rockcarry / ffjpeg

a simple jpeg codec.
GNU General Public License v3.0

SEGV in jfif_encode() at jfif.c:763 #47

Closed Marsman1996 closed 2 years ago

Marsman1996 commented 2 years ago

This segmentation fault happens because in bmp_load(), when the bmp's size is out of range, it returns without assigning a memory buffer to pb->pdata and does not exit the program. So the program crashes when it tries to access pb->pdata, which is an invalid memory address.

Test Environment

Ubuntu 16.04, 64bit
ffjpeg (master d5cfd49)

How to trigger

$ ./ffjpeg -e $POC

POC FILE

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc-ffjpeg-d5cfd49-jfif_encode-SEGV?raw=true

Details

gdb report

Breakpoint 1, bmp_load (pb=0x7fffffffdae0, file=0x7fffffffe070 "./poc-ffjpeg-d5cfd49-jfif_encode-SEGV") at bmp.c:45
45              printf("bmp's width * height is out of range !\n");
(gdb) n
bmp's width * height is out of range !
46              goto done;
(gdb) c
Continuing.

Breakpoint 2, jfif_encode (pb=0x7fffffffdae0) at jfif.c:757
757         bsrc = pb->pdata;
(gdb) n
758         ydst = yuv_datbuf[0];
(gdb) p bsrc
$2 = (BYTE *) 0x0
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000520b78 in jfif_encode (pb=0x7fffffffdae0) at jfif.c:763
763                 rgb_to_yuv(bsrc[2], bsrc[1], bsrc[0], ydst, udst, vdst);
(gdb) bt
#0  0x0000000000520b78 in jfif_encode (pb=0x7fffffffdae0) at jfif.c:763
#1  0x0000000000515e58 in main (argc=3, argv=0x7fffffffdcf8) at ffjpeg.c:30
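The root cause in the report is a loader that returns on an invalid size without setting pb->pdata, and a caller that never checks for that before dereferencing it. As an added example (not ffjpeg's own code), here is a minimal loader/caller pair in C showing the defensive pattern: the loader fails cleanly and the caller refuses to encode unless the load succeeded. The struct, the function names and the MAX_PIXELS bound are assumptions, not taken from the project.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical minimal bitmap struct standing in for ffjpeg's pb; it is
 * not the project's own definition. */
typedef struct {
    int      width;
    int      height;
    uint8_t *pdata;  /* BGR24 pixel buffer, NULL until a load succeeds */
} Bitmap;

/* Assumed pixel-count limit; the project's actual bound is not on the page. */
#define MAX_PIXELS (1u << 26)

/* Loader that fails cleanly: returns -1 and leaves pb->pdata NULL when the
 * dimensions are invalid, instead of handing back a half-initialised struct. */
int bmp_load_checked(Bitmap *pb, int width, int height)
{
    pb->width  = width;
    pb->height = height;
    pb->pdata  = NULL;
    if (width <= 0 || height <= 0)
        return -1;
    /* widen before multiplying so the range check itself cannot overflow */
    uint64_t pixels = (uint64_t)width * (uint64_t)height;
    if (pixels > MAX_PIXELS) {
        fprintf(stderr, "bmp's width * height is out of range !\n");
        return -1;
    }
    pb->pdata = calloc((size_t)pixels, 3);
    return pb->pdata ? 0 : -1;
}

/* Caller-side guard, the check missing in the reported crash: the encoder
 * must not touch pb->pdata until the loader has reported success. */
int load_and_encode(int width, int height)
{
    Bitmap pb;
    if (bmp_load_checked(&pb, width, height) != 0 || pb.pdata == NULL)
        return -1;              /* stop here instead of dereferencing NULL */
    /* encoding would read pixels from pb.pdata here (bsrc = pb.pdata) */
    uint8_t first_blue = pb.pdata[0];   /* safe: buffer is allocated */
    free(pb.pdata);
    return first_blue == 0 ? 0 : -1;    /* calloc zero-fills, so 0 */
}
```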