Closed
Bug 1301256
Opened 8 years ago
Closed 8 years ago
libjpeg-turbo: left shift of negative value in [@decode_mcu_AC_first]
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
RESOLVED
FIXED
mozilla52
People
(Reporter: tsmith, Unassigned)
References
Details
(Keywords: sec-audit, testcase, Whiteboard: [adv-main50-])
Attachments
(1 file)
|
324 bytes,
image/jpeg
|
Details |
test_case.jpg
I found this while fuzzing a 32-bit build of libjpeg-turbo revision 8ce2c9119a995ef6280f8bba375aac7effb9b571.
This was found with UBSan with build flags:
CFLAGS="-fsanitize=undefined -fno-sanitize-recover=undefined -m32 -g -O2" LDFLAGS="-fsanitize=undefined -m32" CC=clang
This is not a sec issue but I am marking as such until the other 32-bit UBSan issues are resolved.
../jdarith.c:385:50: runtime error: left shift of negative value -1
#0 0x8273349 in decode_mcu_AC_first /home/user/code/libjpeg-turbo/build/../jdarith.c:385:50
#1 0x828703d in consume_data /home/user/code/libjpeg-turbo/build/../jdcoefct.c:232:13
#2 0x81736f4 in jpeg_start_decompress /home/user/code/libjpeg-turbo/build/../jdapistd.c:65:19
#3 0x8136788 in fuzz /home/user/code/libjpeg-turbo/build/../djpeg.c:179:10
#4 0x8137630 in main /home/user/code/libjpeg-turbo/build/../djpeg.c:218:3
#5 0xf7496636 in __libc_start_main /build/glibc-az1lHK/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x8061d57 in _start (/home/user/workspace/libjpeg/djpeg+0x8061d57)
Fix pushed https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a1dd35680d40758f234f214cef4c53cd1bc4b34e
|
||
Updated•8 years ago
|
|
Reporter | |
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
|
||
Updated•8 years ago
|
Whiteboard: [adv-main50-]
|
||
Updated•8 years ago
|
Group: gfx-core-security → core-security-release
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•