Potential issue of division by zero, and a zero check condition was necessary

(Reporter: pankaj.m1, Unassigned, NeedInfo)

Tracking

({crash, csectype-dos})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: gfx-noted)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8617162 [details] [diff] [review]
jpeg-turbo.patch

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253

Steps to reproduce:

Ran a static analyzer tool on libjpeg-turbo 1.4.0 and found a division by zero issue in jquant2.c.

Actual results:

A divide by zero error was reported by the static tool. At runtime it could have led to a potential crash.

Expected results:

Added a check for the 'total' variable before the division operation used to fill the 'colormap' fields in 'cinfo'.
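To illustrate the guard the report describes, the following is an added example constructed for this page, not the attached patch or libjpeg-turbo's own code: a compute_color-style colormap fill for one box, with a zero check on `total` before the division. The histogram dimensions, the `box` type and the sample pixel counts are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the colormap fill in jquant2.c's compute_color():
 * a histogram cell counts the pixels of one (c0,c1,c2) colour and a box's
 * colormap entry is the count-weighted, rounded mean of the cells inside it
 * (the cell index stands in for the colour value; the real code shifts it). */
#define HIST_DIM 4
typedef uint16_t hist3d[HIST_DIM][HIST_DIM][HIST_DIM];
typedef struct { int c0min, c0max, c1min, c1max, c2min, c2max; } box;

/* Fills out[0..2] and returns true; returns false, leaving out[] untouched,
 * when the box holds no pixels (total == 0), where an unguarded divide faults. */
bool compute_box_color(const hist3d hist, const box *b, uint8_t out[3]) {
  unsigned long total = 0, c0total = 0, c1total = 0, c2total = 0;
  for (int c0 = b->c0min; c0 <= b->c0max; c0++)
    for (int c1 = b->c1min; c1 <= b->c1max; c1++)
      for (int c2 = b->c2min; c2 <= b->c2max; c2++) {
        unsigned long count = hist[c0][c1][c2];
        total   += count;
        c0total += (unsigned long)c0 * count;
        c1total += (unsigned long)c1 * count;
        c2total += (unsigned long)c2 * count;
      }
  if (total == 0)                 /* the zero check the patch adds */
    return false;
  out[0] = (uint8_t)((c0total + (total >> 1)) / total);   /* rounded means */
  out[1] = (uint8_t)((c1total + (total >> 1)) / total);
  out[2] = (uint8_t)((c2total + (total >> 1)) / total);
  return true;
}

/* Constructed sample: 3 pixels of colour (1,2,3), 1 pixel of (3,2,1), rest empty. */
static const hist3d SAMPLE = { [1][2][3] = 3, [3][2][1] = 1 };

/* Whole-histogram box: mean ((6+2)/4, (8+2)/4, (10+2)/4) = (2,2,3) -> 0x020203. */
unsigned demo_populated_box(void) {
  uint8_t out[3];
  box b = {0, HIST_DIM - 1, 0, HIST_DIM - 1, 0, HIST_DIM - 1};
  if (!compute_box_color(SAMPLE, &b, out)) return 0xFFFFFFu;
  return ((unsigned)out[0] << 16) | ((unsigned)out[1] << 8) | out[2];
}

/* Box over only the empty cell (0,0,0): must refuse rather than divide by 0. */
bool demo_empty_box(void) {
  uint8_t out[3] = {7, 7, 7};
  box b = {0, 0, 0, 0, 0, 0};
  return !compute_box_color(SAMPLE, &b, out) && out[0] == 7;
}
```

The caller decides what to do with a refused box; in the quantizer such a box should never be created, which is the point the libjpeg maintainers make in the comment below.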
(Reporter)

Comment 1

3 years ago
Patch has been provided in attachment.
Divide by zero is a non-exploitable condition so this bug does not need to be hidden.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, csectype-dos
Attachment #8617162 - Attachment is patch: true
Attachment #8617162 - Attachment mime type: text/x-patch → text/plain
Whiteboard: gfx-noted
I reported the same issue to "jpegclub.org" several weeks ago about
libjpeg 9a and got the response:

If it is clear from the circumstances that the divisor can't be zero,
then there is no issue here.  A static analyzer, as the name suggests,
has limited scope and can't assess all circumstances properly.
Does this still reproduce?
Flags: needinfo?(pankaj.m1)