2019-08-19 03:11 BST

View Issue Details

ID: 0002459
Project: NetSurf
Category: [All Projects] General
View Status: public
Last Update: 2016-11-22 21:59
Reporter: Sergei Rogachev
Assigned To: 
Severity: crash
Reproducibility: have not tried
Status: closed
Resolution: open
Product Version: 
Target Version: 
Fixed in Version: 3.6
Summary: 0002459: NetSurf crashes on failed initialization of libjpeg context
Description: The function jpeg_create_decompress() jumps to an incorrectly filled jump buffer to handle an exception. This results in a segmentation fault.

---

Libjpeg used in NetSurf for decoding of JPEG images handles exceptions using a pair of non-local jump functions: setjmp() and longjmp(). When a decompression context is created via a call to the function jpeg_create_decompress() the caller passes a structure jpeg_decompress_struct as a parameter. This structure should have a validly initialized jump buffer, so that the initialization or other functions called later can jump to the exception handling context.

The jpeg backend of NetSurf currently initializes libjpeg mistakenly: the jump buffer is filled after the call to jpeg_create_decompress(). This results in a jump to random addresses if an exception is raised during jpeg_create_decompress().

The patch from the attachment moves the initialization of jump buffer before the call to jpeg_create_decompress().
Additional Information: The attached file is a patch fixing the mentioned issue. I already tried to send the patch to the developers' mailing list, but received an automatic reply that I do not have enough authority to post messages to that list.
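As an added illustration (not part of this report, and not NetSurf or libjpeg code), the following C program models the libjpeg error-handling contract the report describes: the library calls err->error_exit() on any failure and expects it never to return, the application's error_exit longjmp()s to a jmp_buf reached through client_data, and the create call can itself raise an error (the library version check) while preserving err and client_data. All struct and function names are constructed for the example; model_create_decompress stands in for jpeg_create_decompress(), MODEL_LIB_VERSION is a made-up version constant used only to force the error path, and decode_with_version shows the ordering the patch establishes, with client_data installed before the create call.

```c
/* Constructed model of the libjpeg setjmp/longjmp error contract; this is
 * not libjpeg and not NetSurf code. Names prefixed model_/app_ are invented. */
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_LIB_VERSION 80   /* made-up analogue of JPEG_LIB_VERSION */

struct model_decompress;

/* Analogue of struct jpeg_error_mgr: the library calls error_exit() and
 * relies on it never returning. */
struct model_error_mgr {
    void (*error_exit)(struct model_decompress *cinfo);
    int msg_code;
};

/* Analogue of struct jpeg_decompress_struct (only the fields needed here). */
struct model_decompress {
    struct model_error_mgr *err;   /* caller must install this before create */
    void *client_data;             /* opaque to the library; holds a jmp_buf * here */
    int is_decompressor;
};

/* Analogue of jpeg_create_decompress(): it can raise an error before doing
 * anything else (version check), then zeroes the struct while saving and
 * restoring err and client_data. */
static void model_create_decompress(struct model_decompress *cinfo, int version)
{
    if (version != MODEL_LIB_VERSION) {
        cinfo->err->msg_code = 1;           /* "bad library version" */
        cinfo->err->error_exit(cinfo);      /* does not return */
    }
    struct model_error_mgr *err = cinfo->err;
    void *client_data = cinfo->client_data;
    memset(cinfo, 0, sizeof *cinfo);
    cinfo->err = err;
    cinfo->client_data = client_data;
    cinfo->is_decompressor = 1;
}

/* Application-side error_exit in the shape the report describes: recover the
 * jmp_buf from client_data and longjmp() back to the caller's setjmp(). The
 * NULL check is an added defence so that a never-installed client_data fails
 * loudly instead of jumping through a stray pointer. */
static void app_error_exit(struct model_decompress *cinfo)
{
    jmp_buf *setjmp_buffer = (jmp_buf *)cinfo->client_data;
    if (setjmp_buffer == NULL) {
        fprintf(stderr, "error_exit called with no jump buffer installed\n");
        abort();
    }
    longjmp(*setjmp_buffer, 1);
}

/* Correct ordering: setjmp(), err and client_data are all in place before the
 * create call, so an error raised inside it lands in the handler.
 * Returns 0 on success, -1 if the library raised an error. */
int decode_with_version(int claimed_version)
{
    struct model_decompress cinfo;
    struct model_error_mgr err;
    jmp_buf setjmp_buffer;

    memset(&cinfo, 0, sizeof cinfo);
    err.error_exit = app_error_exit;
    err.msg_code = 0;
    cinfo.err = &err;

    if (setjmp(setjmp_buffer)) {
        /* Reached via longjmp() from app_error_exit(). Nothing written after
         * setjmp() is read here, so no volatile qualifiers are needed. */
        return -1;
    }

    cinfo.client_data = &setjmp_buffer;        /* before create, not after */
    model_create_decompress(&cinfo, claimed_version);

    /* A real decoder would set up the source manager and read the header here. */
    return cinfo.is_decompressor ? 0 : -1;
}

int main(void)
{
    printf("matching version: %d\n", decode_with_version(MODEL_LIB_VERSION));
    printf("mismatched version: %d\n", decode_with_version(MODEL_LIB_VERSION + 1));
    return 0;
}
```

With the assignment to client_data moved after the create call, the version-mismatch path would reach app_error_exit() with whatever the uninitialized field held; the added NULL check only catches the case where the struct was zeroed first, which is why the ordering itself, not the check, is the fix.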
Tags: No tags attached.
Fixed in CI build #: 3662
Reported in CI build #: 
URL of problem page: 
Attached Files
  • 0001-Fix-longjmp-to-invalid-address-on-jpeg-init-error.patch (1,959 bytes) 2016-08-11 21:42
    From e1738486b4c0946fa7d734de21260cc45556788f Mon Sep 17 00:00:00 2001
    From: Sergei Rogachev <rogachevsergei@gmail.com>
    Date: Thu, 11 Aug 2016 22:09:30 +0300
    Subject: [PATCH] Fix longjmp to invalid address on jpeg init error
    
    Libjpeg used in NetSurf for decoding of JPEG images handles exceptions using a
    pair of non-local jump functions: setjmp() and longjmp(). When a decompression
    context is created via a call to the function jpeg_create_decompress() the
    caller passes a structure jpeg_decompress_struct as a parameter. This structure
    should have a validly initialized jump buffer, so that the initialization or
    other functions called later can jump to the exception handling context.
    
    The jpeg backend of NetSurf currently initializes libjpeg mistakenly: the jump
    buffer is filled after the call to jpeg_create_decompress(). This results in a
    jump to random addresses if an exception is raised during
    jpeg_create_decompress().
    
    The patch moves the initialization of jump buffer before the call to
    jpeg_create_decompress().
    
    Signed-off-by: Sergei Rogachev <rogachevsergei@gmail.com>
    ---
     content/handlers/image/jpeg.c | 4 ++--
     1 file changed, 2 insertions(+), 2 deletions(-)
    
    diff --git a/content/handlers/image/jpeg.c b/content/handlers/image/jpeg.c
    index 278d9e6..5ae9e70 100644
    --- a/content/handlers/image/jpeg.c
    +++ b/content/handlers/image/jpeg.c
    @@ -202,8 +202,8 @@ jpeg_cache_convert(struct content *c)
     		return bitmap;
     	}
     
    -	jpeg_create_decompress(&cinfo);
     	cinfo.client_data = &setjmp_buffer;
    +	jpeg_create_decompress(&cinfo);
     
     	/* setup data source */
     	source_mgr.next_input_byte = source_data;
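Review bot: the reorder only moves the assignment of client_data; the jmp_buf it points at must itself have been filled by a setjmp() call, and cinfo.err installed, before jpeg_create_decompress() runs, and the two context lines above (`return bitmap;` / `}`) are not enough to confirm that both happen earlier in jpeg_cache_convert(). Please check that, and add a one-line comment above `cinfo.client_data = &setjmp_buffer;` stating that it must precede jpeg_create_decompress() because the library can call error_exit, and hence longjmp through client_data, during creation; without the comment a later tidy-up can silently put these two lines back in the old order.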
    @@ -305,8 +305,8 @@ static bool nsjpeg_convert(struct content *c)
     		return false;
     	}
     
    -	jpeg_create_decompress(&cinfo);
     	cinfo.client_data = &setjmp_buffer;
    +	jpeg_create_decompress(&cinfo);
     	source_mgr.next_input_byte = (unsigned char *) data;
     	source_mgr.bytes_in_buffer = size;
     	cinfo.src = &source_mgr;
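Review bot: this is the same two-line reorder as in jpeg_cache_convert(), so the ordering constraint now has to be maintained in two places; consider pulling the common setup (`cinfo.client_data = &setjmp_buffer;`, `jpeg_create_decompress(&cinfo);`, the source_mgr fields and `cinfo.src = &source_mgr;`) into one helper so the order is enforced once. As in the first hunk, the setjmp() call and cinfo.err installation lie outside the visible context (`return false;` / `}`) and should be confirmed to precede this point in nsjpeg_convert().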
    -- 
    2.7.3
    
    

Notes

~0001387 Vincent Sanders (administrator)

verified that libjpeg(-turbo) retains the client_data pointer during jpeg_create_decompress() and our error processing could indeed trigger and use the uninitialized pointer

patch applied as is, thank you for the report

~0001431 Vincent Sanders (administrator)

this issue has been closed because it is included in the 3.6 release

Issue History
Date Modified Username Field Change
2016-08-11 21:42 Sergei Rogachev New Issue
2016-08-11 21:42 Sergei Rogachev File Added: 0001-Fix-longjmp-to-invalid-address-on-jpeg-init-error.patch
2016-08-14 22:41 Vincent Sanders Fixed in CI build # => 3662
2016-08-14 22:41 Vincent Sanders Note Added: 0001387
2016-08-14 22:41 Vincent Sanders Status new => resolved
2016-08-14 22:41 Vincent Sanders Fixed in Version => 3.6
2016-11-22 21:59 Vincent Sanders Note Added: 0001431
2016-11-22 21:59 Vincent Sanders Status resolved => closed