[Pkg-tigervnc-devel] Bug#768369: Acknowledgement ([libjpeg62-turbo] [DOS] Stack smashing)

Bernhard Übelacker bernhardu at vr-web.de
Sat Nov 22 06:43:51 UTC 2014


Hello,
I created a minimal test case in around 200 lines.

It uses a file with the intercepted scanlines of the calls to jpeg_write_scanlines.

Also the Exif marker is read from such a file.
(And without this Exif marker the stack smash does not happen...)

The partial output file is byte equal to that generated by imagemagick before it crashes.

The number of calls to encode_mcu_huff and the stack seem also to be the same.

Kind regards,
Bernhard



Place all three files in the same directory and open a shell there:
(I just created the breakpoint to see how often it is called.)


$ bunzip2 jpeg_write_marker.bin.bz2
$ bunzip2 jpeg_write_scanlines.bin.bz2
$ gcc -g -O0 -fstack-protector-all test-768369.c -ljpeg
$ gdb --args ./a.out
...
(gdb) b encode_mcu_huff
Breakpoint 1 (encode_mcu_huff) pending.
(gdb) ignore 1 10000
Will ignore next 10000 crossings of breakpoint 1.
(gdb) run
Starting program: /home/bernhard/data/entwicklung/2014/debian/libjpegturbo/a.out 
*** stack smashing detected ***: /home/bernhard/data/entwicklung/2014/debian/libjpegturbo/a.out terminated
...
(gdb) info break
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x00007ffff7b8c190 in encode_mcu_huff at jchuff.c:593
        breakpoint already hit 9842 times
        ignore next 158 hits

(gdb) bt
#0  0x00007ffff7811107 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff78124e8 in __GI_abort () at abort.c:89
#2  0x00007ffff784f044 in __libc_message (do_abort=do_abort at entry=2, fmt=fmt at entry=0x7ffff793f6ab "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff78d2147 in __GI___fortify_fail (msg=msg at entry=0x7ffff793f693 "stack smashing detected") at fortify_fail.c:31
#4  0x00007ffff78d2110 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x00007ffff7b96553 in encode_mcu_huff (cinfo=0x7fffffffdd70, MCU_data=0x602720) at jchuff.c:641
#6  0x00007ffff7b89717 in compress_output (cinfo=0x7fffffffdd70, input_buf=<optimized out>) at jccoefct.c:381
#7  0x00007ffff7b89006 in jpeg_finish_compress (cinfo=0x7fffffffdd70) at jcapimin.c:183
#8  0x0000000000401196 in main () at test-768369.c:205




-------------- next part --------------
A non-text attachment was scrubbed...
Name: jpeg_write_marker.bin.bz2
Type: application/x-bzip
Size: 1511 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-tigervnc-devel/attachments/20141122/3574a688/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jpeg_write_scanlines.bin.bz2
Type: application/x-bzip
Size: 1516565 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-tigervnc-devel/attachments/20141122/3574a688/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-768369.c
Type: text/x-csrc
Size: 5264 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-tigervnc-devel/attachments/20141122/3574a688/attachment-0001.c>


More information about the Pkg-tigervnc-devel mailing list