tjunittest has stack-buffer-overflow #367

Closed
zodf0055980 opened this issue Aug 14, 2020 · 1 comment
Comments

zodf0055980 commented Aug 14, 2020

I tried tjunittest and tjunittest-static; both caused a core dump.

Grayscale Bottom-Up -> GRAY Q100 ... Done.
  Result in test_enc_Grayscale_BU_GRAY_Q100.jpg
JPEG -> Grayscale Bottom-Up 2/1 ... Passed.
JPEG -> Grayscale Bottom-Up 15/8 ... Passed.
JPEG -> Grayscale Bottom-Up 7/4 ... Passed.
JPEG -> Grayscale Bottom-Up 13/8 ... Passed.
JPEG -> Grayscale Bottom-Up 3/2 ... Passed.
JPEG -> Grayscale Bottom-Up 11/8 ... Passed.
JPEG -> Grayscale Bottom-Up 5/4 ... Passed.
JPEG -> Grayscale Bottom-Up 9/8 ... Passed.
JPEG -> Grayscale Bottom-Up ... Passed.
JPEG -> Grayscale Bottom-Up 7/8 ... Passed.
JPEG -> Grayscale Bottom-Up 3/4 ... Passed.
JPEG -> Grayscale Bottom-Up 5/8 ... Passed.
JPEG -> Grayscale Bottom-Up 1/2 ... Passed.
JPEG -> Grayscale Bottom-Up 3/8 ... Passed.
JPEG -> Grayscale Bottom-Up 1/4 ... Passed.
JPEG -> Grayscale Bottom-Up 1/8 ... Passed.

--------------------

[1]    18598 segmentation fault (core dumped)  ./tjunittest

Grayscale Bottom-Up -> GRAY Q100 ... Done.
  Result in test_enc_Grayscale_BU_GRAY_Q100.jpg
JPEG -> Grayscale Bottom-Up 2/1 ... Passed.
JPEG -> Grayscale Bottom-Up 15/8 ... Passed.
JPEG -> Grayscale Bottom-Up 7/4 ... Passed.
JPEG -> Grayscale Bottom-Up 13/8 ... Passed.
JPEG -> Grayscale Bottom-Up 3/2 ... Passed.
JPEG -> Grayscale Bottom-Up 11/8 ... Passed.
JPEG -> Grayscale Bottom-Up 5/4 ... Passed.
JPEG -> Grayscale Bottom-Up 9/8 ... Passed.
JPEG -> Grayscale Bottom-Up ... Passed.
JPEG -> Grayscale Bottom-Up 7/8 ... Passed.
JPEG -> Grayscale Bottom-Up 3/4 ... Passed.
JPEG -> Grayscale Bottom-Up 5/8 ... Passed.
JPEG -> Grayscale Bottom-Up 1/2 ... Passed.
JPEG -> Grayscale Bottom-Up 3/8 ... Passed.
JPEG -> Grayscale Bottom-Up 1/4 ... Passed.
JPEG -> Grayscale Bottom-Up 1/8 ... Passed.

--------------------

[1]    19243 segmentation fault (core dumped)  ./tjunittest-static

I also tried this in libjpeg-turbo, where it executes successfully.
I tried enabling AddressSanitizer; it reports a stack-buffer-overflow:

Grayscale Bottom-Up -> GRAY Q100 ... Done.
  Result in test_enc_Grayscale_BU_GRAY_Q100.jpg
JPEG -> Grayscale Bottom-Up 2/1 ... Passed.
JPEG -> Grayscale Bottom-Up 15/8 ... Passed.
JPEG -> Grayscale Bottom-Up 7/4 ... Passed.
JPEG -> Grayscale Bottom-Up 13/8 ... Passed.
JPEG -> Grayscale Bottom-Up 3/2 ... Passed.
JPEG -> Grayscale Bottom-Up 11/8 ... Passed.
JPEG -> Grayscale Bottom-Up 5/4 ... Passed.
JPEG -> Grayscale Bottom-Up 9/8 ... Passed.
JPEG -> Grayscale Bottom-Up ... Passed.
JPEG -> Grayscale Bottom-Up 7/8 ... Passed.
JPEG -> Grayscale Bottom-Up 3/4 ... Passed.
JPEG -> Grayscale Bottom-Up 5/8 ... Passed.
JPEG -> Grayscale Bottom-Up 1/2 ... Passed.
JPEG -> Grayscale Bottom-Up 3/8 ... Passed.
JPEG -> Grayscale Bottom-Up 1/4 ... Passed.
JPEG -> Grayscale Bottom-Up 1/8 ... Passed.

--------------------

=================================================================
==18645==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdcad0ffdf at pc 0x5620fe5c5669 bp 0x7ffdcad0f6f0 sp 0x7ffdcad0f6e0
READ of size 1 at 0x7ffdcad0ffdf thread T0
    #0 0x5620fe5c5668 in jpeg_gen_optimal_table /home/yuan/afl-target/mozjpeg/jchuff.c:1001
    #1 0x5620fe4950b4 in finish_pass_gather_phuff /home/yuan/afl-target/mozjpeg/jcphuff.c:1083
    #2 0x5620fe455e3d in finish_pass_master /home/yuan/afl-target/mozjpeg/jcmaster.c:824
    #3 0x5620fe41dc9d in jpeg_finish_compress /home/yuan/afl-target/mozjpeg/jcapimin.c:200
    #4 0x5620fe3918c5 in tjCompress2 /home/yuan/afl-target/mozjpeg/turbojpeg.c:691
    #5 0x5620fe37c0aa in compTest /home/yuan/afl-target/mozjpeg/tjunittest.c:403
    #6 0x5620fe38217b in doTest /home/yuan/afl-target/mozjpeg/tjunittest.c:537
    #7 0x5620fe3706d2 in main /home/yuan/afl-target/mozjpeg/tjunittest.c:916
    #8 0x7f201f492b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5620fe373e89 in _start (/home/yuan/afl-target/mozjpeg/build/tjunittest-static+0x14e89)

Address 0x7ffdcad0ffdf is located in stack of thread T0 at offset 2207 in frame
    #0 0x5620fe5c34cf in jpeg_gen_optimal_table /home/yuan/afl-target/mozjpeg/jchuff.c:892

  This frame has 3 object(s):
    [32, 1060) 'codesize'
    [1120, 2148) 'others'
    [2208, 2241) 'bits' <== Memory access at offset 2207 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/yuan/afl-target/mozjpeg/jchuff.c:1001 in jpeg_gen_optimal_table
==18645==ABORTING

I think it is an RGB Top-Down -> GRAY Q100 error.

@kornelski
Member

Possibly fixed in b3e7390

wesleywwf pushed a commit to wesleywwf/mozjpeg that referenced this issue Sep 27, 2021
(regression introduced by 5b177b3)

The SSE2 implementation of progressive Huffman encoding performed
extraneous iterations when the scan length was a multiple of 16.

Based on:
rouault/libjpeg-turbo@bb7f1ef

Fixes mozilla#335
Closes mozilla#367
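As an added illustration of the off-by-one the commit message describes (a hypothetical scalar model, not mozjpeg's or libjpeg-turbo's own code; the function names, the 16-lane loop shape and the sample scan are assumptions), this C program counts nonzero coefficients in 16-lane blocks with the buggy and the corrected block-count logic, and shows that the extra iteration over data past the scan's end occurs only when the length is a multiple of 16:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LANES 16      /* one SSE2 register: 16 byte lanes per iteration */
#define SCAN_LEN 64   /* constructed scan length, an exact multiple of LANES */

/* Hypothetical scalar model of a 16-lane "count nonzero coefficients" loop;
 * not mozjpeg's code. With fixed == 0 the block count is len/16 + 1 and a
 * zero remainder is treated as a full block, so a length that is a multiple
 * of 16 gets one extraneous iteration over data past the scan's end. With
 * fixed == 1 the block count is ceil(len/16) and the last block is exact. */
static int count_nonzero(const int16_t *coef, size_t len, int fixed, size_t *extra_lanes)
{
    size_t nblocks = fixed ? (len + LANES - 1) / LANES : len / LANES + 1;
    int nonzero = 0;
    *extra_lanes = 0;
    for (size_t b = 0; b < nblocks; b++) {
        size_t lanes = LANES;
        if (b == nblocks - 1) {                                  /* last block */
            lanes = fixed ? len - b * LANES                      /* exact remainder */
                          : (len % LANES ? len % LANES : LANES); /* buggy: 0 -> 16 */
        }
        for (size_t lane = 0; lane < lanes; lane++) {
            size_t i = b * LANES + lane;
            if (i >= len) (*extra_lanes)++;   /* a lane beyond the scan's end */
            if (coef[i] != 0) nonzero++;      /* the vector load reads it anyway */
        }
    }
    return nonzero;
}

/* Constructed input: 10 nonzero coefficients, zeros up to SCAN_LEN, then 16
 * stale nonzero values that sit just past the scan's logical end (kept inside
 * the backing array so the over-read stays defined in this model). */
static void build_scan(int16_t *buf)
{
    memset(buf, 0, (SCAN_LEN + LANES) * sizeof(*buf));
    for (size_t i = 0; i < 10; i++) buf[i] = 1;
    for (size_t i = SCAN_LEN; i < SCAN_LEN + LANES; i++) buf[i] = 7;
}

/* Run the model on the first `len` coefficients of the constructed buffer. */
static int run_model(size_t len, int fixed, size_t *extra_lanes)
{
    int16_t buf[SCAN_LEN + LANES];
    build_scan(buf);
    return count_nonzero(buf, len, fixed, extra_lanes);
}
```

With a length of 64 the buggy path touches 16 lanes past the end and reports 26 nonzero coefficients instead of 10; with 63 both paths agree, which is why the regression only shows up for scans whose length is a multiple of 16. In the real encoder such an over-read feeds wrong symbol statistics into the Huffman table generation, which is where ASan caught the report above.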