rockcarry / ffjpeg

a simple jpeg codec.
GNU General Public License v3.0

null pointer dereference in function jfif_encode() in file jfif.c #42

Open chibataiki opened 3 years ago

chibataiki commented 3 years ago

version: latest commit 0fa4cf8

In function jfif_encode() in file jfif.c, when converting RGB to YUV, there is no check that pb->pdata is valid before it is dereferenced.

Reproduce: `make`, then `./ffjpeg -e poc`

null_pointer_deference_jfif_encode.zip

debug info

Program received signal SIGSEGV, Segmentation fault.
0x00005555555586b5 in jfif_encode (pb=0x7fffffffe230) at jfif.c:755
755                 rgb_to_yuv(bsrc[2], bsrc[1], bsrc[0], ydst, udst, vdst);
[ Legend: Modified register | Code | Heap | Stack | String ]
── registers ────
$rax   : 0x0
$rbx   : 0x000055555555bc40  →  <__libc_csu_init+0> endbr64
$rcx   : 0x00007ffff7ee1a46  →  0x6277fffff0003d48 ("H="?)
$rdx   : 0x4a15b002
$rsp   : 0x00007fffffffe050  →  0x0000000000000000
$rbp   : 0x00007fffffffe200  →  0x00007fffffffe250  →  0x0000000000000000
$rsi   : 0x4a15b000
$rdi   : 0x0
$rip   : 0x00005555555586b5  →  <jfif_encode+1858> movzx eax, BYTE PTR [rax]
$r8    : 0x00007ffdc2f74010  →  0x0000000000000000
$r9    : 0x0
$r10   : 0x22
$r11   : 0x246
$r12   : 0x00005555555552a0  →  <_start+0> endbr64
$r13   : 0x00007fffffffe340  →  0x0000000000000003
$r14   : 0x0
$r15   : 0x0
$eflags: [zero CARRY parity ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
── stack ────
0x00007fffffffe050│+0x0000: 0x0000000000000000   ← $rsp
0x00007fffffffe058│+0x0008: 0x00007fffffffe230  →  0x00ed11fd00000041 ("A"?)
0x00007fffffffe060│+0x0010: 0x00000000200a964b
0x00007fffffffe068│+0x0018: 0x0000000000000000
0x00007fffffffe070│+0x0020: 0x00000001200a964b
0x00007fffffffe078│+0x0028: 0x00ed120000000050 ("P"?)
0x00007fffffffe080│+0x0030: 0x0000555555560480  →  0x00ed11fd00000041 ("A"?)
0x00007fffffffe088│+0x0038: 0x00005555555608a0  →  0x0000000000000000
─── code:x86:64 ────
   0x5555555586aa <jfif_encode+1847> test   DWORD PTR [rax], eax
   0x5555555586ac <jfif_encode+1849> add    BYTE PTR [rax], al
   0x5555555586ae <jfif_encode+1851> mov    rax, QWORD PTR [rbp-0x148]
 → 0x5555555586b5 <jfif_encode+1858> movzx  eax, BYTE PTR [rax]
   0x5555555586b8 <jfif_encode+1861> movzx  edx, al
   0x5555555586bb <jfif_encode+1864> mov    rax, QWORD PTR [rbp-0x148]
   0x5555555586c2 <jfif_encode+1871> add    rax, 0x1
   0x5555555586c6 <jfif_encode+1875> movzx  eax, BYTE PTR [rax]
   0x5555555586c9 <jfif_encode+1878> movzx  esi, al
───── threads ────
[#0] Id 1, Name: "ffjpeg-ggdb", stopped 0x5555555586b5 in jfif_encode (), reason: SIGSEGV
─── trace ────
[#0] 0x5555555586b5 → jfif_encode(pb=0x7fffffffe230)
[#1] 0x5555555554a0 → main()
────

gef➤  p bsrc
$1 = (BYTE *) 0x0

gef➤  frame 0
#0  0x00005555555586b5 in jfif_encode (pb=0x7fffffffe230) at jfif.c:755
755                 rgb_to_yuv(bsrc[2], bsrc[1], bsrc[0], ydst, udst, vdst);

gef➤  p *pb
$7 = {
  width = 0x41,
  height = 0xed11fd,
  stride = 0xc4,
  pdata = 0x0
}

Potential patch: add the following code after line 669 in file jfif.c

    /* Reject a BMP that carries no pixel buffer before the RGB->YUV loop
     * dereferences it (the crash frame above shows pdata = 0x0 with
     * width = 0x41, height = 0xed11fd).
     * NOTE(review): the crash frames name the parameter `pb`; confirm
     * whether `pf` is the correct name at this point in jfif_encode(). */
    if (pf->pdata == NULL) {
        printf("invalid bmp data !\n"); /* message wording is the reporter's choice */
        return NULL;
    }