[Pkg-tigervnc-devel] Bug#768369: Acknowledgement ([libjpeg62-turbo] [DOS] Stack smashing)
roucaries bastien
roucaries.bastien+debian at gmail.com
Wed Nov 12 21:11:45 UTC 2014
We have investigated a little bit (thansk y dlemstra )
was able to reproduce the problem under Windows that uses libturbo
1.3.0. It looks like the problem is inside the STORE_BUFFER macro at
line 421 of jchuff.c:
Code: Select all
buffer = _buffer; \
while (bytes > 0) { \
bytestocopy = min(bytes, state->free_in_buffer); \
MEMCOPY(state->next_output_byte, buffer, bytestocopy); \
state->next_output_byte += bytestocopy; \
buffer += bytestocopy; \
state->free_in_buffer -= bytestocopy; \
if (state->free_in_buffer == 0) \
if (! dump_buffer(state)) return FALSE; \
bytes -= bytestocopy; \
} \
The size of _buffer is BUF_SIZE = (DCTSIZE2 * 2) = (64 * 2) = 128. The
following is happening at *block == -591:
1. bytes = 171, state->free_in_buffer = 14 and bytestocopy becomes 14
2. memcopy is called and the buffer is moved to index 14
4. state->free_in_buffer becomes 0, dump_buffer is called and returns true
5. bytes = 157, state->free_in_buffer = 16384 and bytestocopy becomes 157
(14 + 157) > 128 and this causes a buffer overflow.
Not sure why bytes becomes more then 128 but this info should probably
give the maintainers of libjpegturbo a bit more information to
investigate this issue.
On Fri, Nov 7, 2014 at 9:33 PM, DRC <dcommander at users.sourceforge.net> wrote:
> I don't know why you would expect me to have tried that, given that there
> was no reasonable expectation that I would know any of that information
> prior to now.
>
> But I did just try it, and it works fine.
>
> I will re-iterate:
> You need to produce a test case that demonstrates this failure using only
> libjpeg-turbo. You cannot expect me to spend any time on this until it is
> proven that it is my bug and not someone else's. Sometimes issues like this
> can be caused by the overlying application, even though the bug manifests in
> the underlying library.
>
>
>
> On 11/7/14 12:47 PM, roucaries bastien wrote:
>>
>> On Fri, Nov 7, 2014 at 6:36 PM, DRC <dcommander at users.sourceforge.net>
>> wrote:
>>>
>>> I want exactly what I asked for: a way to reproduce this issue.
>>> Currently I
>>> cannot. A backtrace from your machine is not helpful, as it does not
>>> tell
>>> me anything regarding how the library is being used by ImageMagick.
>>
>>
>> Did you try to compile libjpeg-turbo with -fstack-protector-all ggc
>> flags. Debian do it and thus detect stack overflow (valgrind is not at
>> help here).
>>
>> BTW could you nevertheless get a glimpse at the last backtrace. I but
>> a watch point on the canary (I tried but because this function is
>> called a lot of time I may be missing something) using method [1]. It
>> seems the code that smash the code is at encode_one_block line 543:
>> kloop(59); kloop(52); kloop(45); kloop(38); kloop(31); kloop(39);
More information about the Pkg-tigervnc-devel
mailing list