From: Gabriel R. <ga...@cs...> - 2020-06-02 18:31:56
Hi, I'm reaching out to report 4 integer overflow errors in libjpeg-9c. POC inputs along with directions to reproduce the errors are included in the attached zip. Directions for replicating and errors below.

Best,
Gabe

=========================================
We built the jpeg-9c library with -O0 -g -fsanitize=address,undefined -fno-omit-frame-pointer
Our environment is x86_64 Linux with Kernel version 4.15.0-66-generic. We use clang 7.0.0 to build.

-----------------------
Folder 1.
Command Line: djpeg id:003426,src:003255,op:flip1,pos:276,+cov.input.0
Error:
Corrupt JPEG data: 18 extraneous bytes before marker 0xda
../../src/jdarith.c:389:45: runtime error: left shift of negative value -1
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/jdarith.c:389:45 in

-----------------------
Folder 2.
Command Line: djpeg id:001480,src:000791,op:flip4,pos:295,+cov.input.0
Error:
Premature end of JPEG file
../../src/jdarith.c:308:53: runtime error: left shift of negative value -1
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/jdarith.c:308:53 in

-----------------------
Folder 3.
Command Line: djpeg djpeg_bug id:003755,src:003543,op:flip1,pos:251,+cov.input.0
Error:
Corrupt JPEG data: 10 extraneous bytes before marker 0xda
../../src/jdhuff.c:940:15: runtime error: left shift of negative value -1
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/jdhuff.c:940:15 in

-----------------------
POC 4.
Download from https://drive.google.com/file/d/1Xez2AWX-QI5Xj5VUp4EjerfHz1hTQPtD/view?usp=sharing
Command Line: djpeg output
Error:
P5
57188 32772
255
../../src/jdhuff.c:530:32: runtime error: left shift of 69288182312683848 by 8 places cannot be represented in type 'bit_buf_type' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/jdhuff.c:530:32 in
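The four UBSan findings in the report are two shift patterns in C: a left shift of a negative signed value (findings 1 to 3), and a left shift of a signed 64-bit accumulator that carries a set bit into the sign bit (finding 4). The following is an added example, not code from libjpeg or from this report, showing how each pattern is written with defined behaviour: shift the unsigned representation and convert back, and keep a bit buffer in an unsigned type behind an explicit capacity check. The function names (shl_signed32, shl_fits_i64, shl_fits_u64, bitbuf_push_byte, bitbuf_fill_count) are hypothetical; the value 69288182312683848 is the one quoted in the fourth finding and is used only to show that the signed check rejects it while the unsigned accumulator has room for it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not libjpeg code): defined-behaviour replacements for the two
   shift patterns UBSan flagged in the report. All names here are hypothetical. */

/* `v << n` is undefined in C when v is negative. Shifting the unsigned
   representation and converting back gives the two's-complement result on every
   mainstream compiler and is never undefined for n < 32. */
static int32_t shl_signed32(int32_t v, unsigned n)
{
    if (n >= 32)
        return 0;                       /* shift by >= width is also UB; refuse it */
    return (int32_t)((uint32_t)v << n);
}

/* True iff (v << n) is representable in a signed 64-bit type, i.e. no set bit
   would reach the sign bit. This is the check the 'long' accumulator in the
   report fails. */
static bool shl_fits_i64(int64_t v, unsigned n)
{
    if (v < 0 || n >= 63)
        return false;
    return ((uint64_t)v >> (63 - n)) == 0;
}

/* True iff (v << n) loses no bits in an unsigned 64-bit accumulator. */
static bool shl_fits_u64(uint64_t v, unsigned n)
{
    if (n >= 64)
        return false;
    return n == 0 || (v >> (64 - n)) == 0;
}

/* Bit-buffer refill with an unsigned accumulator and an explicit capacity
   check: the byte is refused instead of shifting bits off the top. */
static bool bitbuf_push_byte(uint64_t *acc, unsigned *nbits, uint8_t byte)
{
    if (*nbits + 8 > 64)
        return false;
    *acc = (*acc << 8) | byte;
    *nbits += 8;
    return true;
}

/* Pushes `count` bytes of 0xFF into a fresh buffer; returns how many were accepted. */
static unsigned bitbuf_fill_count(unsigned count)
{
    uint64_t acc = 0;
    unsigned nbits = 0, accepted = 0;
    for (unsigned i = 0; i < count; i++)
        if (bitbuf_push_byte(&acc, &nbits, 0xFF))
            accepted++;
    return accepted;
}

int main(void)
{
    printf("shl_signed32(-1, 1) = %d\n", shl_signed32(-1, 1));
    printf("69288182312683848 << 8 fits int64: %d, fits uint64: %d\n",
           shl_fits_i64(69288182312683848LL, 8),
           shl_fits_u64(69288182312683848ULL, 8));
    printf("bytes accepted out of 9: %u\n", bitbuf_fill_count(9));
    return 0;
}
```

The signed check rejects the reported value because bit 55 is set and an 8-place shift would land it on bit 63, the sign bit of a 64-bit long; the same value shifted in an unsigned accumulator is well defined, which is why moving bit buffers to an unsigned type is the usual remedy for this class of sanitizer report.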