Headline

CVE-2019-16351: SEGV in huffman_decode_step() at huffman.c:371 · Issue #11 · rockcarry/ffjpeg

ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c.

5 years ago

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 2 comments

Comments

Test Environment

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

How to trigger

compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
$ ./ffjpeg -d $POC

POC file

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc21-huffman_decode_step-SEGV

Details****Asan report

ASAN:SIGSEGV
=================================================================
==19241== ERROR: AddressSanitizer: SEGV on unknown address 0x000000001590 (pc 0x000000410e8b sp 0x7fff54e12780 bp 0x7fff54e127a0 T0)
AddressSanitizer can not provide additional info.
    #0 0x410e8a in huffman_decode_step /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
    #1 0x405f04 in jfif_decode /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:493
    #2 0x401a70 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
    #3 0x7f8d44273f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
SUMMARY: AddressSanitizer: SEGV /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371 huffman_decode_step
==19241== ABORTING

GDB report

Program received signal SIGSEGV, Segmentation fault.
0x000000000040775f in huffman_decode_step (phc=0x0)
    at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
371         if (!phc->input) return EOF;
(gdb) bt
#0  0x000000000040775f in huffman_decode_step (phc=0x0)
    at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
#1  0x0000000000403357 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe190)
    at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:493
#2  0x0000000000401672 in main (argc=3, argv=0x7fffffffe298)
    at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25

rockcarry added a commit that referenced this issue

Aug 19, 2019

This was referenced

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

Copy link

Contributor Author

I tested it with commit b3039ae
and I think it has been fixed

2 participants