tjko / jpeginfo

jpeginfo - prints information and tests integrity of JPEG/JFIF files
http://www.iki.fi/tjko/projects.html
GNU General Public License v3.0

[BUG]: Nonfatal Error caused by use-of-uninitialized-value #12

Open SophrosyneX opened 2 years ago

SophrosyneX commented 2 years ago

Crash Inputs

Here are the files (32 in total) that trigger the error: jpeginfo_msan.zip

Bug Description:

When executing jpeginfo (new release version) with the file inputs and the parameters "-c -C -l", the program terminates with the Nonfatal Error shown below.

 Corrupt JPEG data: 85 extraneous bytes before marker 0xdb  227 x 149  24bit n/a   N    5681 /jpeginfo/msan/crashes/2  Quantization table 0x00 was not defined  /jpeginfo/msan/crashes/2 [ERROR]

Then I apply MSan (MemorySanitizer) to check for memory errors, and the error report is as follows.

==78779==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x496bc2 in main /jpeginfo/jpeginfo.c:312:10
    #1 0x7fc48e10fc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #2 0x41b629 in _start (/jpeginfo_msan/jpeginfo_msan+0x41b629)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /jpeginfo/jpeginfo.c:312:10 in main

Steps to Reproduce

tjko commented 1 year ago

Seems like a bug in MemorySanitizer; there doesn't seem to be any "use-of-uninitialized-value" going on here?

374             if (cmarker->marker == EXIF_JPEG_MARKER && cmarker->data_length >= EXIF_IDENT_STRING_LEN) {
(gdb) print *cmarker
$5 = {next = 0x0, marker = 254 '\376', original_length = 65, data_length = 65, data = 0x70a000000040 ""}
(gdb) n
==5742==WARNING: MemorySanitizer: use-of-uninitialized-value
[Detaching after fork from child process 5747]
    #0 0x4980f7 in main /home/tjko/git/jpeginfo/jpeginfo.c:374:44
    #1 0x7ffff7bdc09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #2 0x41e3a9 in _start (/home/tjko/git/jpeginfo/jpeginfo+0x41e3a9)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /home/tjko/git/jpeginfo/jpeginfo.c:374:44 in main
Exiting
[Inferior 1 (process 5742) exited with code 0115]
(gdb) 
tjko commented 1 year ago

After looking into this a bit more, it would seem like this is an "issue" with libjpeg (or it's just an issue with MemorySanitizer...)

The call to jpeg_read_header(&cinfo, TRUE) succeeds, but it ends up populating cinfo->marker_list (a linked list) with a marker whose data attribute points to this "uninitialized" data. MemorySanitizer gets triggered when trying to read the memory that the 'data' field of the first marker in the list points to...
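An added example, not code from jpeginfo or libjpeg: a stand-in for the libjpeg marker struct (field names as in the gdb dump) with the marker walk from jpeginfo.c:374, plus a probe built on MSan's `__msan_test_shadow` that reports which payload byte is poisoned, which is the direct way to check whether the uninitialized bytes are in the data libjpeg returned. The value 0xE1 (APP1) for EXIF_JPEG_MARKER is assumed, and the two sample markers are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Stand-in for libjpeg's jpeg_marker_struct: same field names and order as the gdb dump above. */
struct jpeg_marker_struct {
    struct jpeg_marker_struct *next;
    uint8_t marker;
    unsigned int original_length;
    unsigned int data_length;
    uint8_t *data;
};
#define EXIF_JPEG_MARKER      0xE1        /* APP1; assumed to be what jpeginfo's constant names */
#define EXIF_IDENT_STRING     "Exif\0\0"
#define EXIF_IDENT_STRING_LEN 6
#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    include <sanitizer/msan_interface.h>
#    define HAVE_MSAN 1
#  endif
#endif
/* Offset of the first payload byte MSan considers uninitialized, or -1 if all bytes are
 * initialized (always -1 without -fsanitize=memory). Probing cmarker->data with this right
 * before the comparison shows whether the poison lives in the payload libjpeg handed back. */
long first_uninit_byte(const struct jpeg_marker_struct *m)
{
    if (m == NULL || m->data == NULL || m->data_length == 0) return -1;
#ifdef HAVE_MSAN
    return (long)__msan_test_shadow(m->data, m->data_length);
#else
    return -1;
#endif
}
/* The walk from jpeginfo.c:374: read payload bytes only after the length check passes and
 * only when the shadow probe reports them initialized, so a poisoned marker is skipped. */
const struct jpeg_marker_struct *find_exif_marker(const struct jpeg_marker_struct *list)
{
    for (const struct jpeg_marker_struct *m = list; m != NULL; m = m->next) {
        if (m->marker != EXIF_JPEG_MARKER || m->data_length < EXIF_IDENT_STRING_LEN) continue;
        if (first_uninit_byte(m) != -1) continue;
        if (memcmp(m->data, EXIF_IDENT_STRING, EXIF_IDENT_STRING_LEN) == 0) return m;
    }
    return NULL;
}
/* Constructed sample list: a 65-byte COM marker (0xFE, as in the gdb dump) then an APP1 Exif marker. */
static uint8_t com_payload[65] = "constructed comment text";
static uint8_t app1_payload[] = "Exif\0\0MM";
struct jpeg_marker_struct sample_markers[2] = {
    { &sample_markers[1], 0xFE, 65, 65, com_payload },
    { NULL, EXIF_JPEG_MARKER, sizeof app1_payload, sizeof app1_payload, app1_payload },
};
```

Build with clang and -fsanitize=memory to get real shadow offsets; in a plain build the probe always reports -1 and the walk reduces to the original length check plus memcmp.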