CVE-2019-16350: NULL Pointer Dereference in idct2d8x8() at dct.c:201 · Issue #10 · rockcarry/ffjpeg

ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.


Closed · Marsman1996 opened this issue on Aug 18, 2019 · 2 comments

Test Environment

Ubuntu 14.04, 64-bit, ffjpeg (master 627c8a9)

How to trigger

  1. Compile ffjpeg with the CMake file from #6 ("CMake Support && FPE on unknown address")
  2. $ ./ffjpeg -d $POC

POC file

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc20-idct2d8x8-SEGV

ASan report

ASAN:SIGSEGV
=================================================================
==21545== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000040db78 sp 0x7ffd4681f2e0 bp 0x7ffd4681f340 T0)
AddressSanitizer can not provide additional info.
    #0 0x40db77 in idct2d8x8 /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
    #1 0x40605b in jfif_decode /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:508
    #2 0x401a70 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
    #3 0x7f8448218f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
SUMMARY: AddressSanitizer: SEGV /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201 idct2d8x8
==21545== ABORTING

GDB report

Program received signal SIGSEGV, Segmentation fault.
0x0000000000406402 in idct2d8x8 (data=0x7fffffffe070, ftab=0xffffffff)
    at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
201             data[ctr] *= ftab[ctr];
(gdb) bt
#0  0x0000000000406402 in idct2d8x8 (data=0x7fffffffe070, ftab=0xffffffff)
    at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
#1  0x0000000000403435 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe1a0)
    at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:508
#2  0x0000000000401672 in main (argc=3, argv=0x7fffffffe2a8)
    at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
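The crash above happens in the dequantize loop with an ftab pointer that was never valid. The following is an added example, not ffjpeg's code, that models that step under an assumption the page does not show: that ftab is the quantization table a component selects by its DQT index Tq, so a file whose SOF names a table no DQT segment defined leaves the pointer NULL. It places the unchecked loop beside a hardened entry point that rejects such input instead of dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ffjpeg's code. Names (jpeg_ctx, load_dqt, dequant_block)
 * are hypothetical; the table-selection model is an assumption, see lead-in. */
#define DCT_BLOCK 64
#define MAX_QTAB  4

enum { JPEG_OK = 0, JPEG_ERR_BAD_TQ = -1, JPEG_ERR_NO_TABLE = -2 };

typedef struct {
    int  store[MAX_QTAB][DCT_BLOCK];
    int *qtab[MAX_QTAB];            /* NULL until a DQT segment fills it */
} jpeg_ctx;

/* Stand-in for DQT parsing: define table tq from 64 dequant factors. */
int load_dqt(jpeg_ctx *c, int tq, const int *vals)
{
    if (tq < 0 || tq >= MAX_QTAB) return JPEG_ERR_BAD_TQ;
    memcpy(c->store[tq], vals, sizeof c->store[tq]);
    c->qtab[tq] = c->store[tq];
    return JPEG_OK;
}

/* Same shape as the loop at dct.c:201: trusts ftab completely. */
static void dequant_unchecked(int *data, const int *ftab)
{
    for (int ctr = 0; ctr < DCT_BLOCK; ctr++) data[ctr] *= ftab[ctr];
}

/* Hardened entry point: validate the table reference before using it. */
int dequant_block(const jpeg_ctx *c, int tq, int *data)
{
    if (tq < 0 || tq >= MAX_QTAB) return JPEG_ERR_BAD_TQ;   /* Tq out of range */
    if (c->qtab[tq] == NULL)      return JPEG_ERR_NO_TABLE; /* no DQT for Tq  */
    dequant_unchecked(data, c->qtab[tq]);
    return JPEG_OK;
}

int main(void)
{
    jpeg_ctx c = {{{0}}, {NULL}};           /* constructed context, no DQT yet */
    int vals[DCT_BLOCK], data[DCT_BLOCK];
    for (int i = 0; i < DCT_BLOCK; i++) { vals[i] = 2; data[i] = i; }
    printf("before DQT: %d\n", dequant_block(&c, 1, data)); /* -2, no crash */
    load_dqt(&c, 1, vals);
    printf("after DQT:  %d\n", dequant_block(&c, 1, data)); /* 0 */
    return 0;
}
```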

rockcarry added a commit that referenced this issue (Aug 19, 2019):

I made a new commit, commit b3039ae, which fixes issues #10, #11 and #12.

Can you test again?

Marsman1996 (Contributor, Author):

I tested it with commit b3039ae and I think it has been fixed.
