View Issue Details

Field | Value
---|---
ID | 0002459
Project | NetSurf
Category | [All Projects] General
View Status | public
Date Submitted | 2016-08-11 21:42
Last Update | 2016-11-22 21:59
Reporter | Sergei Rogachev
Assigned To |
Severity | crash
Reproducibility | have not tried
Status | closed
Resolution | open
Product Version |
Target Version |
Fixed in Version | 3.6
Summary | 0002459: NetSurf crashes on failed initialization of libjpeg context
Tags | No tags attached.
Fixed in CI build # | 3662
Reported in CI build # |
URL of problem page |
Attached Files |

Description

The function jpeg_create_decompress() jumps to an incorrectly filled jump buffer to handle an exception. This results in a segmentation fault.

---

Libjpeg, used in NetSurf for decoding JPEG images, handles exceptions using a pair of non-local jump functions: setjmp() and longjmp(). When a decompression context is created via a call to the function jpeg_create_decompress(), the caller passes a jpeg_decompress_struct structure as a parameter. This structure should have a validly initialized jump buffer, so that the initialization or other functions called later can jump to the exception handling context. The JPEG backend of NetSurf currently initializes libjpeg mistakenly: the jump buffer is filled after the call to jpeg_create_decompress(). This results in a jump to random addresses if an exception is caught during operation of the function jpeg_create_decompress(). The patch from the attachment moves the initialization of the jump buffer before the call to jpeg_create_decompress().

Additional Information

The attached file is a patch fixing the mentioned issue. I already tried to send the patch to the developers' mailing list, but received an automatic reply that I do not have enough authority to post messages to that list.
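The setjmp()/longjmp() ordering the report describes, as an added example that is not NetSurf's or libjpeg's code: the `mock_` types and `mock_create_decompress()` stand in for libjpeg's contract (err and client_data are preserved, the rest of the struct is zeroed, and an error such as a library version mismatch is raised through err->error_exit before the call returns), and `decode_with_fixed_order()` shows the patched ordering in which the jump buffer is valid before the first libjpeg call.

```c
#include <setjmp.h>
#include <string.h>

/* Mock of the libjpeg contract relevant here (not libjpeg itself): create keeps
 * err and client_data, zeroes the rest, and may raise an error via error_exit. */
#define MOCK_LIB_VERSION 80
enum { MOCK_ERR_NONE = 0, MOCK_ERR_BAD_LIB_VERSION = 1 };
struct mock_decompress;
struct mock_error_mgr {
    void (*error_exit)(struct mock_decompress *cinfo);
    int msg_code;
};
struct mock_decompress {
    struct mock_error_mgr *err;
    void *client_data;     /* NetSurf keeps its jmp_buf pointer here */
};
void mock_create_decompress(struct mock_decompress *cinfo, int version)
{
    struct mock_error_mgr *err = cinfo->err;  /* preserved across memset */
    void *client_data = cinfo->client_data;   /* preserved across memset */
    memset(cinfo, 0, sizeof(*cinfo));
    cinfo->err = err;
    cinfo->client_data = client_data;
    if (version != MOCK_LIB_VERSION) {        /* libjpeg's version check */
        err->msg_code = MOCK_ERR_BAD_LIB_VERSION;
        err->error_exit(cinfo);  /* must not return: jumps via client_data */
    }
}

/* NetSurf-style handler: longjmp to the buffer referenced by client_data.
 * If client_data is set only after the create call, this reads garbage. */
void nsjpeg_style_error_exit(struct mock_decompress *cinfo)
{
    longjmp(*(jmp_buf *)cinfo->client_data, 1);
}

/* Patched ordering: client_data and setjmp() are ready before the create
 * call. Returns 0 on success, -1 if create raised an error. */
int decode_with_fixed_order(int lib_version)
{
    struct mock_decompress cinfo;
    struct mock_error_mgr jerr = { nsjpeg_style_error_exit, MOCK_ERR_NONE };
    jmp_buf env;
    cinfo.err = &jerr;
    cinfo.client_data = &env;   /* valid before the first libjpeg call */
    if (setjmp(env) != 0)
        return -1;              /* landed here from error_exit */
    mock_create_decompress(&cinfo, lib_version);
    return 0;
}
```

With the pre-patch order (create first, then client_data = &env), the version-mismatch path would call error_exit while client_data still holds whatever was on the stack, which is the random-address longjmp the report describes.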
Notes

Vincent Sanders (administrator) 2016-08-14 22:41

Verified that libjpeg(-turbo) retains the client_data pointer during jpeg_create_decompress() and our error processing could indeed trigger and use the uninitialized pointer. Patch applied as is, thank you for the report.

Vincent Sanders (administrator) 2016-11-22 21:59

This issue has been closed because it is included in the 3.6 release.
Issue History

Date Modified | Username | Field | Change
---|---|---|---
2016-08-11 21:42 | Sergei Rogachev | New Issue |
2016-08-11 21:42 | Sergei Rogachev | File Added: 0001-Fix-longjmp-to-invalid-address-on-jpeg-init-error.patch |
2016-08-14 22:41 | Vincent Sanders | Fixed in CI build # | => 3662
2016-08-14 22:41 | Vincent Sanders | Note Added: 0001387 |
2016-08-14 22:41 | Vincent Sanders | Status | new => resolved
2016-08-14 22:41 | Vincent Sanders | Fixed in Version | => 3.6
2016-11-22 21:59 | Vincent Sanders | Note Added: 0001431 |
2016-11-22 21:59 | Vincent Sanders | Status | resolved => closed