rockcarry / ffjpeg

a simple jpeg codec.
GNU General Public License v3.0

Overflow of jfif.c in function jfif_decode #41

Closed NigelX closed 3 years ago

NigelX commented 3 years ago

Hi ffjpeg team, I found a crash error.

System info: Ubuntu 20.04, clang 11.0.0, gcc 9.3.0

commit: 863adf23144ee21dcee9064ceba90bbbf0edc919

file: poc.zip


Verification steps:
1. Get the source code of ffjpeg
2. Compile ffjpeg
3. Run ffjpeg

$ cd src
$ ./ffjpeg -d poc

gdb info:

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x1 
RCX: 0x0 
RDX: 0x0 
RSI: 0x0 
RDI: 0x7ffff26c5dd0 --> 0x0 
RBP: 0x7ffcd89b1663 --> 0x0 
RSP: 0x7fffffffdd00 --> 0x216008 --> 0x205520 (<__afl_auto_first>:  push   rax)
RIP: 0x20de9d (<main+26749>:    mov    esi,DWORD PTR [r8+rax*4])
R8 : 0x7ffaddd85950 
R9 : 0x7ffff6746dd4 --> 0x0 
R10: 0x1 
R11: 0x0 
R12: 0x1010 
R13: 0x3030 ('00')
R14: 0xff 
R15: 0x1010
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x20de94 <main+26740>:   cdqe   
   0x20de96 <main+26742>:   mov    edx,DWORD PTR [r9-0x4]
   0x20de9a <main+26746>:   mov    ecx,DWORD PTR [rdi+rcx*4]
=> 0x20de9d <main+26749>:   mov    esi,DWORD PTR [r8+rax*4]
   0x20dea1 <main+26753>:   imul   eax,esi,0xb37
   0x20dea7 <main+26759>:   sar    eax,0xb
   0x20deaa <main+26762>:   add    eax,edx
   0x20deac <main+26764>:   add    eax,0x40000
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdd00 --> 0x216008 --> 0x205520 (<__afl_auto_first>: push   rax)
0008| 0x7fffffffdd08 --> 0x419600 --> 0x101000001010 
0016| 0x7fffffffdd10 --> 0x7ffcd6a2d010 --> 0x8080808080808080 
0024| 0x7fffffffdd18 --> 0x3030 ('00')
0032| 0x7fffffffdd20 --> 0xa77 ('w\n')
0040| 0x7fffffffdd28 --> 0x3 
0048| 0x7fffffffdd30 --> 0x1010 
0056| 0x7fffffffdd38 --> 0x2171f8 --> 0x4192a0 --> 0x3b000400000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000020de9d in jfif_decode (ctxt=<optimized out>, pb=<optimized out>) at jfif.c:547
547             yuv_to_rgb(*ysrc, *usrc, *vsrc, bdst + 2, bdst + 1, bdst + 0);

Please confirm.

Thanks
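The backtrace above shows an out-of-bounds read inside the YUV-to-RGB loop of jfif_decode. As an added example (not ffjpeg's code), here is a hypothetical planar YCbCr-to-BGR routine that validates the declared width, height and chroma subsampling against the buffer sizes it was actually given before indexing, returning an error instead of reading past the planes; the conversion constants are BT.601 full-range in 16.16 fixed point.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: saturate to the 0..255 range. */
static uint8_t clamp_u8(int v) { return v < 0 ? 0 : v > 255 ? 255 : (uint8_t)v; }

/* Hypothetical per-pixel YCbCr -> RGB (BT.601 full range, 16.16 fixed point). */
static void yuv_to_rgb_px(int y, int u, int v, uint8_t *r, uint8_t *g, uint8_t *b)
{
    int cb = u - 128, cr = v - 128;
    *r = clamp_u8(y + ((91881 * cr) >> 16));
    *g = clamp_u8(y - ((22554 * cb + 46802 * cr) >> 16));
    *b = clamp_u8(y + ((116130 * cb) >> 16));
}

/* Convert planar YCbCr with chroma subsampling factors hs, vs (each 1 or 2) into
 * packed BGR. Returns 0 on success, -1 when the declared geometry does not fit the
 * supplied buffers, so the inner loop can never index past a plane. */
int yuv_planes_to_bgr(const uint8_t *yp, size_t ylen,
                      const uint8_t *up, const uint8_t *vp, size_t clen,
                      int width, int height, int hs, int vs,
                      uint8_t *bgr, size_t bgrlen)
{
    if (width <= 0 || height <= 0) return -1;
    if ((hs != 1 && hs != 2) || (vs != 1 && vs != 2)) return -1;
    /* Reject dimensions whose pixel count would overflow size_t. */
    if ((size_t)width > SIZE_MAX / (size_t)height) return -1;
    size_t npix = (size_t)width * (size_t)height;
    size_t cw = ((size_t)width + hs - 1) / hs;   /* chroma plane width  */
    size_t ch = ((size_t)height + vs - 1) / vs;  /* chroma plane height */
    if (ylen < npix || clen < cw * ch) return -1;  /* planes smaller than declared */
    if (npix > SIZE_MAX / 3 || bgrlen < npix * 3) return -1;

    for (int row = 0; row < height; row++) {
        const uint8_t *ysrc = yp + (size_t)row * width;
        const uint8_t *usrc = up + (size_t)(row / vs) * cw;
        const uint8_t *vsrc = vp + (size_t)(row / vs) * cw;
        uint8_t *bdst = bgr + (size_t)row * width * 3;
        for (int col = 0; col < width; col++, bdst += 3)
            yuv_to_rgb_px(ysrc[col], usrc[col / hs], vsrc[col / hs], bdst + 2, bdst + 1, bdst + 0);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a 2x2 mid-gray image with 4:2:0 chroma (one chroma sample). */
    uint8_t y[4] = {128, 128, 128, 128}, u[1] = {128}, v[1] = {128}, out[12];
    printf("ok: %d\n", yuv_planes_to_bgr(y, 4, u, v, 1, 2, 2, 2, 2, out, sizeof out));
    /* Header claims 4x4 but only 4 luma bytes were supplied: rejected instead of overread. */
    printf("oversized header: %d\n", yuv_planes_to_bgr(y, 4, u, v, 1, 4, 4, 2, 2, out, sizeof out));
    return 0;
}
```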

rockcarry commented 3 years ago

fixed, pls check latest code.

NigelX commented 3 years ago

Thanks for the fix.