google / guetzli

Perceptual JPEG encoder
Apache License 2.0

Segfault on malformed input #47

Closed alex closed 7 years ago

alex commented 7 years ago

/p/t/guetzli (master) $ ./bin/Release/guetzli crasher-min-36.jpg /dev/null
fish: './bin/Release/guetzli crasher-m…' terminated by signal SIGSEGV (Address boundary error)
/p/t/guetzli (master) $ xxd crasher-min-36.jpg
00000000: ffd8 ffdb 0043 0030 3030 3030 3030 3030  .....C.000000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 3030 30ff db00 4301 3030 3030  0000000...C.0000
00000050: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000080: 3030 3030 3030 3030 3030 3030 ffc0 0011  000000000000....
00000090: 0800 0830 3003 3022 0002 1101 0311 01ff  ...00.0"........
000000a0: c400 1a11 0100 0203 0100 0000 0000 0000  ................
000000b0: 0000 0000 00fb 99ac 30e7 97ff d9         ........0....

(Discovered using afl-fuzz)
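
Reading the dump above marker by marker: SOI, two DQT segments (8-bit tables 0 and 1, every entry 0x30), an SOF0 declaring an 8-row by 12336-column frame with three components, one DHT carrying a single AC table (Th=1, 7 symbols), and then EOI. There is no SOS, so the frame header is never followed by scan data. The following is an added example, not code from guetzli or from the reporter: a bounds-checked JPEG marker-segment walker that enforces exactly the structural invariants a front end should check before handing a file to any processing stage. The crasher bytes are transcribed from the xxd dump; the `JpegSummary`, `WalkJpeg` and `CrasherBytes` names and the error strings are my own choices.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct JpegSummary {                 // result of one structural pass (type and field names are mine)
  bool ok = true;                    // false once the first structural problem is found
  std::string error;
  int dqt = 0, dht = 0, sof = 0, sos = 0, width = 0, height = 0, components = 0;
  bool eoi = false;
};

// Bounds-checked marker-segment walker for untrusted input. It decodes nothing: it checks that every
// segment fits the buffer, that table/frame headers are self-consistent, and that a frame header is
// followed by at least one scan (SOS) before EOI.
JpegSummary WalkJpeg(const std::vector<uint8_t>& d) {
  JpegSummary s;
  auto fail = [&s](const std::string& m) -> JpegSummary { s.ok = false; s.error = m; return s; };
  if (d.size() < 2 || d[0] != 0xFF || d[1] != 0xD8) return fail("missing SOI");
  size_t pos = 2;
  while (pos < d.size()) {
    if (d[pos] != 0xFF) return fail("expected marker at offset " + std::to_string(pos));
    while (pos < d.size() && d[pos] == 0xFF) ++pos;          // fill bytes
    if (pos >= d.size()) return fail("truncated marker");
    uint8_t m = d[pos++];
    if (m == 0xD9) { s.eoi = true; break; }                   // EOI
    if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) continue;      // TEM, RSTn: no payload
    if (pos + 2 > d.size()) return fail("truncated segment length");
    size_t len = (size_t(d[pos]) << 8) | d[pos + 1];
    if (len < 2 || pos + len > d.size()) return fail("segment length overruns buffer");
    const uint8_t* p = &d[pos + 2]; size_t n = len - 2;       // segment payload
    if (m == 0xDB) {                                           // DQT: 1 + 64*(Pq+1) bytes per table
      for (size_t i = 0; i < n;) {
        int pq = p[i] >> 4, tq = p[i] & 0x0F;
        if (pq > 1 || tq > 3) return fail("DQT: bad Pq/Tq");
        size_t tl = 1 + 64 * size_t(pq + 1);
        if (i + tl > n) return fail("DQT: table truncated");
        i += tl; ++s.dqt;
      }
    } else if (m == 0xC4) {                                    // DHT: 17-byte header + symbols
      for (size_t i = 0; i < n;) {
        if (i + 17 > n) return fail("DHT: header truncated");
        int tc = p[i] >> 4, th = p[i] & 0x0F;
        if (tc > 1 || th > 3) return fail("DHT: bad Tc/Th");
        size_t syms = 0; for (int k = 1; k <= 16; ++k) syms += p[i + k];
        if (syms > 256 || i + 17 + syms > n) return fail("DHT: symbols truncated");
        i += 17 + syms; ++s.dht;
      }
    } else if (m >= 0xC0 && m <= 0xCF && m != 0xC8 && m != 0xCC) {  // SOFn (0xC4 handled above)
      if (n < 6) return fail("SOF: header truncated");
      s.height = (p[1] << 8) | p[2]; s.width = (p[3] << 8) | p[4]; s.components = p[5];
      if (s.width == 0 || s.components < 1 || s.components > 4 || n != 6 + 3 * size_t(s.components))
        return fail("SOF: bad size or component count");
      for (int c = 0; c < s.components; ++c) {
        int h = p[7 + 3 * c] >> 4, v = p[7 + 3 * c] & 0x0F, tq = p[8 + 3 * c];
        if (h < 1 || h > 4 || v < 1 || v > 4 || tq > 3) return fail("SOF: bad sampling/Tq");
      }
      ++s.sof;
    } else if (m == 0xDA) {                                    // SOS, then entropy-coded data
      if (s.sof == 0) return fail("SOS before SOF");
      ++s.sos; pos += len;
      // A marker inside the scan is 0xFF followed by neither 0x00 (byte stuffing) nor RSTn.
      while (pos + 1 < d.size() &&
             !(d[pos] == 0xFF && d[pos + 1] != 0x00 && (d[pos + 1] < 0xD0 || d[pos + 1] > 0xD7)))
        ++pos;
      continue;
    }
    pos += len;                                                // APPn, COM, DRI, ...: skip payload
  }
  if (!s.eoi) return fail("no EOI");
  if (s.sof == 0) return fail("no SOF");
  if (s.sos == 0) return fail("no SOS: frame carries no scan data");
  return s;
}

// The crasher from the report, transcribed from its xxd dump (189 bytes).
std::vector<uint8_t> CrasherBytes() {
  std::vector<uint8_t> v = {0xFF, 0xD8, 0xFF, 0xDB, 0x00, 0x43, 0x00};   // SOI; DQT, 8-bit table 0
  v.insert(v.end(), size_t(64), uint8_t(0x30));
  const uint8_t dqt1[] = {0xFF, 0xDB, 0x00, 0x43, 0x01};                  // DQT, 8-bit table 1
  v.insert(v.end(), dqt1, dqt1 + sizeof dqt1);
  v.insert(v.end(), size_t(64), uint8_t(0x30));
  const uint8_t rest[] = {
      0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, 0x08, 0x30, 0x30, 0x03,           // SOF0: 12336 x 8, 3 comps
      0x30, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01,
      0xFF, 0xC4, 0x00, 0x1A, 0x11, 0x01, 0x00, 0x02, 0x03, 0x01,           // DHT: one AC table (Th=1)
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,     // remaining BITS counts
      0x00, 0xFB, 0x99, 0xAC, 0x30, 0xE7, 0x97,                             // 7 HUFFVAL symbols
      0xFF, 0xD9};                                                          // EOI, with no SOS anywhere
  v.insert(v.end(), rest, rest + sizeof rest);
  return v;
}

int main() {
  JpegSummary s = WalkJpeg(CrasherBytes());
  std::printf("crasher: %s (%dx%d, %d comps, DQT=%d DHT=%d SOF=%d SOS=%d)\n",
              s.ok ? "ok" : s.error.c_str(), s.width, s.height, s.components, s.dqt, s.dht, s.sof, s.sos);
  return s.ok ? 0 : 1;
}
```

Builds with any C++11 compiler (for example `g++ -std=c++11`). On the crasher every individual segment is internally consistent and the walker only fails at the post-condition, "no SOS: frame carries no scan data"; on a well-formed baseline file it returns `ok` with `sos` of at least 1, because the loop after SOS steps over byte-stuffed 0xFF 0x00 pairs and RSTn markers rather than treating them as segment boundaries. Rejecting a frame header with no scan, and a segment whose length runs past the buffer, at this stage is cheaper than letting a later processing stage assume the data exists.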

alex commented 7 years ago

Traceback obtained with lldb:

* thread #1: tid = 0xfdd77d, 0x0000000100070c01 guetzli`guetzli::ProcessJpegData(guetzli::Params const&, guetzli::JPEGData const&, guetzli::Comparator*, guetzli::GuetzliOutput*, guetzli::ProcessStats*) + 4513, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100070c01 guetzli`guetzli::ProcessJpegData(guetzli::Params const&, guetzli::JPEGData const&, guetzli::Comparator*, guetzli::GuetzliOutput*, guetzli::ProcessStats*) + 4513
    frame #1: 0x00000001000764c4 guetzli`guetzli::Process(guetzli::Params const&, guetzli::ProcessStats*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*) + 756
    frame #2: 0x000000010001c433 guetzli`main + 1331
    frame #3: 0x00007fffb346c255 libdyld.dylib`start + 1
    frame #4: 0x00007fffb346c255 libdyld.dylib`start + 1

robryk commented 7 years ago

Thanks for the report. This is the same thing as #38 -- it is a crash, but not an exploitable one. I'll fix it shortly.

alex commented 7 years ago

Doh, not sure how I missed that.