Buffer over-read in JPEG loader
@tobiasmue
Submitted by Tobias Mueller. Link to original bug (#775697)
Description
Created attachment 341458: crashing file (password "crash"), found by afl. In the backtrace below, frame #1 shows i = 4294967295 (an unsigned index that has wrapped) while i+2 evaluates to 1; the resulting pointer 0x60e10000d51f handed to de_get16 lies far outside the 69-byte marker data at 0x60e00000d520, which is the out-of-bounds read that faults.
Program received signal SIGSEGV, Segmentation fault.
0x00007fffefa65263 in de_get16 (ptr=0x60e10000d51f, endian=1234) at io-jpeg.c:294
294 memcpy(&val, ptr, sizeof(val));
(gdb) t a a bt full
Thread 1 (Thread 0x7ffff7fc3880 (LWP 6023)):
#0 0x00007fffefa65263 in de_get16 (ptr=0x60e10000d51f, endian=1234) at io-jpeg.c:294
val = 21297
#1 0x00007fffefa662ab in jpeg_parse_exif_app1 (context=0x7fffffffb490, marker=0x60e00000d500) at io-jpeg.c:465
i = 4294967295
ret = 1
offset = 4294967286
tags = 4294967295
endian = 1234
leth = <error reading variable leth (Cannot access memory at address 0xffffffffffffff81)>
beth = <error reading variable beth (Cannot access memory at address 0xffffffffffffffc1)>
#2 0x00007fffefa668c6 in jpeg_parse_exif (context=0x7fffffffb490, cinfo=0x6190000014c0) at io-jpeg.c:516
cmarker = 0x60e00000d500
#3 0x00007fffefa6a4ad in gdk_pixbuf__jpeg_image_load_increment (data=0x619000001480, buf=0x62300000d500 "\200", size=1826, error=0x7fffffffb6b0) at io-jpeg.c:1037
rc = 1
context = 0x619000001480
cinfo = 0x6190000014c0
src = 0x631000014800
num_left = 0
num_copy = 1826
last_num_left = 1826
last_bytes_left = 1826
spinguard = 0
first = 0
bufhd = 0x62300000dc22 ""
icc_profile_base64 = 0x0
density_str = 0x0
retval = 61024
__func__ = "gdk_pixbuf__jpeg_image_load_increment"
#4 0x00007ffff6bbdbb2 in gdk_pixbuf_loader_write (loader=0x6190000003a0, buf=0x62300000d500 "\200", count=1826, error=0x7fffffffb6b0) at gdk-pixbuf-loader.c:521
priv = 0x621000020900
__func__ = "gdk_pixbuf_loader_write"
#5 0x0000000000400e0b in test_loader (bytes=0x62300000c500 "\377\330\377", <incomplete sequence \340>, len=5922, err=0x7fffffffb6b0) at pixbuf-read.c:31
loader = 0x6190000003a0
#6 0x000000000040121d in main (argc=88, argv=0x7fffffffb808) at pixbuf-read.c:75
contents = 0x62300000c500 "\377\330\377", <incomplete sequence \340>
size = 5922
err = 0x0
i = 29
(gdb) up
#1 0x00007fffefa662ab in jpeg_parse_exif_app1 (context=0x7fffffffb490, marker=0x60e00000d500) at io-jpeg.c:465
465 tags = de_get16(&marker->data[i], endian);
(gdb)
#2 0x00007fffefa668c6 in jpeg_parse_exif (context=0x7fffffffb490, cinfo=0x6190000014c0) at io-jpeg.c:516
516 jpeg_parse_exif_app1 (context, cmarker);
(gdb) down
#1 0x00007fffefa662ab in jpeg_parse_exif_app1 (context=0x7fffffffb490, marker=0x60e00000d500) at io-jpeg.c:465
465 tags = de_get16(&marker->data[i], endian);
(gdb) p marker
$7 = (jpeg_saved_marker_ptr) 0x60e00000d500
(gdb) p *marker
$8 = {next = 0x60e00000d420, marker = 225 '\341', original_length = 69, data_length = 69, data = 0x60e00000d520 "Exif66P"}
(gdb) p i
$9 = 4294967295
(gdb) p i+2
$10 = 1
(gdb) r
Attachment 341458, "crashing file, password "crash", found by afl":
crash.jpg.gpg
Version: git master