Open JarLob opened 9 months ago
The pointer `p` at line 2391 in `stbi__jpeg_decode_block_prog_ac` uses the second element from the `data` array, but the value wasn't initialized.
It doesn't seem to be a potential security issue, but nevertheless looks like some logical bug in decoding.
To reproduce the issue, build the following with MemorySanitizer and run the program to hit the usage of the uninitialized memory:

```c
#include <stddef.h>
#include <stdint.h>
#define STB_IMAGE_IMPLEMENTATION
#include "../stb_image.h"

int main(int argc, char* argv[])
{
    /* Minimal progressive JPEG: SOI, SOF2, then a single SOS with no entropy data. */
    const uint8_t data[] = {0xff,0xd8,0xff,0xc2,0x00,0x11,0x08,0x00,0x50,0x00,
                            0x4b,0x03,0x01,0x22,0x00,0x02,0x11,0x01,0x03,0x11,
                            0x01,0xff,0xda,0x00,0x08,0x01,0x02,0x01,0x01,0x3f,
                            0x65};
    size_t size = sizeof(data);
    int x, y, channels;
    /* stbi_load_from_memory takes the length as int; request 4 output channels. */
    stbi_uc *img = stbi_load_from_memory(data, (int)size, &x, &y, &channels, 4);
    stbi_image_free(img); /* safe on NULL if decoding failed */
    return 0;
}
```
```
==382370==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5e4db2 in stbi__jpeg_decode_block_prog_ac(stbi__jpeg*, short*, stbi__huffman*, short*) tests/../stb_image.h:2391:20
    #1 0x5d4618 in stbi__parse_entropy_coded_data(stbi__jpeg*) tests/../stb_image.h:3026:24
    #2 0x5c6ada in stbi__decode_jpeg_image(stbi__jpeg*) tests/../stb_image.h:3423:15
    #3 0x5b98bb in load_jpeg_image(stbi__jpeg*, int*, int*, int*, int) tests/../stb_image.h:3872:9
    #4 0x4deb1b in stbi__jpeg_load(stbi__context*, int*, int*, int*, int, stbi__result_info*) tests/../stb_image.h:4035:13
    #5 0x4c0605 in stbi__load_main(stbi__context*, int*, int*, int*, int, stbi__result_info*, int) tests/../stb_image.h:1166:35
    #6 0x4a617b in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) tests/../stb_image.h:1261:19
    #7 0x4abca5 in stbi_load_from_memory tests/../stb_image.h:1431:11
```
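The bytes in the reproducer are worth reading as JPEG marker segments, because they show which decoder path the input takes. The marker walker below is an added example written for this page, not stb_image code and not part of the original report; it parses only segment headers (no Huffman or entropy decoding) and stops at the first SOS. On the reproducer bytes (copied from the report, labelled `kRepro` here) it finds SOF2 (progressive DCT, 75x80, 3 components), no DQT or DHT segments, and a single SOS for component 2 with Ss=1, Se=63, Ah=6, Al=5: an AC refinement scan followed by zero entropy-coded bytes. A progressive AC scan is what routes stb_image into `stbi__jpeg_decode_block_prog_ac`, and this file contains no earlier scan that could have written the coefficients the refinement pass reads, which is consistent with the uninitialized read on the `data` array that MemorySanitizer flagged. That reading of the trace is mine, not the reporter's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reproducer bytes from the issue above (31 bytes: SOI, SOF2, SOS, nothing else). */
static const uint8_t kRepro[] = {0xff,0xd8,0xff,0xc2,0x00,0x11,0x08,0x00,0x50,0x00,
                                 0x4b,0x03,0x01,0x22,0x00,0x02,0x11,0x01,0x03,0x11,
                                 0x01,0xff,0xda,0x00,0x08,0x01,0x02,0x01,0x01,0x3f,
                                 0x65};

/* What the marker walk found; field names are this example's own. */
typedef struct {
    int sof_marker;            /* 0xC0 baseline, 0xC2 progressive, 0 if no SOF seen */
    int precision, height, width, ncomp;
    int dqt_segments, dht_segments;
    int scans;                 /* SOS markers seen (walk stops at the first one) */
    int scan_comp;             /* component id of a single-component scan, else -1 */
    int ss, se, ah, al;        /* spectral selection and successive approximation */
    int entropy_bytes;         /* bytes left in the buffer after the SOS header */
} jpeg_summary;

static unsigned be16(const uint8_t *p) { return (unsigned)(p[0] << 8 | p[1]); }

/* Walk marker segments. Returns 0 on success, -1 if the stream is not a JPEG
   or a segment length runs past the end of the buffer. */
int jpeg_walk(const uint8_t *buf, size_t len, jpeg_summary *s)
{
    memset(s, 0, sizeof *s);
    s->scan_comp = -1;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* no SOI */
    size_t pos = 2;
    while (pos + 4 <= len) {
        if (buf[pos] != 0xFF) return -1;                           /* lost sync */
        int marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }                   /* fill byte */
        if (marker == 0xD9) break;                                 /* EOI */
        size_t seglen = be16(buf + pos + 2);                       /* includes itself */
        if (seglen < 2 || pos + 2 + seglen > len) return -1;       /* truncated */
        const uint8_t *p = buf + pos + 4;
        size_t plen = seglen - 2;
        switch (marker) {
        case 0xC0: case 0xC1: case 0xC2:                            /* SOF0/1/2 */
            if (plen < 6) return -1;
            s->sof_marker = marker;
            s->precision = p[0];
            s->height = (int)be16(p + 1);
            s->width  = (int)be16(p + 3);
            s->ncomp  = p[5];
            break;
        case 0xC4: s->dht_segments++; break;                       /* DHT */
        case 0xDB: s->dqt_segments++; break;                       /* DQT */
        case 0xDA: {                                               /* SOS */
            if (plen < 1) return -1;
            int ns = p[0];
            if (plen < (size_t)(1 + 2 * ns + 3)) return -1;
            s->scans++;
            s->scan_comp = (ns == 1) ? p[1] : -1;
            const uint8_t *q = p + 1 + 2 * ns;
            s->ss = q[0]; s->se = q[1]; s->ah = q[2] >> 4; s->al = q[2] & 0x0F;
            s->entropy_bytes = (int)(len - (pos + 2 + seglen));
            return 0;                                              /* stop at first scan */
        }
        default: break;                                            /* APPn, COM, DRI, ... */
        }
        pos += 2 + seglen;
    }
    return 0;
}

int main(void)
{
    jpeg_summary s;
    if (jpeg_walk(kRepro, sizeof kRepro, &s) != 0) { puts("not a JPEG"); return 1; }
    printf("SOF marker 0x%02X, %dx%d, %d components, %d-bit\n",
           s.sof_marker, s.width, s.height, s.ncomp, s.precision);
    printf("DQT segments %d, DHT segments %d\n", s.dqt_segments, s.dht_segments);
    printf("SOS for component %d: Ss=%d Se=%d Ah=%d Al=%d, %d entropy bytes\n",
           s.scan_comp, s.ss, s.se, s.ah, s.al, s.entropy_bytes);
    printf("%s scan\n", s.ss == 0 ? "DC" : (s.ah ? "AC refinement" : "AC first"));
    return 0;
}
```

The walk deliberately does not validate that the tables a scan references were ever defined; that is the decoder's job, and the point here is only to show the shape of the input that reaches the progressive AC path.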