MantisBT - NetSurf
View Issue Details
ID: 0002459
Project: NetSurf
Category: [All Projects] General
View Status: public
Date Submitted: 2016-08-11 21:42
Last Update: 2016-11-22 21:59
Reporter: Sergei Rogachev
Assigned To:
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: closed
Resolution: open
Platform:
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version: 3.6
Fixed in CI build #: 3662
Reported in CI build #:
URL of problem page:
Summary: 0002459: NetSurf crashes on failed initialization of libjpeg context
Description: The function jpeg_create_decompress() jumps to an incorrectly filled jump buffer to handle an exception. It results in a segmentation fault.

---

Libjpeg, used in NetSurf for decoding JPEG images, handles exceptions using a pair of non-local jump functions: setjmp() and longjmp(). When a decompression context is created via a call to the function jpeg_create_decompress(), the caller passes a structure jpeg_decompress_struct as a parameter. This structure should have a validly initialized jump buffer, so that the initialization or other functions called in the future can jump to the exception handling context.

The jpeg backend of NetSurf currently initializes libjpeg mistakenly: the jump buffer is filled after the call to jpeg_create_decompress(). It results in a jump to random addresses in the case of an exception caught during operation of the function jpeg_create_decompress().

The patch from the attachment moves the initialization of the jump buffer before the call to jpeg_create_decompress().
Additional Information: The attached file is a patch fixing the mentioned issue. I already tried to send the patch to the developers' mailing list, but received an automatic reply that I do not have enough authority to post messages to that list.
Tags: No tags attached.
Attached Files: patch 0001-Fix-longjmp-to-invalid-address-on-jpeg-init-error.patch (1,959 bytes) 2016-08-11 21:42
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=438&type=bug
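The report above describes the libjpeg error-handling contract and the ordering mistake. The following C program is an added example written for this page; it is not NetSurf's jpeg backend nor libjpeg code. It uses hypothetical, simplified stand-ins for jpeg_error_mgr and jpeg_decompress_struct (struct error_mgr, struct jpeg_ctx), a simulated sim_create_decompress() that keeps err and client_data and can fail through error_exit the way the real jpeg_create_decompress() can, and an added 'armed' flag next to the jmp_buf so the program can tell whether setjmp() has run yet (real jmp_buf contents cannot be inspected). It shows the post-patch order, where a failure inside create is caught cleanly, and the pre-patch order, where error_exit would fire before any jump target exists.

```c
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for libjpeg's jpeg_error_mgr and
 * jpeg_decompress_struct; only the fields that matter for this bug. */
struct jpeg_ctx;

struct error_mgr {
    void (*error_exit)(struct jpeg_ctx *cinfo);  /* fatal-error hook, must not return */
    const char *msg;
};

struct jpeg_ctx {
    struct error_mgr *err;   /* preserved by create_decompress */
    void *client_data;       /* preserved too (what the note on this issue verified) */
    void *mem;               /* everything else is wiped and rebuilt by create */
};

/* Per-decode error context reached through client_data. 'armed' is an addition
 * for this example: it records whether setjmp() has been called on env yet. */
struct ns_error_ctx {
    jmp_buf env;
    bool armed;
};

static bool jump_target_armed(const struct jpeg_ctx *cinfo)
{
    const struct ns_error_ctx *ectx = cinfo->client_data;
    return ectx != NULL && ectx->armed;
}

/* Installed as err->error_exit. In the real bug the longjmp() below runs with
 * an uninitialized jmp_buf; here an unarmed target aborts instead of jumping. */
static void ns_error_exit(struct jpeg_ctx *cinfo)
{
    if (!jump_target_armed(cinfo))
        abort();
    longjmp(((struct ns_error_ctx *)cinfo->client_data)->env, 1);
}

/* Simulated jpeg_create_decompress(): keeps err and client_data, zeroes the
 * rest, then either finishes or (fail != 0) reports a fatal error through
 * error_exit, as the real function can on an allocation failure. */
static void sim_create_decompress(struct jpeg_ctx *cinfo, int fail)
{
    struct error_mgr *err = cinfo->err;
    void *client_data = cinfo->client_data;

    memset(cinfo, 0, sizeof *cinfo);
    cinfo->err = err;
    cinfo->client_data = client_data;

    if (fail) {
        err->msg = "simulated failure inside create_decompress";
        err->error_exit(cinfo);           /* does not return */
    }
    cinfo->mem = cinfo;                   /* pretend the memory manager exists */
}

/* Post-patch order: err, client_data and setjmp() are all in place BEFORE the
 * context is created. Returns 0 on success, -1 if libjpeg bailed out. */
static int decode_fixed_order(int make_create_fail)
{
    struct jpeg_ctx cinfo;
    struct error_mgr jerr = { ns_error_exit, NULL };
    struct ns_error_ctx ectx;

    ectx.armed = false;
    cinfo.err = &jerr;
    cinfo.client_data = &ectx;

    if (setjmp(ectx.env) != 0) {
        /* Reached from ns_error_exit(); cinfo may be half-built, so real code
         * would call jpeg_destroy_decompress() here before returning. */
        return -1;
    }
    ectx.armed = true;

    sim_create_decompress(&cinfo, make_create_fail);
    /* jpeg_read_header(), jpeg_start_decompress(), ... would follow. */
    return cinfo.mem != NULL ? 0 : -1;
}

/* Pre-patch order: create first, setjmp() afterwards. The simulation stops just
 * before create and reports whether error_exit would have had an armed target;
 * with this order it never does, whatever create then fails on. */
static bool buggy_order_target_armed_at_create(void)
{
    struct jpeg_ctx cinfo;
    struct error_mgr jerr = { ns_error_exit, NULL };
    struct ns_error_ctx ectx;

    ectx.armed = false;
    cinfo.err = &jerr;
    cinfo.client_data = &ectx;

    /* sim_create_decompress(&cinfo, 1) would run here and longjmp() into a
     * jmp_buf nobody has filled. */
    bool armed_at_create = jump_target_armed(&cinfo);

    if (setjmp(ectx.env) != 0)
        return armed_at_create;           /* the handler exists only from here on */
    ectx.armed = true;
    return armed_at_create;               /* false */
}

int main(void)
{
    int ok = decode_fixed_order(0);
    int caught = decode_fixed_order(1);
    bool buggy_armed = buggy_order_target_armed_at_create();
    return (ok == 0 && caught == -1 && !buggy_armed) ? 0 : 1;
}
```

The takeaway for any libjpeg client is the ordering in decode_fixed_order(): set cinfo.err and cinfo.client_data, call setjmp(), and only then call jpeg_create_decompress() or anything else that can reach error_exit; the error path must also destroy the possibly half-built context. The 'armed' flag and abort() are bookkeeping for the example, not something libjpeg provides.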

Notes
(0001387) Vincent Sanders, 2016-08-14 22:41
verified that libjpeg(-turbo) retains the client_data pointer during jpeg_create_decompress() and our error processing could indeed trigger and use the uninitialized pointer

patch applied as is, thank you for the report
(0001431) Vincent Sanders, 2016-11-22 21:59
this issue has been closed because it is included in the 3.6 release

Issue History
2016-08-11 21:42  Sergei Rogachev  New Issue
2016-08-11 21:42  Sergei Rogachev  File Added: 0001-Fix-longjmp-to-invalid-address-on-jpeg-init-error.patch
2016-08-14 22:41  Vincent Sanders  Fixed in CI build # => 3662
2016-08-14 22:41  Vincent Sanders  Note Added: 0001387
2016-08-14 22:41  Vincent Sanders  Status: new => resolved
2016-08-14 22:41  Vincent Sanders  Fixed in Version => 3.6
2016-11-22 21:59  Vincent Sanders  Note Added: 0001431
2016-11-22 21:59  Vincent Sanders  Status: resolved => closed