mdadams
commented
3 years ago Hi Bob,
On Sat, 10 Jul 2021, Bob Friesenhahn wrote:
Using the test case from oss-fuzz 35746 it is possible to provoke a crash in the jasper program using code from the mdadams-callbacks branch.
oss-fuzz-35746.tar.gz
% jasper --input-option max_samples=1073741824 --input clusterfuzz-testcase-minimized-coder_JP2_fuzzer-5181030653886464 --output-format jp2 --output crap.jp2 maximum memory limit (1073741824) would be exceeded zsh: segmentation fault (core dumped) jasper --input-option max_samples=1073741824 --input --output-format jp2
This reproducer is much appreciated. This is exactly the sort of thing that I wanted. This both guarantees that the problem is in JasPer (and not the user of JasPer) and also equally importantly gives me a way to reproduce the problem so that I can fix it. Incidentally, I suspect that the same bug is in the master branch as well, but it is just less likely to be hit.
--Michael
Using the test case from oss-fuzz 35746 it is possible to provoke a crash in the jasper program using code from the mdadams-callbacks branch.
oss-fuzz-35746.tar.gz
% jasper --input-option max_samples=1073741824 --input clusterfuzz-testcase-minimized-coder_JP2_fuzzer-5181030653886464 --output-format jp2 --output crap.jp2 maximum memory limit (1073741824) would be exceeded zsh: segmentation fault (core dumped) jasper --input-option max_samples=1073741824 --input --output-format jp2
% gdb /usr/local/bin/jasper core GNU gdb (Ubuntu 10.2-0ubuntu1~18.04~2) 10.2 Copyright (C) 2021 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: https://www.gnu.org/software/gdb/bugs/. Find the GDB manual and other documentation resources online at: http://www.gnu.org/software/gdb/documentation/.
For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /usr/local/bin/jasper... [New LWP 12051] Core was generated by `jasper --input-option max_samples=1073741824 --input clusterfuzz-testcase-minim'. Program terminated with signal SIGSEGV, Segmentation fault.
0 0x00007f483ececb1e in jas_matrix_destroy (matrix=0x0) at /home/bfriesen/src/graphics/jasper-callbacks.git/src/libjasper/base/jas_seq.c:163
163 if (matrix->data_) { (gdb) bt
0 0x00007f483ececb1e in jas_matrix_destroy (matrix=0x0) at /home/bfriesen/src/graphics/jasper-callbacks.git/src/libjasper/base/jas_seq.c:163
1 0x00007f483ecfd940 in jpc_dec_tilefini (dec=0x563d679e2c20, tile=0x563d679e3a80)
2 0x00007f483ed006ee in jpc_dec_destroy (dec=0x563d679e2c20) at /home/bfriesen/src/graphics/jasper-callbacks.git/src/libjasper/jpc/jpc_dec.c:2171
3 0x00007f483ecfb4f3 in jpc_decode (in=0x563d679de910, optstr=0x563d679dc898 "max_samples=1073741824")
4 0x00007f483ece7bbe in jas_image_decode (in=0x563d679de910, fmt=4, optstr=0x563d679dc898 "max_samples=1073741824")
5 0x0000563d67119eb5 in main (argc=9, argv=0x7ffcb69fd168) at /home/bfriesen/src/graphics/jasper-callbacks.git/src/appl/jasper.c:251
(gdb)