Hello, the attachments are some samples that can cause SIGFPE that caused by devided-by-zero at src/lepton/uncompressed_components.hh:122. This exception can cause Denial-of-Service of lepton.
sample.zip
You can reproduce it with: ./lepton ID.jpg
Here are the debugging info with gdb:
[CODE────────────────────────────────────────────────]
117 for (int cmp = 0; cmp < (int)header.size() && cmp < cmpc; cmp++) {
118 int bcallocated = header[cmp].info_.bc;
119 int64_t max_cmp_bc = max_number_of_blocks;
120 max_cmpbc *= header[cmp].info_.bcv;
121 max_cmpbc *= header[cmp].info_.bch;
122 max_cmp_bc /= total_req_blocks;
123 if (bc_allocated > max_cmp_bc) {
124 bc_allocated = max_cmp_bc - (max_cmpbc % header[cmp].info_.bch);
125 }
126 if (cmp == desired_cmp) {
[STACK───────────────────────────────────────────────]
00:0000│ 0x7fffdf7fde80 ◂— 0x0
01:0008│ 0x7fffdf7fde88 —▸ 0x4323ad ◂— test rax, rax
02:0010│ 0x7fffdf7fde90 ◂— 0x101000015
03:0018│ 0x7fffdf7fde98 ◂— 0x7fff000000000006
04:0020│ 0x7fffdf7fdea0 ◂— 0x6
05:0028│ 0x7fffdf7fdea8 —▸ 0x6a5188 ◂— 0x1
06:0030│ 0x7fffdf7fdeb0 ◂— 0x0
07:0038│ 0x7fffdf7fdeb8 —▸ 0x432424 (GenericWorker::wait_for_work()+52) ◂— mov byte ptr [rsp + 7], 0
[BACKTRACE─────────────────────────────────────────────]
► f 0 41b97a
f 1 41b97a
f 2 413efb setup_imginfo_jpg(bool)+1163
f 3 41cc2b
f 4 40dd03
f 5 40dd03
f 6 4162ae
f 7 416aa7
f 8 7ffff7186830 __libc_start_main+240
Program received signal SIGFPE
pwndbg> p total_req_blocks
$1 = 0
pwndbg> bt
0 0x000000000041b97a in UncompressedComponents::allocate_channel_framebuffer (memory_optimized=false, framebuffer=0x68c650 <colldata+16>, desired_cmp=0, this=0x68c640 ) at src/lepton/uncompressed_components.hh:122
2 0x0000000000413efb in setup_imginfo_jpg (only_allocate_two_image_rows=only_allocate_two_image_rows@entry=false) at src/lepton/jpgcoder.cc:4250
3 0x000000000041cc2b in read_jpeg (huff_input_offsets=, jpg_in=0x7fffffffd980) at src/lepton/jpgcoder.cc:2250
4 0x000000000040dd03 in std::function<bool ()>::operator()() const (this=0x7fffffffd9a0) at /usr/include/c++/5/functional:2267
5 execute(std::function<bool ()> const&) (function=...) at src/lepton/jpgcoder.cc:1863
6 0x00000000004162ae in process_file (reader=reader@entry=0x0, writer=writer@entry=0x0, max_file_size=max_file_size@entry=0, force_zlib0=) at src/lepton/jpgcoder.cc:1646
7 0x0000000000416aa7 in app_main (argc=2, argv=) at src/lepton/jpgcoder.cc:922
8 0x00007ffff7186830 in __libc_start_main (main=0x403040 <main(int, char**)>, argc=2, argv=0x7fffffffdc38, init=, fini=, rtld_fini=, stack_end=0x7fffffffdc28) at ../csu/libc-start.c:291
Hello, the attachments are some samples that can cause SIGFPE that caused by devided-by-zero at src/lepton/uncompressed_components.hh:122. This exception can cause Denial-of-Service of lepton. sample.zip
You can reproduce it with: ./lepton ID.jpg
Here are the debugging info with gdb:
[CODE────────────────────────────────────────────────] 117 for (int cmp = 0; cmp < (int)header.size() && cmp < cmpc; cmp++) { 118 int bcallocated = header[cmp].info_.bc; 119 int64_t max_cmp_bc = max_number_of_blocks; 120 max_cmpbc *= header[cmp].info_.bcv; 121 max_cmpbc *= header[cmp].info_.bch; 122 max_cmp_bc /= total_req_blocks; 123 if (bc_allocated > max_cmp_bc) { 124 bc_allocated = max_cmp_bc - (max_cmpbc % header[cmp].info_.bch); 125 } 126 if (cmp == desired_cmp) { [STACK───────────────────────────────────────────────] 00:0000│ 0x7fffdf7fde80 ◂— 0x0 01:0008│ 0x7fffdf7fde88 —▸ 0x4323ad ◂— test rax, rax 02:0010│ 0x7fffdf7fde90 ◂— 0x101000015 03:0018│ 0x7fffdf7fde98 ◂— 0x7fff000000000006 04:0020│ 0x7fffdf7fdea0 ◂— 0x6 05:0028│ 0x7fffdf7fdea8 —▸ 0x6a5188 ◂— 0x1 06:0030│ 0x7fffdf7fdeb0 ◂— 0x0 07:0038│ 0x7fffdf7fdeb8 —▸ 0x432424 (GenericWorker::wait_for_work()+52) ◂— mov byte ptr [rsp + 7], 0 [BACKTRACE─────────────────────────────────────────────] ► f 0 41b97a f 1 41b97a f 2 413efb setup_imginfo_jpg(bool)+1163 f 3 41cc2b f 4 40dd03 f 5 40dd03 f 6 4162ae f 7 416aa7 f 8 7ffff7186830 __libc_start_main+240 Program received signal SIGFPE pwndbg> p total_req_blocks $1 = 0 pwndbg> bt
0 0x000000000041b97a in UncompressedComponents::allocate_channel_framebuffer (memory_optimized=false, framebuffer=0x68c650 <colldata+16>, desired_cmp=0, this=0x68c640 ) at src/lepton/uncompressed_components.hh:122
1 UncompressedComponents::init (this=0x68c640, cmpinfo=..., cmpc=3, mcuh=, mcuv=, memory_optimized_image=) at src/lepton/uncompressed_components.hh:158
2 0x0000000000413efb in setup_imginfo_jpg (only_allocate_two_image_rows=only_allocate_two_image_rows@entry=false) at src/lepton/jpgcoder.cc:4250
3 0x000000000041cc2b in read_jpeg (huff_input_offsets=, jpg_in=0x7fffffffd980) at src/lepton/jpgcoder.cc:2250
4 0x000000000040dd03 in std::function<bool ()>::operator()() const (this=0x7fffffffd9a0) at /usr/include/c++/5/functional:2267
5 execute(std::function<bool ()> const&) (function=...) at src/lepton/jpgcoder.cc:1863
6 0x00000000004162ae in process_file (reader=reader@entry=0x0, writer=writer@entry=0x0, max_file_size=max_file_size@entry=0, force_zlib0=) at src/lepton/jpgcoder.cc:1646
7 0x0000000000416aa7 in app_main (argc=2, argv=) at src/lepton/jpgcoder.cc:922
8 0x00007ffff7186830 in __libc_start_main (main=0x403040 <main(int, char**)>, argc=2, argv=0x7fffffffdc38, init=, fini=, rtld_fini=, stack_end=0x7fffffffdc28) at ../csu/libc-start.c:291
9 0x0000000000403599 in _start ()