You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, we found one crash in jeegtran (libjpeg-turbo 3.0.2) which is the latest version. To assist in diagnosing and resolving these issues, we have attached the POC files along with the asan logs.
Environment: Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Command and args: ./jpegtran -drop +100+200 file1.jpg -maxmemory 4m poc
asan logs
==229843==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555556068f bp 0x7fffffffd710 sp 0x7fffffffd6b0 T0)
==229843==The signal is caused by a READ memory access.
==229843==Hint: address points to the zero page.
#0 0x55555556068e in adjust_quant /root/programs_rq5/libjpeg-turbo-3.0.2/transupp.c:206
#1 0x555555570833 in jtransform_adjust_parameters /root/programs_rq5/libjpeg-turbo-3.0.2/transupp.c:2099
#2 0x55555555c7c4 in main /root/programs_rq5/libjpeg-turbo-3.0.2/jpegtran.c:642
#3 0x7ffff7172082 in __libc_start_main ../csu/libc-start.c:308
#4 0x5555555597cd in _start (/root/programs_rq5/libjpeg-turbo-3.0.2/build_asan/bin/jpegtran+0x57cd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/programs_rq5/libjpeg-turbo-3.0.2/transupp.c:206 in adjust_quant
I will investigate, but since the issue in question involves an interface that is only exposed on the jpegtran command line, this does not represent a security issue. It is, at worst, a matter of the program crashing rather than failing gracefully, so from the user's point of view, the end result is the same. Still, though, it shouldn't crash.
It is possible to craft a malformed JPEG image in which all of the
scans contain fewer components than the number of components specified
in the Start Of Frame (SOF) segment. Attempting to use such an image as
either an input image or a drop image with 'jpegtran -drop' caused a
NULL dereference and subsequent segfault in transupp.c:adjust_quant(),
so this commit adds appropriate checks to guard against that.
Since the issue involved an interface that is only exposed on the
jpegtran command line, it did not represent a security risk.
'jpegtran -drop' could not ever be used successfully with images such as
the ones described above. This commit simply makes jpegtran fail
gracefully rather than crash.
Fixes#758
Hi, we found one crash in jeegtran (libjpeg-turbo 3.0.2) which is the latest version. To assist in diagnosing and resolving these issues, we have attached the POC files along with the asan logs.
Environment: Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Command and args:
./jpegtran -drop +100+200 file1.jpg -maxmemory 4m poc
asan logs
jpegtran_crash.zip
Credit by: Dawei Wang and Geng Zhou, from Zhongguancun Laboratory.
The text was updated successfully, but these errors were encountered: