Bug 697152 - jpeg: SIGSEGV when reporting error from jpeg decoder
Summary: jpeg: SIGSEGV when reporting error from jpeg decoder
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: fuzzing (show other bugs)
Version: master
Hardware: All All
Importance: P4 normal
Assignee: MuPDF bugs
URL:
Keywords:
Duplicates: 697164
Depends on:
Blocks:
Reported: 2016-09-26 04:28 UTC by Sebastian Rasmussen
Modified: 2016-09-28 03:49 UTC
CC List: 0 users

See Also:
Customer:
Word Size: ---
Description Sebastian Rasmussen 2016-09-26 04:28:16 UTC
When running this jpeg image:

https://raw.githubusercontent.com/Grumbel/imagetestsuite/master/jpg/21a84b8472f6d18f5bb5c0026e97cfaa.jpg

using the following command:

valgrind ./build/debug/mutool draw -i -s t 21a84b8472f6d18f5bb5c0026e97cfaa.jpg

I see a SIGSEGV:

==11895== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
...
Corrupt JPEG data: 87 extraneous bytes before marker 0xdb
==11895== Process terminating with default action of signal 11 (SIGSEGV)
==11895==  Bad permissions for mapped region at address 0x809B739
==11895==    at 0x8072D5D: fz_vthrow (error.c:163)
==11895==    by 0x8072DEE: fz_throw (error.c:185)
==11895==    by 0x8091855: error_exit (load-jpeg.c:70)
==11895==    by 0x81BBE7A: get_sos (jdmarker.c:371)
==11895==    by 0x81BE9DA: read_markers (jdmarker.c:1152)
==11895==    by 0x81BB1F1: consume_markers (jdinput.c:568)
==11895==    by 0x81B935F: jpeg_consume_input (jdapimin.c:302)
==11895==    by 0x81B928E: jpeg_read_header (jdapimin.c:250)
==11895==    by 0x809252A: fz_load_jpeg_info (load-jpeg.c:360)
==11895==    by 0x808CDB2: fz_new_image_from_buffer (image.c:960)
==11895==    by 0x8100A85: img_open_document_with_stream (muimg.c:120)
==11895==    by 0x8100B60: img_open_document (muimg.c:143)
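As an added triage example (not part of the bug report or of MuPDF), the Python below parses a valgrind crash log in the format quoted above, extracts the signal, fault address, libjpeg warning and stack frames, and derives a crash signature for deduplicating fuzzer findings; the sample log is constructed from the trace above, and the `skip` set used to drop the shared fz_vthrow/fz_throw frames is an assumption about how one would bucket such crashes.

```python
import hashlib
import re
# Constructed sample, abridged from the valgrind output quoted in this bug report.
SAMPLE_LOG = """\
==11895== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
Corrupt JPEG data: 87 extraneous bytes before marker 0xdb
==11895== Process terminating with default action of signal 11 (SIGSEGV)
==11895==  Bad permissions for mapped region at address 0x809B739
==11895==    at 0x8072D5D: fz_vthrow (error.c:163)
==11895==    by 0x8072DEE: fz_throw (error.c:185)
==11895==    by 0x8091855: error_exit (load-jpeg.c:70)
==11895==    by 0x81BBE7A: get_sos (jdmarker.c:371)
==11895==    by 0x81BE9DA: read_markers (jdmarker.c:1152)
"""

SIGNAL_RE = re.compile(r"^==\d+== Process terminating with default action of signal \d+ \((\w+)\)")
FAULT_RE = re.compile(r"^==\d+==\s+(.+?) at address (0x[0-9A-Fa-f]+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")

def parse_valgrind_crash(text):
    """Extract signal, fault, libjpeg warnings and stack frames from a valgrind log."""
    report = {"signal": None, "fault": None, "address": None, "decoder_messages": [], "frames": []}
    for line in text.splitlines():
        if line.startswith("Corrupt JPEG data:"):  # libjpeg warning, not a valgrind line
            report["decoder_messages"].append(line)
            continue
        m = SIGNAL_RE.match(line)
        if m:
            report["signal"] = m.group(1)
            continue
        if not report["signal"]:
            continue  # skip valgrind chatter before the crash banner
        m = FAULT_RE.match(line)
        if m and report["fault"] is None:
            report["fault"], report["address"] = m.group(1), m.group(2)
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append((m.group(1), m.group(2)))  # (function, file:line)
    return report

def crash_key(report, depth=3, skip=()):
    """Top `depth` function names; `skip` drops error-plumbing frames so crashes bucket by origin."""
    funcs = [f for f, _ in report["frames"] if f not in skip]
    return "|".join(funcs[:depth])

def crash_signature(report, depth=3, skip=()):
    """Short stable id for deduplicating a fuzz corpus (same id => probably the same bug)."""
    return hashlib.sha256(("%s:%s" % (report["signal"], crash_key(report, depth, skip))).encode()).hexdigest()[:16]
```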
Comment 2 Sebastian Rasmussen 2016-09-26 05:06:29 UTC
This should probably be marked as fuzzing, sorry for the noise.
Comment 3 Sebastian Rasmussen 2016-09-27 00:12:38 UTC
*** Bug 697164 has been marked as a duplicate of this bug. ***
Comment 4 Sebastian Rasmussen 2016-09-28 03:49:49 UTC
Fixed in commit 2945b540908b2c05cc730335829726675028475b.