Bug#648322: libjpeg8: Raw decoding exceeds output buffer bounds

Thu, 10 Nov 2011 07:27:21 -0800 

Package: libjpeg8
Version: 8c-2

Hello,
In libv4l-0 I got a bug report about crashing JPEG decoding routine (#647273). I created a testcase and was only able to reproduce the bug with libjpeg 8, (not 62 or turbojpeg). 

Steps to reproduce:
 git clone git://github.com/gjasny/v4l-utils-brokenjpeg.git
 cd v4l-utils-brokenjpeg/lib/libv4lconvert/
 make
 valgrind ./decodeframe ../../test/frame_0_640x480.jpeg

This is the output on Debian testing (i386):


==2748== Memcheck, a memory error detector
==2748== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==2748== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==2748== Command: ./decodeframe ../../test/frame_0_640x480.jpeg
==2748==
==2748== Invalid write of size 1
==2748==    at 0x4072BC3: jpeg_idct_16x8 (in /usr/lib/libjpeg.so.8.3.0)
==2748==    by 0x405C771: ??? (in /usr/lib/libjpeg.so.8.3.0)
==2748==    by 0x405A06B: jpeg_read_raw_data (in /usr/lib/libjpeg.so.8.3.0)
==2748==    by 0x805B291: v4lconvert_decode_jpeg_libjpeg (jpeg.c:246)
==2748==    by 0x8049357: main (decodeframe.c:30)
==2748==  Address 0x4796828 is 0 bytes after a block of size 460,800 alloc'd
==2748==    at 0x4025018: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2748==    by 0x80492C6: main (decodeframe.c:17)
==2748==
==2748== Invalid write of size 1
==2748==    at 0x4072BDE: jpeg_idct_16x8 (in /usr/lib/libjpeg.so.8.3.0)
==2748==    by 0x405C771: ??? (in /usr/lib/libjpeg.so.8.3.0)
==2748==    by 0x405A06B: jpeg_read_raw_data (in /usr/lib/libjpeg.so.8.3.0)
==2748==    by 0x805B291: v4lconvert_decode_jpeg_libjpeg (jpeg.c:246)
==2748==    by 0x8049357: main (decodeframe.c:30)
==2748==  Address 0x4796837 is 15 bytes after a block of size 460,800 alloc'd
==2748==    at 0x4025018: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2748==    by 0x80492C6: main (decodeframe.c:17)

> ...
Do you have an idea what's going on here? Is this a bug on my side or inside libjpeg? 

Thanks,
Gregor



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to