Bug 438631 - [PATCH] Segfault on broken jpeg header
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: foremost
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Toshio Ernie Kuratomi
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-03-23 15:47 UTC by Milan Broz
Modified: 2013-03-01 04:06 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-03-24 18:43:00 UTC


Attachments (Terms of Use)
Proposed patch (374 bytes, patch)
2008-03-23 15:47 UTC, Milan Broz

Description Milan Broz 2008-03-23 15:47:23 UTC
Description of problem:
foremost segfaults with broken jpeg file header

Version-Release number of selected component (if applicable):
foremost-1.5.3-1.fc9

gdb backtrace of version 1.5.3 to show the problem:

Program received signal SIGSEGV, Segmentation fault.
0x08053259 in extract_jpeg (s=0x80be008, c_offset=104757349, foundat=0xb7f87848
<Address 0xb7f87848 out of bounds>, buflen=100251, needle=0x8058240,
    f_offset=9961472000) at extract.c:1768
1768                    if (foundat[2] != (unsigned char)'\xff')
(gdb) p *foundat
Cannot access memory at address 0xb7f87848
(gdb) bt
#0  0x08053259 in extract_jpeg (s=0x80be008, c_offset=104757349,
foundat=0xb7f87848 <Address 0xb7f87848 out of bounds>, buflen=100251,
needle=0x8058240,
    f_offset=9961472000) at extract.c:1768
#1  0x080546d7 in extract_file (s=0x80be008, c_offset=104757349,
    foundat=0xb7f6786d
"????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????"...,
buflen=100251, needle=0x8058240, f_offset=9961472000) at extract.c:2338
#2  0x0804e03e in search_chunk (s=0x80be008, buf=0xb1b80008 "\006", i=0x80becd0,
chunk_size=104857600, f_offset=9961472000) at engine.c:462
#3  0x0804e41c in search_stream (s=0x80be008, i=0x80becd0) at engine.c:582
#4  0x0804e72a in process_file (s=0x80be008) at engine.c:675
#5  0x080496ce in main (argc=6, argv=0xbf8fdc18) at main.c:314

See attached patch for fix. (I will send it upstream too.)

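Added illustration, not the attached patch and not foremost's own code: the backtrace shows extract_jpeg evaluating foundat[2] after foundat has already moved past the end of the 100251-byte search buffer. The hypothetical helpers below (within_buffer, check_jpeg_soi, next_marker_offset) show the kind of bounds check a marker scanner needs before it reads bytes at a candidate position, run against a constructed sample chunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not foremost's code: non-zero only when the n bytes
 * starting at p lie entirely inside buf[0 .. buflen). Addresses are compared
 * as integers so that a p that has already run past the end is never read. */
static int within_buffer(const unsigned char *buf, size_t buflen,
                         const unsigned char *p, size_t n)
{
    uintptr_t b = (uintptr_t)buf, e = b + buflen, q = (uintptr_t)p;
    return q >= b && q <= e && n <= e - q;
}

/* Hypothetical check of the three-byte JPEG SOI prefix ff d8 ff at foundat.
 * Returns 1 when present, 0 when the bytes differ, and -1 when fewer than
 * three bytes are readable there (the case the backtrace above shows
 * crashing on foundat[2]). */
int check_jpeg_soi(const unsigned char *buf, size_t buflen,
                   const unsigned char *foundat)
{
    if (!within_buffer(buf, buflen, foundat, 3))
        return -1;
    if (foundat[0] != 0xff || foundat[1] != 0xd8 || foundat[2] != 0xff)
        return 0;
    return 1;
}

/* Hypothetical marker walk: from offset off, find the next 0xff byte that
 * still has two readable bytes after it. Returns its offset, or -1 when the
 * chunk ends first, so the caller stops instead of reading past buflen. */
long next_marker_offset(const unsigned char *buf, size_t buflen, size_t off)
{
    while (off < buflen && buflen - off >= 3) {
        if (buf[off] == 0xff)
            return (long)off;
        off++;
    }
    return -1;
}

/* Constructed sample chunk (not data from the report): a valid SOI prefix at
 * offset 1, and a second "ff d8" cut off by the end of the chunk at offset 6. */
const unsigned char sample_chunk[] = { 0x00, 0xff, 0xd8, 0xff, 0xe0, 0x10, 0xff, 0xd8 };
const size_t sample_len = sizeof sample_chunk;

int main(void)
{
    printf("SOI at offset 1: %d\n",
           check_jpeg_soi(sample_chunk, sample_len, sample_chunk + 1));
    printf("SOI at offset 0: %d\n",
           check_jpeg_soi(sample_chunk, sample_len, sample_chunk + 0));
    printf("truncated marker at offset 6: %d\n",
           check_jpeg_soi(sample_chunk, sample_len, sample_chunk + 6));
    printf("one past the end: %d\n",
           check_jpeg_soi(sample_chunk, sample_len, sample_chunk + sample_len));
    printf("next marker from offset 4: %ld\n",
           next_marker_offset(sample_chunk, sample_len, 4));
    return 0;
}
```

The offset-based comparison is the point: once foundat can legitimately sit anywhere in the chunk, every read of foundat[k] has to be gated on buflen, and a walker that advances foundat must stop when fewer bytes remain than it is about to read.
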
Comment 1 Milan Broz 2008-03-23 15:47:23 UTC
Created attachment 298864 [details]
Proposed patch

Comment 2 Jon Stanley 2008-03-23 21:37:37 UTC
nothing to triage - crash with complete backtrace and patch

Comment 3 Toshio Kuratomi 2008-03-24 18:43:00 UTC
Thanks Milan, patch applied to rawhide.

Thanks for sending this upstream!