rockcarry / ffjpeg

a simple jpeg codec.
GNU General Public License v3.0

Invalid read in jfif_decode (jfif.c:547) #34

Open wanghualei2 opened 3 years ago

wanghualei2 commented 3 years ago

Hello, I found an invalid read and used valgrind to show the details.

command line: ffjpeg -d crash (click this crash file to get the crash file)

The message is as follows:

==2723552== Memcheck, a memory error detector
==2723552== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2723552== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==2723552== Command: ../../software/ffjpeg/src/ffjpeg -d crash
==2723552==
==2723552== Invalid read of size 4
==2723552==    at 0x112616: jfif_decode (jfif.c:547)
==2723552==    by 0x109431: main (ffjpeg.c:24)
==2723552==  Address 0x4e34950 is 0 bytes after a block of size 0 alloc'd
==2723552==    at 0x40357E5: malloc (vg_replace_malloc.c:380)
==2723552==    by 0x110265: jfif_decode (jfif.c:444)
==2723552==    by 0x109431: main (ffjpeg.c:24)
==2723552==
==2723552== Invalid read of size 4
==2723552==    at 0x11263A: jfif_decode (jfif.c:547)
==2723552==    by 0x109431: main (ffjpeg.c:24)
==2723552==  Address 0x4e34910 is 0 bytes after a block of size 0 alloc'd
==2723552==    at 0x40357E5: malloc (vg_replace_malloc.c:380)
==2723552==    by 0x110240: jfif_decode (jfif.c:443)
==2723552==    by 0x109431: main (ffjpeg.c:24)
==2723552==
==2723552== Conditional jump or move depends on uninitialised value(s)
==2723552==    at 0x114EE3: yuv_to_rgb (color.c:25)
==2723552==    by 0x112645: jfif_decode (jfif.c:547)
==2723552==    by 0x109431: main (ffjpeg.c:24)
==2723552==
==2723552== Conditional jump or move depends on uninitialised value(s)
==2723552==    at 0x114F70: yuv_to_rgb (color.c:26)
==2723552==    by 0x112645: jfif_decode (jfif.c:547)
==2723552==    by 0x109431: main (ffjpeg.c:24)
==2723552==
==2723552== Conditional jump or move depends on uninitialised value(s)
==2723552==    at 0x114FFC: yuv_to_rgb (color.c:27)
==2723552==    by 0x112645: jfif_decode (jfif.c:547)
==2723552==    by 0x109431: main (ffjpeg.c:24)
==2723552==
==2723552==
==2723552== More than 10000000 total errors detected.  I'm not reporting any more.
==2723552== Final error counts will be inaccurate.  Go fix your program!
==2723552== Rerun with --error-limit=no to disable this cutoff.  Note
==2723552== that errors may occur in your program without prior warning from
==2723552== Valgrind, because errors are no longer being displayed.
==2723552==
==2723552==
==2723552== HEAP SUMMARY:
==2723552==     in use at exit: 0 bytes in 0 blocks
==2723552==   total heap usage: 21 allocs, 21 frees, 58,264,252 bytes allocated
==2723552==
==2723552== All heap blocks were freed -- no leaks are possible
==2723552==
==2723552== Use --track-origins=yes to see where uninitialised values come from
==2723552== For lists of detected and suppressed errors, rerun with: -s
==2723552== ERROR SUMMARY: 10000000 errors from 5 contexts (suppressed: 0 from 0)

Please confirm the issue.
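The log above shows the defect class rather than the exact code: a block of size 0 is malloc'd at jfif.c:443/444, a 4-byte read at jfif.c:547 lands 0 bytes past it, and the values fed to yuv_to_rgb are uninitialised. The C below is an added illustration and is not ffjpeg's own code. It models a hypothetical per-component sample plane whose allocator refuses zero or overflowing dimensions (so a malloc(0) never happens), zero-initialises the buffer (so no uninitialised reads follow), and bounds-checks every sample read. The names plane_t, plane_size_ok, plane_alloc, plane_get, plane_free and demo are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical component plane; not ffjpeg's structure. */
typedef struct {
    int  width;
    int  height;
    int *samples;   /* width*height samples, or NULL when not allocated */
} plane_t;

/* Returns 1 and stores the byte count when w*h*sizeof(int) is nonzero and
 * does not overflow size_t; returns 0 for zero, negative or overflowing sizes. */
int plane_size_ok(int w, int h, size_t *out_bytes)
{
    if (w <= 0 || h <= 0) return 0;              /* rejects the malloc(0) case */
    size_t n = (size_t)w;
    if (n > SIZE_MAX / (size_t)h) return 0;      /* w*h would overflow */
    n *= (size_t)h;
    if (n > SIZE_MAX / sizeof(int)) return 0;    /* *sizeof(int) would overflow */
    *out_bytes = n * sizeof(int);
    return 1;
}

/* Allocates a zero-filled plane. Returns 0 on success, -1 when the
 * dimensions are invalid or the allocation fails; p is left empty on failure. */
int plane_alloc(plane_t *p, int w, int h)
{
    size_t bytes;
    p->samples = NULL; p->width = 0; p->height = 0;
    if (!plane_size_ok(w, h, &bytes)) return -1;
    p->samples = calloc(1, bytes);               /* calloc: samples start defined */
    if (!p->samples) return -1;
    p->width = w; p->height = h;
    return 0;
}

/* Bounds-checked read: stores the sample and returns 0, or returns -1 when
 * (x, y) lies outside the plane or the plane is not allocated. */
int plane_get(const plane_t *p, int x, int y, int *out)
{
    if (!p->samples || x < 0 || y < 0 || x >= p->width || y >= p->height) return -1;
    *out = p->samples[(size_t)y * (size_t)p->width + (size_t)x];
    return 0;
}

void plane_free(plane_t *p)
{
    free(p->samples);
    p->samples = NULL; p->width = 0; p->height = 0;
}

/* Walks the checks in order; returns 0 when every check behaves as intended. */
int demo(void)
{
    plane_t p;
    int v;
    /* A zero-height component: an unchecked decoder would malloc(0) and then
     * read 4 bytes past the block, exactly what memcheck reported above. */
    if (plane_alloc(&p, 16, 0) == 0) return -1;             /* must be rejected */
    if (plane_alloc(&p, 16, 8) != 0) return -2;             /* normal case succeeds */
    if (plane_get(&p, 15, 7, &v) != 0 || v != 0) return -3; /* in range, defined, zero */
    if (plane_get(&p, 16, 7, &v) == 0) return -4;           /* one past the row: rejected */
    plane_free(&p);
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %d\n", rc);
    return rc != 0;
}
```

Under valgrind or AddressSanitizer the checked version reports nothing, while a plane sized from attacker-controlled dimensions without the plane_size_ok gate reproduces the "0 bytes after a block of size 0" pattern in the log.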

wanghualei2 commented 3 years ago

I am looking forward to your reply and answer!

rockcarry commented 3 years ago

I use the latest code, commit id is 4ab404eb87fe039d6cfba121d2ba572fb060e623. make; cd src; ./ffjpeg -d crash. I do not get a crash, and the decode.bmp file size is 32512x255.

wanghualei2 commented 3 years ago

Hello, in fact this problem will not cause the program to crash, it just reads an illegal address. I think this may be a security problem. If you want to reproduce the problem, you need to use valgrind to find the memory leak.

wanghualei2 commented 3 years ago

My environment is: ubuntu 18.04, valgrind7. You can try the commands: apt-get install valgrind; valgrind ./ffjpeg -d crash

wanghualei2 commented 3 years ago

If you still cannot reproduce it, please do contact me

rockcarry commented 3 years ago

I checked all the code according to the log, but the code looks all right; I can't find any problem.

wanghualei2 commented 3 years ago

Well, that may not be a problem.