Bug when arith_code=1 and trellis_quant=0
Dear all,
The following bug was found with AFLFast, a fork of AFL, in a one-hour fuzzing session on Mozjpeg. The library calls memcpy with a null pointer as second argument, which results in undefined behaviour. Confirmed for v3.0 and for the most recent version in trunk on Ubuntu 14.04 x86_64.
How to reproduce:
$ printf "\x00\x00\x0200\x00\x0000000\xb7\x0c\xf1\x05\x10\x00" > test
$ ./cjpeg -a -n test
UBSAN reports:
./jcmaster.c:614:3: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:47:28: note: nonnull attribute specified here
SUMMARY: AddressSanitizer: undefined-behavior ../jcmaster.c:614:3
Turns out we can observe the error even with normal input:
$ wget https://www.quaxio.com/gif_encoder_from_scratch/sunset.ppm
$ ./cjpeg -a -n sunset.ppm
GDB shows:
(gdb) r -a -n test
Starting program: /home/ubuntu/subjects/mozjpeg/obj-afl/cjpeg -a -n test
Breakpoint 1, copy_buffer (cinfo=cinfo@entry=0x7fffffffe130, scan_idx=scan_idx@entry=0) at ../jcmaster.c:615
615 cinfo->dest->next_output_byte += size;
(gdb) p src
$1 = (unsigned char *) 0x0
(gdb) bt
#0 copy_buffer (cinfo=cinfo@entry=0x7fffffffe130, scan_idx=scan_idx@entry=0) at ../jcmaster.c:615
#1 0x0000000000438703 in select_scans (next_scan_number=<optimized out>, cinfo=0x7fffffffe130) at ../jcmaster.c:748
#2 finish_pass_master (cinfo=0x7fffffffe130) at ../jcmaster.c:849
#3 0x000000000041a0fe in jpeg_finish_compress (cinfo=cinfo@entry=0x7fffffffe130) at ../jcapimin.c:200
#4 0x0000000000401fa7 in main (argc=<optimized out>, argv=0x7fffffffe448) at ../cjpeg.c:812
Best regards,
- Marcel
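As an added illustration (this is not mozjpeg's code and not part of the report above), a guarded copy of the kind that avoids handing memcpy a null source in a copy_buffer-style routine. The names scan_buffer, copy_scan_checked and assemble_scans are hypothetical, and the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-scan output buffer. In the reported configuration
 * (-a -n) one scan's buffer was never filled, so its pointer is NULL. */
typedef struct {
    const uint8_t *data;
    size_t size;
} scan_buffer;

/* Guarded copy. memcpy(dst, NULL, n) is undefined behaviour for any n,
 * including 0, because glibc declares both pointers nonnull (the UBSAN
 * message in the report). Returns bytes copied, 0 if nothing was. */
static size_t copy_scan_checked(uint8_t *dst, const scan_buffer *buf)
{
    if (buf->data == NULL || buf->size == 0)
        return 0;
    memcpy(dst, buf->data, buf->size);
    return buf->size;
}

/* Appends every allocated scan to out (capacity out_cap) and returns
 * the total written; a scan whose data is NULL or that would not fit
 * is skipped rather than passed to memcpy. */
static size_t assemble_scans(uint8_t *out, size_t out_cap,
                             const scan_buffer *scans, size_t nscans)
{
    size_t written = 0;
    for (size_t i = 0; i < nscans; i++) {
        if (written + scans[i].size > out_cap)
            continue;   /* would overflow out */
        written += copy_scan_checked(out + written, &scans[i]);
    }
    return written;
}

/* Constructed input: three scans, the middle one never allocated. */
static size_t demo_total(void)
{
    static const uint8_t a[3] = {1, 2, 3};
    const scan_buffer scans[3] = { {a, 3}, {NULL, 5}, {a, 2} };
    uint8_t out[16];
    return assemble_scans(out, sizeof out, scans, 3);
}

int main(void)
{
    printf("bytes assembled: %zu\n", demo_total());  /* 5 */
    return 0;
}
```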