[Swfdec] [Bug 15528] jpeg decoder allocation size overflows
bugzilla-daemon at freedesktop.org
Mon Sep 15 08:36:38 PDT 2008
http://bugs.freedesktop.org/show_bug.cgi?id=15528
--- Comment #6 from M Joonas Pihlaja <jpihlaja at cc.helsinki.fi> 2008-09-15 08:36:38 PST ---
Created an attachment (id=18881)
--> (http://bugs.freedesktop.org/attachment.cgi?id=18881)
avoid size validation
Hi,
I had some fun this weekend while looking at dsjpeg more closely. The proposed
patch doesn't work 100% correctly, but does make crashing the decoder more
difficult. Checking for multiplication overflow when computing a*b should
either take the form of a test like (a*b)/b = a or explicitly checking the
sizes of a and b to avoid overflow. The attached test case will crash due to a
NULL pointer dereference (on 32-bit machines), or eventually due to an out of
bounds write (on 64-bit machines).
On a 64-bit machine, the result in gdb is reproduced below. (Valgrind takes way
too long as the case needs to trawl through a lot of memory before hitting the
segfaulting overwrite.)
Program received signal SIGSEGV, Segmentation fault.
0x00002b2c733b6000 in oil_test_new () from /usr/lib/liboil-0.3.so.0
(gdb) up
#1 0x0000000000404962 in get_argb_420 (dec=0x507030) at jpeg_rgb_decoder.c:279
279 oil_colorspace_argb(argbp, tmp, jfif_matrix, dec->width);
(gdb) p argb
No symbol "argb" in current context.
(gdb) p argbp
$1 = (uint32_t *) 0x2b2d9e48a010
(gdb) p tmp
$2 = (uint32_t *) 0x2b2cf39bf010
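The two overflow checks the comment describes, the (a*b)/b == a test and an explicit bound on the operands, applied to a width * height * bytes-per-pixel allocation. This is an added example written for this page; it is not the attached patch, the bug reporter's test case, or swfdec's own code. The function names, the 65535 dimension cap and the sample dimensions are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Variant 1: the "(a*b)/b == a" test from the bug comment.
 * Valid only for unsigned operands, where wraparound is well defined.
 * Returns 1 if a*b does not fit in size_t. */
int mul_overflows_div(size_t a, size_t b)
{
    size_t prod = a * b;            /* may have wrapped modulo SIZE_MAX+1 */
    return b != 0 && prod / b != a; /* division undoes a non-wrapped product */
}

/* Variant 2: bound the operands explicitly before multiplying:
 * a*b overflows iff a > SIZE_MAX / b. No wrapped value is ever computed. */
int mul_overflows_bound(size_t a, size_t b)
{
    return b != 0 && a > SIZE_MAX / b;
}

/* Naive size computation of the kind the bug describes: the product is done
 * in 32-bit arithmetic and silently wraps, so a huge image yields a small
 * allocation (or 0, and later a NULL pointer) while the decoder still writes
 * width*height*bpp bytes into it. */
uint32_t naive_size32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked buffer size for an image. Returns the byte count, or 0 if the
 * dimensions are invalid or the product would overflow. The 65535 cap is an
 * assumption for this example (JPEG frame headers carry 16-bit dimensions). */
size_t checked_image_size(uint32_t width, uint32_t height, size_t bpp)
{
    size_t pixels;
    if (width == 0 || height == 0 || width > 65535 || height > 65535)
        return 0;
    if (mul_overflows_bound((size_t)width, (size_t)height))
        return 0;
    pixels = (size_t)width * (size_t)height;
    if (mul_overflows_div(pixels, bpp))
        return 0;
    return pixels * bpp;
}

/* Allocate an image buffer, refusing rather than allocating a wrapped size. */
void *alloc_image(uint32_t width, uint32_t height, size_t bpp)
{
    size_t n = checked_image_size(width, height, bpp);
    if (n == 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed sample: 65535 x 65535 x 4 wraps in 32-bit arithmetic. */
    printf("naive 32-bit size:  %u\n", naive_size32(65535, 65535, 4));
    printf("checked size:       %zu (0 means rejected)\n",
           checked_image_size(65535, 65535, 4));
    printf("640x480x4 checked:  %zu\n", checked_image_size(640, 480, 4));
    return 0;
}
```

On a 64-bit host the checked size for 65535 x 65535 x 4 fits in size_t, so the allocation is accepted and only the naive 32-bit product wraps; on a 32-bit host the same input is rejected by the bound check before any allocation happens, which is the behaviour the comment asks the patch to guarantee.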