[Pkg-tigervnc-devel] Bug#768369: Acknowledgement ([libjpeg62-turbo] [DOS] Stack smashing)

roucaries bastien roucaries.bastien+debian at gmail.com
Sat Nov 22 11:19:51 UTC 2014 

control: tags -1 + confirmed
control: severity - 1 serious
justification: does not need imagemagick

On Sat, Nov 22, 2014 at 7:43 AM, Bernhard Übelacker <bernhardu at vr-web.de> wrote:
> Hello,
> I created a minimal test case in around 200 lines.
>
> It uses a file with the intercepted scanlines of the calls to jpeg_write_scanlines.
>
> Also the Exif marker is read from such a file.
> (And without this Exif marker the stack smash does not happen...)
>
> The partial output file is byte equal to that generated by imagemagick before it crashes.
>
> The number of calls to encode_mcu_huff and the stack seem also to be the same.
>
> Kind regards,
> Bernhard
>
>
>
> Place all three files in the same directory and open a shell there:
> (I just created the breakpoint to see how often it is called.)
>
>
> $ bunzip2 jpeg_write_marker.bin.bz2
> $ bunzip2 jpeg_write_scanlines.bin.bz2
> $ gcc -g -O0 -fstack-protector-all test-768369.c -ljpeg
> $ gdb --args ./a.out
> ...
> (gdb) b encode_mcu_huff
> Breakpoint 1 (encode_mcu_huff) pending.
> (gdb) ignore 1 10000
> Will ignore next 10000 crossings of breakpoint 1.
> (gdb) run
> Starting program: /home/bernhard/data/entwicklung/2014/debian/libjpegturbo/a.out
> *** stack smashing detected ***: /home/bernhard/data/entwicklung/2014/debian/libjpegturbo/a.out terminated
> ...
> (gdb) info break
> Num     Type           Disp Enb Address            What
> 1       breakpoint     keep y   0x00007ffff7b8c190 in encode_mcu_huff at jchuff.c:593
>         breakpoint already hit 9842 times
>         ignore next 158 hits
>
> (gdb) bt
> #0  0x00007ffff7811107 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x00007ffff78124e8 in __GI_abort () at abort.c:89
> #2  0x00007ffff784f044 in __libc_message (do_abort=do_abort at entry=2, fmt=fmt at entry=0x7ffff793f6ab "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
> #3  0x00007ffff78d2147 in __GI___fortify_fail (msg=msg at entry=0x7ffff793f693 "stack smashing detected") at fortify_fail.c:31
> #4  0x00007ffff78d2110 in __stack_chk_fail () at stack_chk_fail.c:28
> #5  0x00007ffff7b96553 in encode_mcu_huff (cinfo=0x7fffffffdd70, MCU_data=0x602720) at jchuff.c:641
> #6  0x00007ffff7b89717 in compress_output (cinfo=0x7fffffffdd70, input_buf=<optimized out>) at jccoefct.c:381
> #7  0x00007ffff7b89006 in jpeg_finish_compress (cinfo=0x7fffffffdd70) at jcapimin.c:183
> #8  0x0000000000401196 in main () at test-768369.c:205
>
>
>
>

More information about the Pkg-tigervnc-devel mailing list