[Pkg-tigervnc-devel] Bug#768369: Acknowledgement ([libjpeg62-turbo] [DOS] Stack smashing)

Bernhard Übelacker bernhardu at vr-web.de
Sat Nov 15 16:51:30 UTC 2014


Hello,
DRC suggested having a look at the newer upstream version.

In jchuff.c the buffer in question really is grown there,
but only by 8 bytes. [1]

When increasing it by 28 bytes, the stack smashing and writing beyond the
buffer go away.

The resulting image "looks" good. (Input file from the first post.)

Whether this is the right solution, or whether the buffer can grow even more, I
cannot say.

Kind regards,
Bernhard

[1] http://sourceforge.net/p/libjpeg-turbo/code/1367/ and
    http://sourceforge.net/p/libjpeg-turbo/code/1364/




On Sat, 15 Nov 2014 16:56:20 +0100
Bernhard Übelacker <bernhardu at vr-web.de> wrote:
> Hello,
> probably the attached patch could help in diagnosing the issue.
> It prints an error message and aborts when the current buffer
> pointer is advanced past the _buffer.
> 
> In the debugger it shows this happens a little before what Roucaries Bastien wrote in message 47.
> (Because he stopped at the stack protector being overwritten,
> which is _buffer[137] while its size is only 128.)
> 
> Kind regards,
> Bernhard
> 
> 
> 
> 
> $ gdb --args convert -rotate 270 003632r270.jpg junk.jpg
> 
> (gdb) run
> 
> jchuff.c, line 591: written beyond end of _buffer, size=128, _buffer=0x0x7fffffff3e10, buffer=0x0x7fffffff3e91, pos=129
> 
> Program received signal SIGABRT, Aborted.
> 
> (gdb) bt
> #0  0x00007ffff7067107 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x00007ffff70684e8 in __GI_abort () at abort.c:89
> #2  0x00007ffff36d4268 in encode_one_block (actbl=0x646920, dctbl=<optimized out>, last_dc_val=<optimized out>, block=0x7ffff2cf9bb0, state=0x7fffffff3dd0) at jchuff.c:591
> 
> (gdb) up
> (gdb) up
> #2  0x00007ffff36d4268 in encode_one_block (actbl=0x646920, dctbl=<optimized out>, last_dc_val=<optimized out>, block=0x7ffff2cf9bb0, state=0x7fffffff3dd0) at jchuff.c:591
> 591       kloop(44);
> 
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 003_increase-size-of-local-buffer-in-jchuff_c.patch
Type: text/x-patch
Size: 554 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-tigervnc-devel/attachments/20141115/54564227/attachment.bin>
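As an added illustration of the guard the diagnostic patch describes (this is not libjpeg-turbo code and not the attached patch): a model encoder with a 128-byte local _buffer and a checked emit that reports the position of the first write that would land past the end, instead of silently overwriting the stack. The struct and function names are assumptions; the 0xFF byte-stuffing rule of JPEG entropy-coded data is used here only as the constructed reason the output outgrows the buffer.

```c
#include <stdio.h>
#include <string.h>

#define LOCAL_BUF_SIZE 128   /* size of _buffer quoted in the mail */

struct emit_state {
    unsigned char _buffer[LOCAL_BUF_SIZE];
    unsigned char *buffer;   /* current write pointer into _buffer */
    size_t overrun_pos;      /* bytes already written when the guard fired */
};

/* Guarded write: 0 on success, -1 if the byte would land past the end of
 * _buffer (the mail's diagnostic patch printed a message and aborted here). */
static int emit_byte(struct emit_state *st, unsigned char c)
{
    size_t pos = (size_t)(st->buffer - st->_buffer);
    if (pos >= LOCAL_BUF_SIZE) {
        st->overrun_pos = pos;
        fprintf(stderr, "beyond end of _buffer, size=%d, pos=%zu\n", LOCAL_BUF_SIZE, pos);
        return -1;
    }
    *st->buffer++ = c;
    return 0;
}

/* JPEG entropy-coded data byte-stuffs every 0xFF as 0xFF 0x00, so the emitted
 * stream can be up to twice the raw coded length. Returns bytes emitted, or -1
 * with st->overrun_pos set when the guard fires. */
long stuff_into_local(struct emit_state *st, const unsigned char *in, size_t n)
{
    memset(st, 0, sizeof *st);
    st->buffer = st->_buffer;
    for (size_t i = 0; i < n; i++) {
        if (emit_byte(st, in[i]) < 0) return -1;
        if (in[i] == 0xFF && emit_byte(st, 0x00) < 0) return -1;
    }
    return (long)(st->buffer - st->_buffer);
}

/* Constructed worst-case input: n raw bytes that are all 0xFF (n <= 256). */
long stuff_all_ff(size_t n, size_t *overrun_pos)
{
    unsigned char raw[256];
    struct emit_state st;
    if (n > sizeof raw) return -2;
    memset(raw, 0xFF, n);
    long r = stuff_into_local(&st, raw, n);
    if (overrun_pos) *overrun_pos = st.overrun_pos;
    return r;
}
```

With 64 raw 0xFF bytes the stuffed output is exactly 128 bytes and fits; with 65 the guard fires on the 129th byte and reports pos=128, the same kind of report the mail's patch produced.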