
NULL Pointer Dereference vulnerability in quantize_ord_dither function of mozjpeg

Open leonzhao7 opened this issue 8 years ago • 0 comments

Command and argument

djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o [infile]

Crash Information

The output of djpeg with address sanitizer enabled

./djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o /root/fuzz/mozjpeg/output/moz-fuzz02/crashes/001-mozjpeg-quantize_ord_dither-536.crash 
Corrupt JPEG data: 94 extraneous bytes before marker 0xdd
ASAN:SIGSEGV
=================================================================
==51824==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fb8a48a9302 bp 0x7ffe5825e380 sp 0x7ffe5825db08 T0)
    #0 0x7fb8a48a9301  (/lib/x86_64-linux-gnu/libc.so.6+0x8f301)
    #1 0x7fb8a4fe7b1e in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cb1e)
    #2 0x7fb8a4cf3736 in jzero_far /root/mozjpeg/jutils.c:132
    #3 0x7fb8a4ce99f7 in quantize_ord_dither /root/mozjpeg/jquant1.c:536
    #4 0x7fb8a4cc2772 in post_process_1pass /root/mozjpeg/jdpostct.c:145
    #5 0x7fb8a4c91f0e in process_data_simple_main /root/mozjpeg/jdmainct.c:311
    #6 0x7fb8a4c6a16c in jpeg_read_scanlines /root/mozjpeg/jdapistd.c:282
    #7 0x404c89 in main /root/mozjpeg/djpeg.c:731
    #8 0x7fb8a483a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4018e8 in _start (/opt/asan/bin/djpeg+0x4018e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==51824==ABORTING

And the second POC file; I think they should be the same vulnerability.

./djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o /root/fuzz/mozjpeg/output/moz-fuzz02/crashes/002-mozjpeg-quantize_ord_dither-536.crash 
ASAN:SIGSEGV
=================================================================
==43339==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7c8450a9ea bp 0x7ffea3850b70 sp 0x7ffea3850b00 T0)
    #0 0x7f7c8450a9e9 in quantize_ord_dither /root/mozjpeg/jquant1.c:536
    #1 0x7f7c844e3772 in post_process_1pass /root/mozjpeg/jdpostct.c:145
    #2 0x7f7c844b2f0e in process_data_simple_main /root/mozjpeg/jdmainct.c:311
    #3 0x7f7c8448b16c in jpeg_read_scanlines /root/mozjpeg/jdapistd.c:282
    #4 0x7f7c8448b307 in read_and_discard_scanlines /root/mozjpeg/jdapistd.c:316
    #5 0x7f7c8448b4d1 in increment_simple_rowgroup_ctr /root/mozjpeg/jdapistd.c:342
    #6 0x7f7c8448c6d4 in jpeg_skip_scanlines /root/mozjpeg/jdapistd.c:504
    #7 0x404bff in main /root/mozjpeg/djpeg.c:729
    #8 0x7f7c8405b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4018e8 in _start (/opt/asan/bin/djpeg+0x4018e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/mozjpeg/jquant1.c:536 quantize_ord_dither
==43339==ABORTING

POC file

mozjpeg-quantize_ord_dither-crash.zip

CREDIT

Zhao Liang, Huawei Weiran Labs

leonzhao7, Sep 30 '17 02:09
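The two traces above differ in their top frames (report 001 faults inside libc memset reached through jzero_far, report 002 faults on jquant1.c:536 directly), which is why a naive "top three frames" deduplication would file them as two bugs. The following triage script is an added example, not part of mozjpeg or of the report: it parses ASAN output, keeps only frames under the project tree, drops memset-style wrapper frames, and groups reports by the resulting signature, also flagging faults in the zero page as NULL-pointer dereferences. The sample reports are trimmed copies of the traces in the issue; `PROJECT_ROOT` is the path visible in them, and treating `jzero_far` as a wrapper is this example's assumption.

```python
"""Group AddressSanitizer reports by their in-project stack frames (added example,
not mozjpeg code). Sample reports are trimmed copies of the two traces in the issue."""
import re
from collections import defaultdict

PROJECT_ROOT = "/root/mozjpeg/"  # source path as it appears in the traces

# Thin helpers that only wrap memset/memcpy: a fault inside them belongs to the
# caller. jzero_far is the only such helper visible in the traces (frame #2 of
# report 001 calls __asan_memset); listing it here is an assumption of this example.
WRAPPER_FUNCS = frozenset({"jzero_far"})

ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?(.*)$")


def parse_report(text):
    """Return (error_kind, fault_addr, frames); frames = [(func or None, location)]."""
    kind, addr, frames = None, None, []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            kind, addr = m.group(1), int(m.group(2), 16)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(2), m.group(3).strip()))
    return kind, addr, frames


def crash_signature(frames, depth=3, root=PROJECT_ROOT, wrappers=WRAPPER_FUNCS):
    """First `depth` frames under `root`, skipping libc/libasan frames (no project
    path) and wrapper helpers, so 'faulted inside memset' and 'faulted on the
    statement itself' collapse to the same signature."""
    sig = []
    for func, loc in frames:
        if not loc.startswith(root) or func in wrappers:
            continue
        sig.append((func, loc[len(root):]))
        if len(sig) == depth:
            break
    return tuple(sig)


def is_null_page_access(addr, page_size=4096):
    """SEGV on an address in the never-mapped zero page: a NULL (+ small offset) deref."""
    return addr is not None and 0 <= addr < page_size


def group_reports(reports):
    """Map crash signature -> [(name, error_kind, fault_addr)]."""
    groups = defaultdict(list)
    for name, text in reports.items():
        kind, addr, frames = parse_report(text)
        groups[crash_signature(frames)].append((name, kind, addr))
    return dict(groups)


SAMPLE_REPORTS = {  # trimmed copies of the two ASAN traces in the issue
    "001": """\
==51824==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fb8a48a9302 bp 0x7ffe5825e380 sp 0x7ffe5825db08 T0)
    #0 0x7fb8a48a9301  (/lib/x86_64-linux-gnu/libc.so.6+0x8f301)
    #1 0x7fb8a4fe7b1e in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cb1e)
    #2 0x7fb8a4cf3736 in jzero_far /root/mozjpeg/jutils.c:132
    #3 0x7fb8a4ce99f7 in quantize_ord_dither /root/mozjpeg/jquant1.c:536
    #4 0x7fb8a4cc2772 in post_process_1pass /root/mozjpeg/jdpostct.c:145
    #5 0x7fb8a4c91f0e in process_data_simple_main /root/mozjpeg/jdmainct.c:311
    #6 0x7fb8a4c6a16c in jpeg_read_scanlines /root/mozjpeg/jdapistd.c:282
    #7 0x404c89 in main /root/mozjpeg/djpeg.c:731
""",
    "002": """\
==43339==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7c8450a9ea bp 0x7ffea3850b70 sp 0x7ffea3850b00 T0)
    #0 0x7f7c8450a9e9 in quantize_ord_dither /root/mozjpeg/jquant1.c:536
    #1 0x7f7c844e3772 in post_process_1pass /root/mozjpeg/jdpostct.c:145
    #2 0x7f7c844b2f0e in process_data_simple_main /root/mozjpeg/jdmainct.c:311
    #3 0x7f7c8448b16c in jpeg_read_scanlines /root/mozjpeg/jdapistd.c:282
    #4 0x7f7c8448b307 in read_and_discard_scanlines /root/mozjpeg/jdapistd.c:316
    #5 0x7f7c8448b4d1 in increment_simple_rowgroup_ctr /root/mozjpeg/jdapistd.c:342
    #6 0x7f7c8448c6d4 in jpeg_skip_scanlines /root/mozjpeg/jdapistd.c:504
    #7 0x404bff in main /root/mozjpeg/djpeg.c:729
""",
}

if __name__ == "__main__":
    for sig, members in group_reports(SAMPLE_REPORTS).items():
        print(" <- ".join(f"{func} {loc}" for func, loc in sig))
        for name, kind, addr in members:
            page = "null-page" if is_null_page_access(addr) else "other"
            print(f"  {name}: {kind} at {addr:#x} ({page})")
```

Run as-is it prints one group, `quantize_ord_dither jquant1.c:536 <- post_process_1pass jdpostct.c:145 <- process_data_simple_main jdmainct.c:311`, with both reports flagged as null-page faults (addresses 0x1 and 0x0). Passing `wrappers=frozenset()` to `crash_signature` reproduces the naive behaviour and splits them, because report 001's first project frame is then `jzero_far jutils.c:132`; which of the two groupings is right is a policy choice per project, and the wrapper list should grow only with functions you have confirmed are pure memory helpers.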