[Prevent NULL-ptr dereference] check return value jpeg_read_coefficients #26
Conversation
I don't think the check should be here. There should be an error output in do_quantsmooth(), because jpegqs can be a library that can be used in other applications: `if (!coef_arrays) return 2;` I need a sample to reproduce this. If this causes jpegqs to crash, then libjpeg's jpegtran utility will probably do the same.
In the libjpeg-turbo source code at libjpeg-turbo/jdtrans.c, a
Sure, I will update it.
Yes, this would be a better approach to handle it.
I don't have a sample at hand. Actually, as a part of our research project at Purdue University, we have built a tool that simulates various "faulty" conditions (for example simulating memory exhaustion, in which case

I was unable to reproduce this using a JPEG image truncated in every possible place. I believe that this NULL can only happen if the libjpeg functions are called with certain arguments that I don't use. I don't think that "memory exhaustion, in which case malloc would return NULL" is a big deal; C++ even forgot about it for decades. Only an RTOS can return NULL these days. Other OSes are configured to NEVER allocate real memory, only virtual space. So malloc will never return NULL unless the address space is exhausted. In case you didn't know. So I find your work pretty useless, especially if you can't reproduce it with a real input. The theoretical dereference of a NULL pointer is not a serious problem. Why? Because the program will terminate with an exception. It can't be turned into an RCE.
`jpeg_read_coefficients` can return `NULL` in certain conditions. If we continue without checking the return value, this could lead to a NULL-pointer dereference further down the execution. This fix checks the return value of the call to `jpeg_read_coefficients` and exits in case it is `NULL`.
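As an added illustration of the two points raised in this thread (the PR author's fault-injection tool that makes malloc return NULL, and the maintainer's preference for an error return in do_quantsmooth() over exiting), here is a self-contained C model. It is not jpegqs or libjpeg code: `fi_malloc`, `read_coefficients`, `smooth_coefficients` and `fault_sweep` are hypothetical stand-ins, and the coefficient layout is invented; only the calling pattern (check the pointer, return 2 to the embedding application) follows the maintainer's suggestion. It shows how a NULL path that no truncated input reaches can still be exercised deterministically by failing each allocation in turn.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault-injection allocator (not part of jpegqs or libjpeg):
 * after fi_reset(N) the N-th allocation returns NULL, all others go to
 * malloc. fi_reset(-1) disables injection. */
static int fi_fail_at = -1;
static int fi_alloc_count = 0;

void fi_reset(int fail_on_nth) {
    fi_fail_at = fail_on_nth;
    fi_alloc_count = 0;
}

static void *fi_malloc(size_t n) {
    fi_alloc_count++;
    if (fi_fail_at > 0 && fi_alloc_count == fi_fail_at) return NULL;
    return malloc(n);
}

/* Hypothetical stand-in for one component's coefficient array. */
typedef struct {
    int width_in_blocks;
    int height_in_blocks;
    short *blocks;              /* 64 coefficients per 8x8 block */
} coef_array;

static void free_coefficients(coef_array **arrays, int ncomp) {
    if (!arrays) return;
    for (int i = 0; i < ncomp; i++) {
        if (arrays[i]) free(arrays[i]->blocks);
        free(arrays[i]);
    }
    free(arrays);
}

/* Hypothetical stand-in for jpeg_read_coefficients(): allocates one array
 * per component and, like the real call the PR guards against, returns NULL
 * when it cannot. Partially built state is released before returning. */
coef_array **read_coefficients(int ncomp, int w, int h) {
    coef_array **arrays = fi_malloc(sizeof(*arrays) * (size_t)ncomp);
    if (!arrays) return NULL;
    memset(arrays, 0, sizeof(*arrays) * (size_t)ncomp);
    for (int i = 0; i < ncomp; i++) {
        arrays[i] = fi_malloc(sizeof(coef_array));
        if (!arrays[i]) { free_coefficients(arrays, ncomp); return NULL; }
        arrays[i]->width_in_blocks = w;
        arrays[i]->height_in_blocks = h;
        arrays[i]->blocks = NULL;   /* so a failed block alloc frees cleanly */
        size_t nshort = (size_t)64 * (size_t)w * (size_t)h;
        arrays[i]->blocks = fi_malloc(nshort * sizeof(short));
        if (!arrays[i]->blocks) { free_coefficients(arrays, ncomp); return NULL; }
        memset(arrays[i]->blocks, 0, nshort * sizeof(short));
    }
    return arrays;
}

/* Hypothetical caller in the shape the maintainer proposes for
 * do_quantsmooth(): on NULL, return error code 2 to the embedding
 * application instead of exit()ing or dereferencing the pointer. */
int smooth_coefficients(int ncomp, int w, int h) {
    coef_array **coef_arrays = read_coefficients(ncomp, w, h);
    if (!coef_arrays) return 2;             /* the check under discussion */

    /* Read every block so the unchecked version would really fault here. */
    long sum = 0;
    for (int i = 0; i < ncomp; i++) {
        size_t n = (size_t)64 * (size_t)coef_arrays[i]->width_in_blocks
                              * (size_t)coef_arrays[i]->height_in_blocks;
        for (size_t k = 0; k < n; k++) sum += coef_arrays[i]->blocks[k];
    }
    (void)sum;
    free_coefficients(coef_arrays, ncomp);
    return 0;
}

/* Fault-injection sweep: fail allocations 1..max_allocs one at a time and
 * count how many runs report error 2. The model makes 1 + 2*ncomp
 * allocations, so schedules beyond that succeed; a crash anywhere in the
 * sweep is exactly the defect the PR's check prevents. */
int fault_sweep(int ncomp, int w, int h, int max_allocs) {
    int reported = 0;
    for (int n = 1; n <= max_allocs; n++) {
        fi_reset(n);
        if (smooth_coefficients(ncomp, w, h) == 2) reported++;
    }
    fi_reset(-1);
    return reported;
}

int main(void) {
    printf("schedules reporting error 2: %d of 8\n", fault_sweep(3, 4, 4, 8));
    return 0;
}
```

The sweep is the reproduction step the thread lacked: instead of searching for an input that makes the library fail, every allocation site is failed in turn and the caller is expected to come back with a status code each time.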