pixiv/go-libjpeg

"SIGSEGV: segmentation violation" in parallel processing of corrupted image

bayandin opened this issue · 0 comments

One more crash found by go-fuzz.

Run the following program on the following input:

// +build ignore

package main

import (
	"bytes"
	"fmt"
	"io/ioutil"
	"os"

	"github.com/pixiv/go-libjpeg/jpeg"
)

// processImage decodes only the JPEG header, repeatedly, from one in-memory
// copy of the input. The DecodeConfig error is ignored on purpose: the input
// is corrupt by design and the aim is only to exercise the cgo call from many
// goroutines at the same time.
func processImage(data []byte, times int) {
	for i := 0; i < times; i++ {
		jpeg.DecodeConfig(bytes.NewReader(data))
	}
	fmt.Println("Done")
}

func main() {
	data, err := ioutil.ReadFile(os.Args[1])
	if err != nil {
		fmt.Printf("Error: %v\n", err)
		return
	}

	// 16 goroutines, each doing 100 header decodes of the same corrupted file.
	for i := 0; i < 16; i++ {
		go processImage(data, 100)
	}

	// Keep main alive until Enter is pressed so the goroutines get to run.
	fmt.Scanln()
}

a9db04212c08d15adf35b50454df05adbc1f18d9 (it shows as a corrupted image, as expected)

It crashes like this:

...
Corrupt JPEG data: 9455 extraneous bytes before marker 0xe9
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0xafffffe pc=0x4208527]

runtime stack:
runtime.throw(0x40ee7ab, 0x2a)
	/usr/local/Cellar/go/1.12.9/libexec/src/runtime/panic.go:617 +0x72
runtime.sigpanic()
	/usr/local/Cellar/go/1.12.9/libexec/src/runtime/signal_unix.go:374 +0x4a9

goroutine 25 [syscall]:
runtime.cgocall(0x40ab780, 0xc0001f4eb8, 0xc000086d80)
	/usr/local/Cellar/go/1.12.9/libexec/src/runtime/cgocall.go:128 +0x5b fp=0xc0001f4e88 sp=0xc0001f4e50 pc=0x40050cb
github.com/pixiv/go-libjpeg/jpeg._Cfunc_read_header(0xaa000d0, 0x1, 0x0)
	_cgo_gotypes.go:904 +0x4d fp=0xc0001f4eb8 sp=0xc0001f4e88 pc=0x40a80ed
github.com/pixiv/go-libjpeg/jpeg.readHeader.func1(0xaa000d0, 0xc000000008)
	/Users/bayandin/go/src/github.com/pixiv/go-libjpeg/jpeg/decompress.go:187 +0x5e fp=0xc0001f4ef0 sp=0xc0001f4eb8 pc=0x40a96ee
github.com/pixiv/go-libjpeg/jpeg.readHeader(0xaa000d0, 0x40efab8, 0xc0001f4f88)
	/Users/bayandin/go/src/github.com/pixiv/go-libjpeg/jpeg/decompress.go:187 +0x2f fp=0xc0001f4f28 sp=0xc0001f4ef0 pc=0x40a877f
github.com/pixiv/go-libjpeg/jpeg.DecodeConfig(0x4104ce0, 0xc00013cd80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
	/Users/bayandin/go/src/github.com/pixiv/go-libjpeg/jpeg/decompress.go:487 +0xb6 fp=0xc0001f4f58 sp=0xc0001f4f28 pc=0x40a88d6
main.processImage(0xc0000be000, 0x53f5b, 0x5415b, 0x64)
	/Users/bayandin/go/src/github.com/pixiv/go-libjpeg/test.go:16 +0x4a fp=0xc0001f4fc0 sp=0xc0001f4f58 pc=0x40aaa7a
runtime.goexit()
	/usr/local/Cellar/go/1.12.9/libexec/src/runtime/asm_amd64.s:1337 +0x1 fp=0xc0001f4fc8 sp=0xc0001f4fc0 pc=0x40546a1
created by main.main
	/Users/bayandin/go/src/github.com/pixiv/go-libjpeg/test.go:29 +0xc4
...

Here is the full output (if needed): full-output.log

go version go1.12.9 linux/amd64
libjpeg-turbo 2.0.2
repo is on commit 3da21a74767d9ffe29fcad7484ddd745f99e9f4c
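A small regression harness for this report, added here as an example and not part of go-libjpeg or the reporter's code: it runs the reproducer above (assumed to have been built into a binary, e.g. `go build -o repro test.go`, passed as `bin`) on the corrupted sample under a deadline, keeps stdin open so `fmt.Scanln` does not end the run early, and classifies the result from the Go runtime's crash text, so the crash can be retested once a fix lands.

```go
package main

import (
	"context"
	"os/exec"
	"regexp"
	"time"
)

type Outcome string // classification of one run of the compiled reproducer
const (
	OutcomeClean   Outcome = "clean"   // exit 0 and no crash text
	OutcomePanic   Outcome = "panic"   // Go panic: an error path, not a cgo fault
	OutcomeSignal  Outcome = "signal"  // fatal signal such as SIGSEGV raised inside cgo
	OutcomeTimeout Outcome = "timeout" // deadline reached: no crash observed this run
	OutcomeOther   Outcome = "other"   // non-zero exit without crash text
)

// A nil dereference in Go code prints "panic: ..." before its "[signal ..." line; only
// the "unexpected signal during runtime execution" form (the cgo crash above) is a signal crash.
var signalRe = regexp.MustCompile(`fatal error: unexpected signal[^\[]*\[signal (SIG[A-Z]+):`)
var panicRe = regexp.MustCompile(`(?m)^panic: `)

// Classify derives the outcome from combined output, exit error and whether the deadline ended the run.
func Classify(output []byte, runErr error, deadlineHit bool) (Outcome, string) {
	if m := signalRe.FindSubmatch(output); m != nil {
		return OutcomeSignal, string(m[1])
	}
	if panicRe.Match(output) {
		return OutcomePanic, ""
	}
	if deadlineHit {
		return OutcomeTimeout, ""
	}
	if runErr == nil {
		return OutcomeClean, ""
	}
	return OutcomeOther, ""
}

// RunReproducer runs the binary built from test.go (path bin) on sample for at most d,
// with stdin held open so the program's fmt.Scanln does not return before the goroutines race.
func RunReproducer(bin, sample string, d time.Duration) (Outcome, string, []byte) {
	ctx, cancel := context.WithTimeout(context.Background(), d)
	defer cancel()
	cmd := exec.CommandContext(ctx, bin, sample)
	cmd.StdinPipe()                  // keeps stdin open until Wait; only fails if Stdin was already set
	out, err := cmd.CombinedOutput() // stdout and stderr interleaved, as in the report
	o, sig := Classify(out, err, ctx.Err() == context.DeadlineExceeded)
	return o, sig, out
}
```

A run that ends in "timeout" means the race did not trigger within the deadline, not that the bug is fixed, so a CI check should run it several times before treating the result as clean.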