[Swfdec] [Bug 15528] New: jpeg decoder allocation size overflows

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Apr 16 01:20:43 PDT 2008


http://bugs.freedesktop.org/show_bug.cgi?id=15528

           Summary: jpeg decoder allocation size overflows
           Product: swfdec
           Version: git
          Platform: x86 (IA32)
        OS/Version: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: library
        AssignedTo: swfdec at lists.freedesktop.org
        ReportedBy: jpihlaja at cc.helsinki.fi
         QAContact: swfdec at lists.freedesktop.org


Created an attachment (id=15947)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=15947)
Test jpegs

The two files cookiemon.jpg and wookiemon.jpg in the attached tar file trigger
allocation overflows on x86 and amd64.  Valgrind says:

[for wookiemon.jpg]
==4516== Invalid write of size 1
==4516==    at 0x445D8F8: (within /usr/lib/liboil-0.3.so.0.1.0)
==4516==    by 0x80497FF: jpeg_decoder_decode_entropy_segment (jpeg.c:503)
==4516==    by 0x8049DEB: jpeg_decoder_decode (jpeg.c:683)
==4516==    by 0x804B1E1: jpeg_decode_argb (jpeg_rgb_decoder.c:58)
==4516==    by 0x8048A51: main (load.c:46)
==4516==  Address 0x632C490 is 0 bytes after a block of size 0 alloc'd
==4516==    at 0x442438B: malloc (vg_replace_malloc.c:149)
==4516==    by 0x8049084: jpeg_decoder_init_decoder (jpeg.c:192)
==4516==    by 0x8049CD3: jpeg_decoder_decode (jpeg.c:654)
==4516==    by 0x804B1E1: jpeg_decode_argb (jpeg_rgb_decoder.c:58)
==4516==    by 0x8048A51: main (load.c:46)

[for cookiemon.jpg]
==4520== Invalid write of size 4
==4520==    at 0x804B470: yuv_mux (jpeg_rgb_decoder.c:103)
==4520==    by 0x804BDDF: get_argb_420 (jpeg_rgb_decoder.c:278)
==4520==    by 0x804B329: jpeg_decoder_get_argb_image (jpeg_rgb_decoder.c:89)
==4520==    by 0x804B217: jpeg_decode_argb (jpeg_rgb_decoder.c:63)
==4520==    by 0x8048A51: main (load.c:46)
==4520==  Address 0x78C57D80 is 0 bytes after a block of size 40 alloc'd
==4520==    at 0x442438B: malloc (vg_replace_malloc.c:149)
==4520==    by 0x804BB54: get_argb_420 (jpeg_rgb_decoder.c:253)
==4520==    by 0x804B329: jpeg_decoder_get_argb_image (jpeg_rgb_decoder.c:89)
==4520==    by 0x804B217: jpeg_decode_argb (jpeg_rgb_decoder.c:63)
==4520==    by 0x8048A51: main (load.c:46)

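The Valgrind traces above show the decoder writing into a 0-byte block (wookiemon.jpg) and one byte past a 40-byte block (cookiemon.jpg), which is what happens when plane sizes are derived from header fields that were never validated. The report does not include swfdec's size arithmetic, so the following is an added example and not the project's code: a hypothetical SOF0 frame-header parser that rejects zero dimensions, out-of-range sampling factors and truncated segments, and sizes each MCU-padded component plane with overflow-checked multiplication. The names (`parse_sof0`, `struct frame`, `PLANE_CAP`) and the three embedded header segments are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: validating JPEG frame-header dimensions before sizing plane
 * buffers. All names are hypothetical; this is not swfdec's decoder API. */

#define MAX_COMPONENTS 4
#define PLANE_CAP ((size_t)64 << 20)   /* per-plane policy cap, assumed for the example */

enum status { OK = 0, ERR_TRUNCATED, ERR_MARKER, ERR_ZERO_DIM,
              ERR_BAD_SAMPLING, ERR_OVERFLOW, ERR_TOO_LARGE };

struct frame {
    uint16_t width, height;
    uint8_t  ncomp;
    uint8_t  h[MAX_COMPONENTS], v[MAX_COMPONENTS];   /* sampling factors per component */
    size_t   plane_bytes[MAX_COMPONENTS];            /* validated buffer size per component */
};

/* *out = a * b, refusing to wrap size_t. Returns 1 on success, 0 on overflow. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Round n up to a multiple of m (m > 0) without wrapping. */
static int round_up_checked(size_t n, size_t m, size_t *out)
{
    size_t r = n % m;
    if (r == 0) { *out = n; return 1; }
    if (n > SIZE_MAX - (m - r))
        return 0;
    *out = n + (m - r);
    return 1;
}

/* Parse one SOF0 segment (FF C0, Lf, P, Y, X, Nf, then Nf x {Ci, HiVi, Tqi})
 * and compute the MCU-padded byte size of each component plane. */
static enum status parse_sof0(const uint8_t *buf, size_t len, size_t max_bytes,
                              struct frame *f)
{
    if (len < 10) return ERR_TRUNCATED;
    if (buf[0] != 0xFF || buf[1] != 0xC0) return ERR_MARKER;
    size_t seglen = ((size_t)buf[2] << 8) | buf[3];   /* Lf counts itself, not the marker */
    if (seglen + 2 > len) return ERR_TRUNCATED;
    f->height = (uint16_t)((buf[5] << 8) | buf[6]);
    f->width  = (uint16_t)((buf[7] << 8) | buf[8]);
    f->ncomp  = buf[9];
    if (f->width == 0 || f->height == 0) return ERR_ZERO_DIM;   /* would size a 0-byte plane */
    if (f->ncomp == 0 || f->ncomp > MAX_COMPONENTS) return ERR_BAD_SAMPLING;
    if (seglen != 8 + 3u * f->ncomp) return ERR_TRUNCATED;

    unsigned hmax = 0, vmax = 0;
    for (unsigned i = 0; i < f->ncomp; i++) {
        uint8_t hv = buf[10 + 3 * i + 1];
        f->h[i] = hv >> 4;
        f->v[i] = hv & 0x0F;
        if (f->h[i] < 1 || f->h[i] > 4 || f->v[i] < 1 || f->v[i] > 4)
            return ERR_BAD_SAMPLING;               /* also rules out a divide by zero below */
        if (f->h[i] > hmax) hmax = f->h[i];
        if (f->v[i] > vmax) vmax = f->v[i];
    }
    /* The decoder writes whole MCUs (8*hmax x 8*vmax pixels), so size the padded frame. */
    size_t pw, ph;
    if (!round_up_checked(f->width, 8u * hmax, &pw) ||
        !round_up_checked(f->height, 8u * vmax, &ph))
        return ERR_OVERFLOW;
    for (unsigned i = 0; i < f->ncomp; i++) {
        size_t cw = pw * f->h[i] / hmax;   /* exact and small: pw <= 65568, h <= 4 */
        size_t ch = ph * f->v[i] / vmax;
        size_t bytes;
        if (!mul_checked(cw, ch, &bytes)) return ERR_OVERFLOW;
        if (bytes == 0) return ERR_ZERO_DIM;
        if (bytes > max_bytes) return ERR_TOO_LARGE;
        f->plane_bytes[i] = bytes;
    }
    return OK;
}

/* Constructed SOF0 segments for the example (not the attached test files). */
static const uint8_t SOF0_420_16X16[] = {   /* 16x16, 3 components, 4:2:0 */
    0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, 0x10, 0x00, 0x10, 0x03,
    0x01, 0x22, 0x00,  0x02, 0x11, 0x01,  0x03, 0x11, 0x01 };
static const uint8_t SOF0_ZERO_HEIGHT[] = { /* height field is 0 */
    0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, 0x00, 0x00, 0x10, 0x03,
    0x01, 0x22, 0x00,  0x02, 0x11, 0x01,  0x03, 0x11, 0x01 };
static const uint8_t SOF0_444_MAX[] = {     /* 65535x65535, 4:4:4 */
    0xFF, 0xC0, 0x00, 0x11, 0x08, 0xFF, 0xFF, 0xFF, 0xFF, 0x03,
    0x01, 0x11, 0x00,  0x02, 0x11, 0x01,  0x03, 0x11, 0x01 };

static enum status status_of(const uint8_t *seg, size_t len)
{
    struct frame f;
    return parse_sof0(seg, len, PLANE_CAP, &f);
}

/* Byte size of plane i, or 0 if the header is rejected. */
static size_t plane_size_of(const uint8_t *seg, size_t len, unsigned i)
{
    struct frame f;
    if (parse_sof0(seg, len, PLANE_CAP, &f) != OK || i >= f.ncomp) return 0;
    return f.plane_bytes[i];
}

static int mul_wrap_rejected(void)
{
    size_t out;
    return !mul_checked(SIZE_MAX / 2 + 1, 2, &out);
}

int main(void)
{
    printf("4:2:0 16x16: status %d, planes %zu/%zu/%zu\n",
           status_of(SOF0_420_16X16, sizeof SOF0_420_16X16),
           plane_size_of(SOF0_420_16X16, sizeof SOF0_420_16X16, 0),
           plane_size_of(SOF0_420_16X16, sizeof SOF0_420_16X16, 1),
           plane_size_of(SOF0_420_16X16, sizeof SOF0_420_16X16, 2));
    printf("zero height: status %d\n", status_of(SOF0_ZERO_HEIGHT, sizeof SOF0_ZERO_HEIGHT));
    printf("65535x65535 4:4:4: status %d\n", status_of(SOF0_444_MAX, sizeof SOF0_444_MAX));
    return 0;
}
```

The 65535x65535 header is rejected by the policy cap on a 64-bit build and by the wrap check on a 32-bit build; either way no allocation of a wrapped or zero size reaches malloc, which is the property the two Valgrind traces show being violated.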
