0002459: NetSurf crashes on failed initialization of libjpeg context

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0002459

NetSurf

[All Projects] General

public

2016-08-11 21:42

2016-11-22 21:59

Reporter

Sergei Rogachev

Assigned To

Severity

crash

Reproducibility

have not tried

Status

closed

Resolution

open

Product Version

Target Version

Fixed in Version

3.6

Summary

0002459: NetSurf crashes on failed initialization of libjpeg context

Description

The function jpeg_create_decompress() jumps to incorrectly filled jump buffer to handle an exception. It results to segmentation fault.

---

Libjpeg used in NetSurf for decoding of JPEG images handles exceptions using a pair of non-local jump functions: setjmp() and longjmp(). When a decompression context is created via a call to the function jpeg_create_decompress() the caller passes a structure jpeg_decompress_struct as a parameter. This structure should has a validly initialized jump buffer, so the initialization or other functions called in future can jump to the exception handling context.

The jpeg backend of NetSurf now initializes libjpeg mistakenly: jump buffer is filled after the call to jpeg_create_decompress(). It results in jump to random addresses in the case of exception caught during operation of the function jpeg_create_decompress().

The patch from the attachment moves the initialization of jump buffer before the call to jpeg_create_decompress().

Additional Information

The attached file is a patch fixing the mentioned issue. I already tried to send the patch to the developers' mailing list, but received and automatical reply that I have not enough authority to post messages to that list.

Tags

No tags attached.

Fixed in CI build #

3662

Reported in CI build #

URL of problem page

Attached Files

0001-Fix-longjmp-to-invalid-address-on-jpeg-init-error.patch (1,959 bytes) 2016-08-11 21:42

From e1738486b4c0946fa7d734de21260cc45556788f Mon Sep 17 00:00:00 2001
From: Sergei Rogachev <rogachevsergei@gmail.com>
Date: Thu, 11 Aug 2016 22:09:30 +0300
Subject: [PATCH] Fix longjmp to invalid address on jpeg init error

Libjpeg used in NetSurf for decoding of JPEG images handles exceptions using a
pair of non-local jump functions: setjmp() and longjmp(). When a decompression
context is created via a call to the function jpeg_create_decompress() the
caller passes a structure jpeg_decompress_struct as a parameter. This structure
should has a validly initialized jump buffer, so the initialization or other
functions called in future can jump to the exception handling context.

The jpeg backend of NetSurf now initializes libjpeg mistakenly: jump buffer is
filled after the call to jpeg_create_decompress(). It results in jump to random
addresses in the case of exception caught during operation of the function
jpeg_create_decompress().

The patch moves the initialization of jump buffer before the call to
jpeg_create_decompress().

Signed-off-by: Sergei Rogachev <rogachevsergei@gmail.com>
---
 content/handlers/image/jpeg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/handlers/image/jpeg.c b/content/handlers/image/jpeg.c
index 278d9e6..5ae9e70 100644
--- a/content/handlers/image/jpeg.c
+++ b/content/handlers/image/jpeg.c
@@ -202,8 +202,8 @@ jpeg_cache_convert(struct content *c)
 		return bitmap;
 	}

-	jpeg_create_decompress(&cinfo);
 	cinfo.client_data = &setjmp_buffer;
+	jpeg_create_decompress(&cinfo);

 	/* setup data source */
 	source_mgr.next_input_byte = source_data;
@@ -305,8 +305,8 @@ static bool nsjpeg_convert(struct content *c)
 		return false;
 	}

-	jpeg_create_decompress(&cinfo);
 	cinfo.client_data = &setjmp_buffer;
+	jpeg_create_decompress(&cinfo);
 	source_mgr.next_input_byte = (unsigned char *) data;
 	source_mgr.bytes_in_buffer = size;
 	cinfo.src = &source_mgr;
-- 
2.7.3

0001-Fix-longjmp-to-invalid-address-on-jpeg-init-error.patch (1,959 bytes) 2016-08-11 21:42

Relationships

Relationships

Notes
~0001387 Vincent Sanders (administrator) 2016-08-14 22:41	verified that libjpeg(-turbo) retain the client_data pointer during jpeg_create_decompress() and our error processing could indeed trigger and use the uninitialized pointer patch applied as is, thankyou for the report

~0001431 Vincent Sanders (administrator) 2016-11-22 21:59	this issue has been closed because it is included in the 3.6 release

Notes

Date Modified	Username	Field	Change
Issue History
2016-08-11 21:42	Sergei Rogachev	New Issue
2016-08-11 21:42	Sergei Rogachev	File Added: 0001-Fix-longjmp-to-invalid-address-on-jpeg-init-error.patch
2016-08-14 22:41	Vincent Sanders	Fixed in CI build #	=> 3662
2016-08-14 22:41	Vincent Sanders	Note Added: 0001387
2016-08-14 22:41	Vincent Sanders	Status	new => resolved
2016-08-14 22:41	Vincent Sanders	Fixed in Version	=> 3.6
2016-11-22 21:59	Vincent Sanders	Note Added: 0001431
2016-11-22 21:59	Vincent Sanders	Status	resolved => closed

Issue History