[Pkg-tigervnc-devel] Bug#768369: [libjpeg62-turbo] [DOS] Stack smashing
Lexie Parsimoniae
lexie.parsimoniae at gmail.com
Sun Nov 9 21:48:34 UTC 2014
What works:
convert 003632r270.jpg -rotate 270 junk.jpg
This works too with libjpeg-6b:
convert -define jpeg:optimize-coding=true 003632r270.jpg -rotate 270 junk.jpg
The same command fails if we use libturbojpeg 1.3.1:
gdb convert
run -define jpeg:optimize-coding=true 003632r270.jpg -rotate 270 junk.jpg
*** stack smashing detected ***: /usr/local/bin/convert terminated
...
where
#0 0x0000003bb1035877 in raise () from /lib64/libc.so.6
#1 0x0000003bb1036f68 in abort () from /lib64/libc.so.6
#2 0x0000003bb1075a54 in __libc_message () from /lib64/libc.so.6
#3 0x0000003bb1106947 in __fortify_fail () from /lib64/libc.so.6
#4 0x0000003bb1106910 in __stack_chk_fail () from /lib64/libc.so.6
#5 0x00000000007c6b2b in encode_mcu_huff (cinfo=0x7fffffff83b0,
MCU_data=0xc54110) at jchuff.c:641
#6 0x00000000007b9399 in compress_output (cinfo=0x7fffffff83b0,
input_buf=<optimized out>) at jccoefct.c:381
#7 0x0000000000795426 in jpeg_finish_compress (
cinfo=cinfo@entry=0x7fffffff83b0) at jcapimin.c:183
#8 0x00000000005741df in WriteJPEGImage (image_info=0xc4fb40,
image=0xc41b10)
at coders/jpeg.c:2794
#9 0x00000000005de602 in WriteImage (image_info=image_info@entry=0xc06950,
image=image@entry=0xc41b10) at magick/constitute.c:1114
...
To reproduce:
wget http://www.imagemagick.org/download/ImageMagick-6.8.9-10.tar.gz
tar xvf ImageMagick-6.8.9-10.tar.gz
cd ImageMagick-6.8.9-10
<download / unpack libjpeg-turbo>
mv libjpeg-turbo-1.3.1 jpeg
cd jpeg
export CFLAGS="-O3 -fPIC -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector"
./configure --disable-shared
make
cd ..
./configure --enable-delegate-build --disable-shared
make -j3
make install
gdb convert
run -define jpeg:optimize-coding=true 003632r270.jpg -rotate 270 junk.jpg
*** stack smashing detected ***: /usr/local/bin/convert terminated
Did ImageMagick corrupt the stack? Possible, we're investigating; however,
it's curious that the same command works for libjpeg-6b. We did use
valgrind, and valgrind did not reveal any memory corruption in ImageMagick.
Cristy
ImageMagick Principle Architect
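A small triage helper for backtraces like the one above, added here as an example; it is not part of Cristy's report nor of ImageMagick or libjpeg-turbo. It re-joins the frames the mail wrapped, undoes the list archive's rewriting of "@entry" as " at entry", skips glibc's abort machinery, and reports the frame whose stack canary failed together with its caller chain. The frame names and paths in the sample are copied from the report; the function names (`join_frames`, `parse_frame`, `triage`) and the RUNTIME_FUNCS set are my own choices.

```python
import re

# Constructed sample input: the gdb "where" output from the report, pasted as it
# arrived in the mail (argument lists wrapped, "@entry" rewritten as " at entry").
SAMPLE = """\
*** stack smashing detected ***: /usr/local/bin/convert terminated
#0 0x0000003bb1035877 in raise () from /lib64/libc.so.6
#1 0x0000003bb1036f68 in abort () from /lib64/libc.so.6
#2 0x0000003bb1075a54 in __libc_message () from /lib64/libc.so.6
#3 0x0000003bb1106947 in __fortify_fail () from /lib64/libc.so.6
#4 0x0000003bb1106910 in __stack_chk_fail () from /lib64/libc.so.6
#5 0x00000000007c6b2b in encode_mcu_huff (cinfo=0x7fffffff83b0,
MCU_data=0xc54110) at jchuff.c:641
#6 0x00000000007b9399 in compress_output (cinfo=0x7fffffff83b0,
input_buf=<optimized out>) at jccoefct.c:381
#7 0x0000000000795426 in jpeg_finish_compress (
cinfo=cinfo at entry=0x7fffffff83b0) at jcapimin.c:183
#8 0x00000000005741df in WriteJPEGImage (image_info=0xc4fb40,
image=0xc41b10)
at coders/jpeg.c:2794
"""

FRAME_START = re.compile(r"^#\d+\s")
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?(?P<func>\S+)\s*"
    r"\((?P<args>.*?)\)\s*"
    r"(?:at\s+(?P<file>\S+):(?P<line>\d+)|from\s+(?P<lib>\S+))?\s*$"
)

# glibc's abort path: these frames say *how* the process died, not *where* the
# corruption happened, so triage steps over them.
RUNTIME_FUNCS = {"raise", "abort", "__libc_message", "__fortify_fail",
                 "__stack_chk_fail", "__chk_fail", "__GI_raise", "__GI_abort"}

# glibc banner -> hardening mechanism that fired.
REASONS = (
    ("stack smashing detected", "stack-protector canary"),
    ("buffer overflow detected", "_FORTIFY_SOURCE bounds check"),
)


def join_frames(text):
    """Return one string per gdb frame, re-joining lines the mailer wrapped."""
    frames = []
    for line in text.splitlines():
        line = line.strip().replace(" at entry=", "@entry=")  # undo archive mangling
        if not line:
            continue
        if FRAME_START.match(line):
            frames.append(line)
        elif frames:
            frames[-1] += " " + line  # continuation of the previous frame
        # anything before the first "#N" (the abort banner) is not a frame
    return frames


def parse_frame(frame):
    """Split one frame into its fields; line becomes an int, missing fields None."""
    m = FRAME_RE.match(frame)
    if not m:
        return None
    d = m.groupdict()
    d["num"] = int(d["num"])
    d["line"] = int(d["line"]) if d["line"] else None
    return d


def abort_reason(text):
    for needle, reason in REASONS:
        if needle in text:
            return reason
    return "unknown"


def triage(text):
    """First frame outside the runtime's abort path, plus who called it."""
    frames = [f for f in map(parse_frame, join_frames(text)) if f]
    for i, f in enumerate(frames):
        if f["func"] not in RUNTIME_FUNCS:
            return {
                "reason": abort_reason(text),
                "function": f["func"],
                "file": f["file"],
                "line": f["line"],
                "callers": [g["func"] for g in frames[i + 1:]],
            }
    return None


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['reason']} failed in {r['function']} ({r['file']}:{r['line']})")
    print("called from:", " <- ".join(r["callers"]))
```

Two things the output makes explicit that the raw trace does not: the canary check runs in the epilogue of the function that owns the corrupted frame, so jchuff.c:641 is where encode_mcu_huff returned, not the store that overwrote the canary (that store happened inside encode_mcu_huff or in a callee that had already returned); and the caller chain shows the library/application boundary (jchuff.c, jccoefct.c and jcapimin.c are libjpeg internals, coders/jpeg.c is ImageMagick), which is the first thing to establish before deciding which project's bug it is.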