Bug 438631 - [PATCH] Segfault on broken jpeg header
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: foremost
Version: rawhide
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Toshio Ernie Kuratomi
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-03-23 11:47 EDT by Milan Broz
Modified: 2013-02-28 23:06 EST
CC: 3 users
Doc Type: Bug Fix
Last Closed: 2008-03-24 14:43:00 EDT
Attachments
Proposed patch (374 bytes, patch), 2008-03-23 11:47 EDT, Milan Broz
Description Milan Broz 2008-03-23 11:47:23 EDT
Description of problem:
foremost segfaults with broken jpeg file header

Version-Release number of selected component (if applicable):
foremost-1.5.3-1.fc9

gdb backtrace of version 1.5.3 to show the problem:

Program received signal SIGSEGV, Segmentation fault.
0x08053259 in extract_jpeg (s=0x80be008, c_offset=104757349, foundat=0xb7f87848 <Address 0xb7f87848 out of bounds>, buflen=100251, needle=0x8058240, f_offset=9961472000) at extract.c:1768
1768                    if (foundat[2] != (unsigned char)'\xff')
(gdb) p *foundat
Cannot access memory at address 0xb7f87848
(gdb) bt
#0  0x08053259 in extract_jpeg (s=0x80be008, c_offset=104757349, foundat=0xb7f87848 <Address 0xb7f87848 out of bounds>, buflen=100251, needle=0x8058240, f_offset=9961472000) at extract.c:1768
#1  0x080546d7 in extract_file (s=0x80be008, c_offset=104757349, foundat=0xb7f6786d "????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????"..., buflen=100251, needle=0x8058240, f_offset=9961472000) at extract.c:2338
#2  0x0804e03e in search_chunk (s=0x80be008, buf=0xb1b80008 "\006", i=0x80becd0, chunk_size=104857600, f_offset=9961472000) at engine.c:462
#3  0x0804e41c in search_stream (s=0x80be008, i=0x80becd0) at engine.c:582
#4  0x0804e72a in process_file (s=0x80be008) at engine.c:675
#5  0x080496ce in main (argc=6, argv=0xbf8fdc18) at main.c:314

See attached patch for fix. (I will send it upstream too.)
Comment 1 Milan Broz 2008-03-23 11:47:23 EDT
Created attachment 298864 [details]
Proposed patch
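The backtrace pins the fault on the `foundat[2]` read in extract_jpeg after foundat has been advanced past the end of the carve buffer: the foundat in frame #0 is 0xb7f87848 - 0xb7f6786d = 131035 bytes beyond the one extract_file passed in frame #1, while buflen is only 100251. The attached patch is not reproduced on this page, so the code below does not claim to be it. It is an added example, not foremost's code, of the class of fix this bug calls for: a JPEG marker walk in which every read, including that first `p[2]` check, is bounded by the bytes remaining in the buffer. The function name `jpeg_extent` and the sample buffers are the example's own; the buffers are constructed, not real images.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not foremost's code or the attached patch.
 *
 * Walk the marker segments of a JPEG whose SOI (FF D8) sits at `off` inside a
 * carve buffer `buf` of `buflen` bytes.  Returns the offset one past the EOI
 * marker (FF D9), or 0 if the image is truncated or malformed.  Every read is
 * checked against the bytes still available, so a header cut off at the end
 * of a chunk, or a segment length that points past the buffer, fails cleanly
 * instead of walking off the buffer the way the backtrace above shows. */
size_t jpeg_extent(const unsigned char *buf, size_t buflen, size_t off)
{
    const unsigned char *p;
    size_t remaining;

    if (off > buflen)
        return 0;
    p = buf + off;
    remaining = buflen - off;

    /* SOI followed by the FF of the first marker: the unchecked version of
     * this p[2] read is the faulting line in the report. */
    if (remaining < 4 || p[0] != 0xFF || p[1] != 0xD8 || p[2] != 0xFF)
        return 0;
    p += 2;
    remaining -= 2;

    for (;;) {
        unsigned char marker;
        size_t seglen;

        if (remaining < 2 || p[0] != 0xFF)
            return 0;                    /* ran out of data mid-header */
        marker = p[1];

        if (marker == 0xD9)              /* EOI: image ends here */
            return (size_t)(p + 2 - buf);
        if (marker == 0xFF) {            /* fill byte before a marker */
            p += 1; remaining -= 1;
            continue;
        }
        if (marker == 0x00)              /* FF 00 is only valid inside scan data */
            return 0;
        if (marker == 0x01 || marker == 0xD8 ||
            (marker >= 0xD0 && marker <= 0xD7)) {
            p += 2; remaining -= 2;      /* TEM, SOI, RSTn carry no length */
            continue;
        }

        /* Everything else has a 16-bit big-endian length that counts itself. */
        if (remaining < 4)
            return 0;
        seglen = ((size_t)p[2] << 8) | p[3];
        if (seglen < 2 || seglen > remaining - 2)
            return 0;                    /* length claims bytes we do not have */
        p += 2 + seglen;
        remaining -= 2 + seglen;

        if (marker == 0xDA) {
            /* SOS: entropy-coded data follows.  Skip to the next real marker;
             * FF 00 is a stuffed byte and FF D0..D7 are restart markers. */
            while (remaining >= 2) {
                if (p[0] == 0xFF && p[1] != 0x00 &&
                    !(p[1] >= 0xD0 && p[1] <= 0xD7))
                    break;
                p++; remaining--;
            }
        }
    }
}

/* Constructed sample: two bytes of unrelated disk data, then a tiny JPEG
 * (SOI, a 2-byte APP0 payload, an empty SOS header, four bytes of scan data
 * containing a stuffed FF 00, EOI).  Not a real image, just valid framing. */
static const unsigned char sample[] = {
    0x00, 0x11,
    0xFF, 0xD8,                         /* SOI at offset 2 */
    0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46, /* APP0, length 4 */
    0xFF, 0xDA, 0x00, 0x02,             /* SOS, length 2 */
    0x12, 0xFF, 0x00, 0x34,             /* entropy data */
    0xFF, 0xD9                          /* EOI at offsets 18..19 */
};

/* A buffer that ends right after SOI: the shape of the crash in the report. */
static const unsigned char cut_after_soi[] = { 0xFF, 0xD8 };

/* A header whose APP0 length (0xFFFF) points far past the buffer. */
static const unsigned char lying_length[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0xFF, 0xFF, 0x00 };

int main(void)
{
    printf("complete image ends at %zu\n", jpeg_extent(sample, sizeof sample, 2));
    printf("truncated copy: %zu\n", jpeg_extent(sample, 12, 2));
    printf("cut after SOI: %zu\n", jpeg_extent(cut_after_soi, sizeof cut_after_soi, 0));
    printf("lying length: %zu\n", jpeg_extent(lying_length, sizeof lying_length, 0));
    return 0;
}
```

A carver's outer loop would call something like this once per SOI hit inside a chunk, passing the chunk length it already has (the `buflen` parameter extract_jpeg receives in the backtrace), and treat a 0 return as "not a complete image in this buffer" rather than as a reason to keep reading.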
Comment 2 Jon Stanley 2008-03-23 17:37:37 EDT
nothing to triage - crash with complete backtrace and patch
Comment 3 Toshio Kuratomi 2008-03-24 14:43:00 EDT
Thanks Milan, patch applied to rawhide.

Thanks for sending this upstream!