[Swfdec] [Bug 17589] New: dsjpeg Huffman table parser validation error.

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Sep 15 09:00:07 PDT 2008


http://bugs.freedesktop.org/show_bug.cgi?id=17589

           Summary: dsjpeg Huffman table parser validation error.
           Product: swfdec
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: library
        AssignedTo: swfdec at lists.freedesktop.org
        ReportedBy: jpihlaja at cc.helsinki.fi
         QAContact: swfdec at lists.freedesktop.org


Created an attachment (id=18885)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=18885)
trigger a buffer overflow in the DHT marker handler.

dsjpeg can be tricked into overflowing its internal Huffman table arrays.
Valgrind says of the attached test case:

==31295== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==31295== Using valgrind-3.2.1-Debian, a dynamic binary instrumentation framework.
==31295== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==31295== For more details, rerun with: -v
==31295==
==31295== Invalid write of size 1
==31295==    at 0x40382C: huffman_table_add (jpeg_huffman.c:48)
==31295==    by 0x401B59: huffman_table_init_jpeg (jpeg.c:273)
==31295==    by 0x402B8C: jpeg_decoder_define_huffman_tables (jpeg.c:751)
==31295==    by 0x4028D9: jpeg_decoder_decode (jpeg.c:672)
==31295==    by 0x403C24: jpeg_decode_argb (jpeg_rgb_decoder.c:58)
==31295==    by 0x400DB0: main (load.c:46)
==31295==  Address 0x537B434 is 12 bytes after a block of size 43,984 alloc'd
==31295==    at 0x4A1B858: malloc (vg_replace_malloc.c:149)
==31295==    by 0x40245F: jpeg_decoder_new (jpeg.c:535)
==31295==    by 0x403C07: jpeg_decode_argb (jpeg_rgb_decoder.c:55)
==31295==    by 0x400DB0: main (load.c:46)
==31295==
==31295== Invalid write of size 4
==31295==    at 0x403844: huffman_table_add (jpeg_huffman.c:49)
==31295==    by 0x401B59: huffman_table_init_jpeg (jpeg.c:273)
[snip]

When run without valgrind this test case causes glibc to abort on x86-64:

*** glibc detected *** free(): invalid pointer: 0x0000000000512f40 ***
error: decoder error: bad huffsize[] arrayAborted

On x86-32 the test causes dsjpeg to error out with a message "bad huffsize[]
array" seemingly intact, but note that the bug isn't 64-bit specific.
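A DHT marker handler that checks the invariants this report points at (claimed segment length, table class/id range, total symbol count against the table's capacity, and a canonical code space that is not over-subscribed) before writing anything into the table. This is an added example for readers of the report, not swfdec's or dsjpeg's own code; the huff_table_t layout, the function names and the two sample segments are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#define DHT_MAX_SYMBOLS 256
typedef struct {                 /* hypothetical table layout, not dsjpeg's */
    uint8_t bits[16];            /* symbols per code length 1..16 */
    uint8_t huffval[DHT_MAX_SYMBOLS];
    int n_symbols;
} huff_table_t;
/* Parse one DHT segment body (bytes after the 0xFFC4 marker, starting with the
 * 2-byte length) into tables[class][id]. Returns 0, or -1 on any violated
 * invariant; a table is written only after it has been fully validated. */
int parse_dht_segment(const uint8_t *seg, size_t seg_len, huff_table_t tables[2][4])
{
    if (seg_len < 2) return -1;
    size_t len = ((size_t)seg[0] << 8) | seg[1], pos = 2;
    if (len < 2 || len > seg_len) return -1;        /* claimed length must fit buffer */
    while (pos < len) {
        if (len - pos < 17) return -1;              /* Tc/Th byte + 16 counts */
        uint8_t tc = seg[pos] >> 4, th = seg[pos] & 0x0F;
        if (tc > 1 || th > 3) return -1;            /* class/id index the table array */
        pos++;
        unsigned total = 0, code = 0;
        for (int i = 0; i < 16; i++) {
            total += seg[pos + i];
            code += seg[pos + i];                   /* canonical code space, T.81 Annex C */
            if (code >= (1u << (i + 1))) return -1; /* over-subscribed or all-ones code */
            code <<= 1;
        }
        if (total > DHT_MAX_SYMBOLS) return -1;     /* would overrun huffval[] */
        if (len - (pos + 16) < total) return -1;    /* symbols must lie inside the segment */
        huff_table_t *t = &tables[tc][th];
        memcpy(t->bits, seg + pos, 16);
        memcpy(t->huffval, seg + pos + 16, total);
        t->n_symbols = (int)total;
        pos += 16 + total;
    }
    return 0;
}
/* Constructed samples (not the report's attachment): a standard luminance DC
 * table, and a table whose counts sum to 300 yet form a valid prefix code. */
static const uint8_t k_valid_dht[] = { 0x00, 0x1F, 0x00, 0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0, 0,1,2,3,4,5,6,7,8,9,10,11 };
static const uint8_t k_oversized_dht[] = { 0x00, 0x13, 0x00, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,200 };
/* Symbol count of table [0][0] after parsing, or -1 if the segment is rejected. */
int dht_symbol_count(const uint8_t *seg, size_t seg_len)
{
    huff_table_t tables[2][4] = {{{{0}}}};
    if (parse_dht_segment(seg, seg_len, tables) != 0) return -1;
    return tables[0][0].n_symbols;
}
```

The second sample passes the prefix-code check but is still rejected, which is the point: a count total above the table's capacity must be refused independently of whether the code lengths are otherwise sane.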

