libjxl
stack-use-after-scope in FixedAspectRatios
Describe the bug A use-after-scope error occurs in the FixedAspectRatios function within the libjxl library. This issue arises when attempting to access the global variable kRatios in the FixedAspectRatios function, leading to a crash.
To Reproduce
compile with ASan undefined and addresses. then run.
$ ./jxlinfo /path/to/file.jxl
Expected behavior Not to crash and run without the error.
Screenshots
crash log:
=================================================================
==321632==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f2f6c611270 at pc 0x7f2f6bc91594 bp 0x7ffe033ecbf0 sp 0x7ffe033ecbe0
READ of size 4 at 0x7f2f6c611270 thread T0
#0 0x7f2f6bc91593 in FixedAspectRatios /home/ /libjxl/lib/jxl/headers.cc:37
#1 0x7f2f6bc91593 in jxl::SizeHeader::xsize() const /home/ /libjxl/lib/jxl/headers.cc:53
#2 0x7f2f6bb7693f in JxlDecoderGetBasicInfo /home/ /libjxl/lib/jxl/decode.cc:2074
#3 0x55ba940157fc in jxl::extras::DecodeImageJXL(unsigned char const*, unsigned long, jxl::extras::JXLDecompressParams const&, unsigned long*, jxl::extras::PackedPixelFile*, std::vector<unsigned char, std::allocator<unsigned char> >*) /home/ /libjxl/lib/extras/dec/jxl.cc:316
#4 0x55ba93dea302 in DecompressJxlToPackedPixelFile /home/ /libjxl/tools/djxl_main.cc:394
#5 0x55ba93dea302 in main /home/ /libjxl/tools/djxl_main.cc:562
#6 0x7f2f65528d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f2f65528e3f in __libc_start_main_impl ../csu/libc-start.c:392
#8 0x55ba93e01e04 in _start (/home/ /libjxl/build/tools/djxl+0x359e04)
0x7f2f6c611270 is located 16 bytes inside of global variable 'kRatios' defined in '/home/ /libjxl/lib/jxl/headers.cc:30:22' (0x7f2f6c611260) of size 56
SUMMARY: AddressSanitizer: stack-use-after-scope /home/ /libjxl/lib/jxl/headers.cc:37 in FixedAspectRatios
Shadow bytes around the buggy address:
0x0fe66d8ba1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe66d8ba200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe66d8ba210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe66d8ba220: 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 05 f9 f9
0x0fe66d8ba230: f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
=>0x0fe66d8ba240: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 f8 f8[f8]f8
0x0fe66d8ba250: f8 f8 f8 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe66d8ba260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe66d8ba270: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 00 04 f9 f9
0x0fe66d8ba280: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0fe66d8ba290: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==321632==ABORTING
Environment OS: Ubuntu 20.04 Compiler Version: clang 11.0.1 CPU Type: x86_64 cjxl/djxl Version String: v0.10.2 (7b9701eb) [AVX2, SSE4, SSE2]
Additional context Add any other context about the problem here. JXL_crashes.zip
I could not reproduce it using clang-14, does it only occur with clang 11?
I tried the following: (cd build-asan/ && ninja && ./tools/jxlinfo ~/Downloads/github/issue3724/crash_1.jxl.jpg)
output: JPEG XL file format container (ISO/IEC 18181-2) Uncompressed Exif metadata: 150 bytes Uncompressed xml metadata: 458 bytes JPEG XL image, 16336x8168, (possibly) lossless, 8-bit float (4 exponent bits) Grayscale Decoder error
It is a same issue with BUG0 of https://github.com/libjxl/libjxl/issues/2661
I found that some compilers do not properly detect constexpr variable is in global data because of "-fmerge-all-constants" flag.
Removing "-fmerge-all-constants" or adding "static" to kRatios or explicitly moving kRatios to global make asan for those compilers do not warn the issue. But I am not sure one of those modifications is right way to fix.
