeimage-svn/FreeImage/trunk/Source/FreeImageToolkit/JPEGTransform.cpp:268:8
#4 0x9df21b in FreeImage_JPEGTransformFromHandle /freeimage-svn/FreeImage/trunk/Source/FreeImageToolkit/JPEGTransform.cpp:371:9
#5 0x9e649f in FreeImage_JPEGTransformCombinedFromMemory /freeimage-svn/FreeImage/trunk/Source/FreeImageToolkit/JPEGTransform.cpp:621:9
#6 0x51e1b2 in LLVMFuzzerTestOneInput /transform_combined_jpeg_fuzzer.cc:36:5
#7 0x44ac11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#8 0x43522c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#9 0x43af9b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#10 0x463ce2 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7ffff7a750b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#12 0x42fb4d in _start (/transform_combined_jpeg_fuzzer+0x42fb4d)
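As an added illustration (not FreeImage or libjpeg code), here is a checked replacement for jdiv_round_up that rejects b <= 0 instead of faulting, avoids the intermediate overflow in a + b - 1, and a caller that validates a decoder-supplied block size before any division. The 1..16 range and the function names are assumptions for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Checked ceil(a/b): returns 0 and stores the result in *out, or -1 with
 * errno = EDOM when the preconditions a >= 0, b > 0 do not hold.
 * a/b + (a%b != 0) needs no intermediate sum, so it cannot overflow. */
int jdiv_round_up_checked(long a, long b, long *out)
{
    if (out == NULL || a < 0 || b <= 0) {
        errno = EDOM;
        return -1;
    }
    *out = a / b + (a % b != 0);
    return 0;
}

/* Validate an untrusted block size before it reaches any divisor.
 * The 1..16 limit is an assumption for this example; use whatever range
 * the real format guarantees. Out-of-range input is reported as corrupt
 * data (errno = EINVAL) rather than reaching the division. */
int output_blocks(long image_width, long block_size, long *blocks_out)
{
    if (block_size < 1 || block_size > 16) {
        errno = EINVAL;
        return -1;
    }
    return jdiv_round_up_checked(image_width, block_size, blocks_out);
}

int main(void)
{
    long r = 0;
    /* Constructed inputs: the fuzzer's block_size == 0 case, a normal case,
     * and a width near LONG_MAX that would overflow the original formula. */
    printf("block_size 0 -> %s\n", output_blocks(640, 0, &r) ? "rejected" : "ok");
    if (output_blocks(640, 8, &r) == 0)
        printf("640 / 8 -> %ld blocks\n", r);
    if (jdiv_round_up_checked(LONG_MAX, 8, &r) == 0)
        printf("ceil(LONG_MAX / 8) -> %ld\n", r);
    return 0;
}
```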
How to reproduce: