Hello,
DRC suggested having a look at the newer upstream version.

In jchuff.c the buffer in question is indeed grown there, but only
by 8 bytes. [1]

When increasing it by 28 bytes, the stack smashing and writing beyond the
buffer go away.

The resulting image "looks" good. (Input file from the first post.)

I cannot say whether this is the right solution or whether the buffer
can grow even more.

Kind regards,
Bernhard

[1] http://sourceforge.net/p/libjpeg-turbo/code/1367/ and
    http://sourceforge.net/p/libjpeg-turbo/code/1364/
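The diagnostic described in the quoted mail below (report and stop when the write pointer passes the end of `_buffer`), as an added C example that is not code from this thread or from libjpeg-turbo: `checked_buf`, `cb_emit` and `emit_run` are names chosen here, the 128-byte size is the `BUFSIZE` of the 1.3.1 patch context, and the 137-byte run is the constructed input that reproduces the `_buffer[137]` index mentioned below.

```c
#include <stdio.h>
#include <stddef.h>

#define DCTSIZE2 64
#define BUFSIZE  (DCTSIZE2 * 2)   /* 128 bytes, the 1.3.1 size in the patch context */

/* Bounds-checked view of a fixed-size local buffer (names chosen here). */
typedef struct {
    unsigned char *base;   /* start of the buffer (_buffer in jchuff.c) */
    unsigned char *cur;    /* next byte to write (buffer in jchuff.c) */
    size_t size;           /* capacity in bytes */
} checked_buf;

/* Store one byte. Returns 1 on success, 0 if the write would land past the
 * end; then nothing is written and the state is reported in the style of the
 * diagnostic from the thread (base, current pointer, position). */
static int cb_emit(checked_buf *b, unsigned char v, int line)
{
    size_t pos = (size_t)(b->cur - b->base);
    if (pos >= b->size) {
        fprintf(stderr, "line %d: write beyond end of buffer, size=%zu, "
                "base=%p, cur=%p, pos=%zu\n", line, b->size,
                (void *)b->base, (void *)b->cur, pos);
        return 0;
    }
    *b->cur++ = v;
    return 1;
}

/* Emit a constructed run of n bytes into a fresh BUFSIZE buffer; returns how
 * many were stored before the check tripped (n when everything fits). */
static size_t emit_run(size_t n)
{
    unsigned char storage[BUFSIZE];
    checked_buf b = { storage, storage, sizeof storage };
    size_t i;
    for (i = 0; i < n; i++)
        if (!cb_emit(&b, (unsigned char)i, __LINE__))
            break;
    return i;
}

int main(void)
{
    /* A block needing 137 bytes (the index the stack protector report pointed
     * at) is stopped at position 128 instead of overrunning the buffer. */
    printf("stored %zu of 137 bytes\n", emit_run(137));
    return 0;
}
```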
On Sat, 15 Nov 2014 16:56:20 +0100
Bernhard Übelacker <bernha...@vr-web.de> wrote:
> Hello,
> probably the attached patch could help in diagnosing the issue.
> It prints an error message and aborts when the current buffer
> pointer is advanced past _buffer.
> 
> In the debugger it shows this happens a little before what roucaries bastien
> wrote in message 47.
> (Because he stopped at the overwritten stack protector,
> which is _buffer[137], while its size is only 128.)
> 
> Kind regards,
> Bernhard
>
> $ gdb --args convert -rotate 270 003632r270.jpg junk.jpg
> 
> (gdb) run
> 
> jchuff.c, line 591: written beyond end of _buffer, size=128, 
> _buffer=0x0x7fffffff3e10, buffer=0x0x7fffffff3e91, pos=129
> 
> Program received signal SIGABRT, Aborted.
> 
> (gdb) bt
> #0  0x00007ffff7067107 in __GI_raise (sig=sig@entry=6) at 
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x00007ffff70684e8 in __GI_abort () at abort.c:89
> #2  0x00007ffff36d4268 in encode_one_block (actbl=0x646920, dctbl=<optimized 
> out>, last_dc_val=<optimized out>, block=0x7ffff2cf9bb0, 
> state=0x7fffffff3dd0) at jchuff.c:591
> 
> (gdb) up
> (gdb) up
> #2  0x00007ffff36d4268 in encode_one_block (actbl=0x646920, dctbl=<optimized 
> out>, last_dc_val=<optimized out>, block=0x7ffff2cf9bb0, 
> state=0x7fffffff3dd0) at jchuff.c:591
> 591       kloop(44);
>

Description: Increase size of local buffer in jchuff.c
Author: Bernhard Übelacker <bernha...@vr-web.de>
Bug-Debian: https://bugs.debian.org/768369
Last-Update: <2014-11-15>

--- libjpeg-turbo-1.3.1.orig/jchuff.c
+++ libjpeg-turbo-1.3.1/jchuff.c
@@ -402,7 +402,8 @@ dump_buffer (working_state * state)
 #endif
 
 
-#define BUFSIZE (DCTSIZE2 * 2)
+#define BUFSIZE ((DCTSIZE2 * 2) + 28)
+    /* increase even more as upstream has http://sourceforge.net/p/libjpeg-turbo/code/1367/ */
 
 #define LOAD_BUFFER() { \
   if (state->free_in_buffer < BUFSIZE) { \
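Review bot: the `+ 28` in `#define BUFSIZE ((DCTSIZE2 * 2) + 28)` is an empirical constant, and the comment next to it does not say why 28 is sufficient; the covering mail itself says it is unknown whether the buffer needs to grow further, and the upstream commit referenced in the comment grew it by a different amount. Since `BUFSIZE` is also the threshold in the visible `LOAD_BUFFER()` check (`if (state->free_in_buffer < BUFSIZE)`), the value should be justified against the worst-case number of bytes a single block can emit (or the upstream value adopted with that reasoning), rather than tuned until one input stops crashing, and that justification belongs in the comment. Minor: the indented comment on its own line after the `#define` reads as a continuation of the macro; put it on a `/* ... */` line before the define and reword it to "upstream increased it as well, see ...".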
