We are reporting two bugs found via fuzzing for uses of uninitialized memory:

1. `r` is used uninitialized in `stbi__YCbCr_to_RGB_simd` (stb_image.h:3807)
2. `p` is used uninitialized in `stbi__jpeg_decode_block_prog_ac` (stb_image.h:2392) - we believe already discussed in issue "Use of uninitialized value in stbi__jpeg_decode_block_prog_ac" #1535

We found two testcases for bug 1, one of which also triggers bug 2. We are reporting them together hoping this can be helpful for bug analysis and fixing.
## To Reproduce

In the attached archive, you will find:

- the executable used for our tests (built from commit f4a71b1 for x64 with clang 14)
- the two testcases mentioned above
- the stacktrace when each bug was observed
- the output of Valgrind
Please note how the executable file is just one of the two fuzzing harnesses (i.e. `tests/stbi_read_fuzzer.c`) with a main function that reads the data and passes it to `LLVMFuzzerTestOneInput`.
### First bug

Run the executable file with valgrind (`valgrind --track-origins=yes ./executable path/to/testcase`) to obtain this output (non-relevant or redundant portions of the output have been omitted):

```
==46== Conditional jump or move depends on uninitialised value(s)
==46== at 0x11AFF4: stbi__YCbCr_to_RGB_simd (stb_image.h:3807)
==46== by 0x11D822: load_jpeg_image (stb_image.h:3953)
==46== by 0x10D835: stbi__jpeg_load (stb_image.h:4036)
==46== by 0x10B35F: stbi__load_main (stb_image.h:1167)
==46== by 0x1094DF: stbi__load_and_postprocess_8bit (stb_image.h:1262)
==46== by 0x109B10: stbi_load_from_memory (stb_image.h:1432)
==46== by 0x10B072: LLVMFuzzerTestOneInput (test1.c:19)
==46== by 0x10B0D9: main (test1.c:33)
==46== Uninitialised value was created by a heap allocation
==46== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==46== by 0x10A684: stbi__malloc (stb_image.h:986)
==46== by 0x112D06: stbi__malloc_mad2 (stb_image.h:1050)
==46== by 0x11C89B: stbi__process_frame_header (stb_image.h:3336)
==46== by 0x1157C1: stbi__decode_jpeg_header (stb_image.h:3384)
==46== by 0x11DF6D: stbi__decode_jpeg_image (stb_image.h:3419)
==46== by 0x11D0B9: load_jpeg_image (stb_image.h:3873)
==46== by 0x10D835: stbi__jpeg_load (stb_image.h:4036)
==46== by 0x10B35F: stbi__load_main (stb_image.h:1167)
==46== by 0x1094DF: stbi__load_and_postprocess_8bit (stb_image.h:1262)
==46== by 0x109B10: stbi_load_from_memory (stb_image.h:1432)
==46== by 0x10B072: LLVMFuzzerTestOneInput (test1.c:19)
```

The issue is also confirmed by DrMemory.
### Second bug

Run the executable file with valgrind (`valgrind --track-origins=yes ./executable path/to/testcase`) to obtain this output (non-relevant or redundant portions of the output have been omitted):

```
==54== Conditional jump or move depends on uninitialised value(s)
==54== at 0x1202F0: stbi__jpeg_decode_block_prog_ac (stb_image.h:2392)
==54== by 0x11F044: stbi__parse_entropy_coded_data (stb_image.h:3027)
==54== by 0x11DFDE: stbi__decode_jpeg_image (stb_image.h:3424)
==54== by 0x11D0B9: load_jpeg_image (stb_image.h:3873)
==54== by 0x10D835: stbi__jpeg_load (stb_image.h:4036)
==54== by 0x10B35F: stbi__load_main (stb_image.h:1167)
==54== by 0x1094DF: stbi__load_and_postprocess_8bit (stb_image.h:1262)
==54== by 0x109B10: stbi_load_from_memory (stb_image.h:1432)
==54== by 0x10B072: LLVMFuzzerTestOneInput (test2.c:19)
==54== by 0x10B0DE: main (test2.c:85)
==54== Uninitialised value was created by a heap allocation
==54== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==54== by 0x10A684: stbi__malloc (stb_image.h:986)
==54== by 0x112BD0: stbi__malloc_mad3 (stb_image.h:1057)
==54== by 0x11CA08: stbi__process_frame_header (stb_image.h:3345)
==54== by 0x1157C1: stbi__decode_jpeg_header (stb_image.h:3384)
==54== by 0x11DF6D: stbi__decode_jpeg_image (stb_image.h:3419)
==54== by 0x11D0B9: load_jpeg_image (stb_image.h:3873)
==54== by 0x10D835: stbi__jpeg_load (stb_image.h:4036)
==54== by 0x10B35F: stbi__load_main (stb_image.h:1167)
==54== by 0x1094DF: stbi__load_and_postprocess_8bit (stb_image.h:1262)
==54== by 0x109B10: stbi_load_from_memory (stb_image.h:1432)
==54== by 0x10B072: LLVMFuzzerTestOneInput (test2.c:19)
==54==
==54== Conditional jump or move depends on uninitialised value(s)
==54== at 0x11AFF4: stbi__YCbCr_to_RGB_simd (stb_image.h:3807)
==54== by 0x11D822: load_jpeg_image (stb_image.h:3953)
==54== by 0x10D835: stbi__jpeg_load (stb_image.h:4036)
==54== by 0x10B35F: stbi__load_main (stb_image.h:1167)
==54== by 0x1094DF: stbi__load_and_postprocess_8bit (stb_image.h:1262)
==54== by 0x109B10: stbi_load_from_memory (stb_image.h:1432)
==54== by 0x10B072: LLVMFuzzerTestOneInput (test2.c:19)
==54== by 0x10B0DE: main (test2.c:85)
==54== Uninitialised value was created by a heap allocation
==54== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==54== by 0x10A684: stbi__malloc (stb_image.h:986)
==54== by 0x112D06: stbi__malloc_mad2 (stb_image.h:1050)
==54== by 0x11C89B: stbi__process_frame_header (stb_image.h:3336)
==54== by 0x1157C1: stbi__decode_jpeg_header (stb_image.h:3384)
==54== by 0x11DF6D: stbi__decode_jpeg_image (stb_image.h:3419)
==54== by 0x11D0B9: load_jpeg_image (stb_image.h:3873)
==54== by 0x10D835: stbi__jpeg_load (stb_image.h:4036)
==54== by 0x10B35F: stbi__load_main (stb_image.h:1167)
==54== by 0x1094DF: stbi__load_and_postprocess_8bit (stb_image.h:1262)
==54== by 0x109B10: stbi_load_from_memory (stb_image.h:1432)
==54== by 0x10B072: LLVMFuzzerTestOneInput (test2.c:19)
```

All tests were performed on an x86-64 machine with Ubuntu 22.04 and clang 14 with the `-g` flag atop the default options for an OSS-Fuzz build.
## Impact

Currently unsure: use of uninitialized memory violations can be associated with severe security issues, but we could not assess the potential impact of this one in depth.
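The following is an added example written for this page; it is not code from stb_image, from the harness, or from the reporters. It models the bug class both traces above share (a heap buffer whose size is fixed by a header, later read on a branch before every byte was written) on a constructed toy format, puts the hardened decoder beside the unchecked one, and ends with a standalone driver `main` of the kind the report describes, which reads a testcase file and passes it to `LLVMFuzzerTestOneInput`. The toy format, the function names `decode_unchecked` and `decode_checked`, and the inputs are all hypothetical.

```c
// Added example, not code from stb_image or from the report: a toy decoder
// built around the bug class in the traces above (a heap buffer sized from
// the header, later read on a branch before every byte was written), its
// hardened form, and a standalone driver main of the kind the report
// describes. All names and the toy format are hypothetical.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Constructed toy format: byte 0 = width, byte 1 = height, then width*height
// payload bytes. As in a JPEG frame header, the allocation size is fixed
// before the payload is parsed.
#define HDR_LEN 2

// Unchecked decode: copies whatever payload exists into a malloc'd buffer and
// then branches on every byte. With a truncated payload the tail of the buffer
// is never written, so valgrind --track-origins=yes reports "Conditional jump
// or move depends on uninitialised value(s)" with the origin at malloc,
// the same shape as the two traces above.
static int decode_unchecked(const uint8_t *data, size_t len) {
    if (len < HDR_LEN) return -1;
    size_t w = data[0], h = data[1];
    if (w == 0 || h == 0) return -1;
    size_t need = w * h;
    uint8_t *coeff = malloc(need);            // contents undefined
    if (!coeff) return -1;
    size_t avail = len - HDR_LEN;
    memcpy(coeff, data + HDR_LEN, avail < need ? avail : need);
    int nonzero = 0;
    for (size_t i = 0; i < need; i++)
        if (coeff[i] != 0) nonzero++;         // reads unwritten bytes on short input
    free(coeff);
    return nonzero;
}

// Hardened decode: refuse a payload shorter than the header promises, so
// decoding never continues on a partially filled buffer, and zero the
// allocation anyway so any remaining logic slip is deterministic rather than
// dependent on stale heap contents.
static int decode_checked(const uint8_t *data, size_t len) {
    if (len < HDR_LEN) return -1;
    size_t w = data[0], h = data[1];
    if (w == 0 || h == 0) return -1;
    size_t need = w * h;
    if (len - HDR_LEN < need) return -2;      // truncated input: reject
    uint8_t *coeff = calloc(need, 1);         // defined contents from the start
    if (!coeff) return -1;
    memcpy(coeff, data + HDR_LEN, need);
    int nonzero = 0;
    for (size_t i = 0; i < need; i++)
        if (coeff[i] != 0) nonzero++;
    free(coeff);
    return nonzero;
}

// libFuzzer-style entry point, pointed at the unchecked decoder so the driver
// below reproduces the finding under valgrind; swap in decode_checked and the
// report disappears.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    decode_unchecked(data, size);
    return 0;
}

// Standalone driver: read the testcase file and hand it to the entry point,
// e.g.  valgrind --track-origins=yes ./toy path/to/testcase
int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s testcase\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return 1; }
    long n = ftell(f);
    if (n < 0) { fclose(f); return 1; }
    rewind(f);
    uint8_t *buf = malloc((size_t)n + 1);     // +1 so an empty file still allocates
    if (!buf) { fclose(f); return 1; }
    size_t got = fread(buf, 1, (size_t)n, f);
    fclose(f);
    int rc = LLVMFuzzerTestOneInput(buf, got);
    free(buf);
    return rc;
}
```

Compiled with `-g` and run under `valgrind --track-origins=yes` on a file whose payload is shorter than `width*height`, the unchecked path produces a report of the same shape as the two above: a conditional jump on an uninitialised value whose origin is the `malloc` in the decoder. The hardened path never reaches the branch on a short input, and `calloc` keeps any later slip deterministic, which is the property a fuzzing harness needs for its findings to be reproducible.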