19f9d8f0fd
When used with TJFLAG_NOREALLOC and with TJXOP_TRANSPOSE, TJXOP_TRANSVERSE, TJXOP_ROT90, or TJXOP_ROT270, tjTransform() incorrectly based the destination buffer size for a transform on the source image dimensions rather than the transformed image dimensions. This was apparently a long-standing bug that had existed in the tjTransform() function since its inception. As initially implemented in the evolving libjpeg-turbo v1.2 code base, tjTransform() required dstSizes[i] to be set regardless of whether TJFLAG_NOREALLOC was set.ff78e37595, which was introduced later in the evolving libjpeg-turbo v1.2 code base, removed that requirement and planted the seed for the bug. However, the bug was not activated until9b49f0e4c7was introduced still later in the evolving libjpeg-turbo v1.2 code base, adding a subsampling type argument to the (new at the time) tjBufSize() function and thus making the width and height arguments no longer commutative. The bug opened up the possibility that a JPEG source image could cause tjTransform() to overflow the destination buffer for a transform if all of the following were true: - The JPEG source image used 4:2:2, 4:4:0, or 4:1:1 subsampling. (These are the only supported subsampling types for which the width and height arguments to tjBufSize() are not commutative.) - The width and height of the JPEG source image were such that tjBufSize(height, width, subsamplingType) returned a smaller value than tjBufSize(width, height, subsamplingType). - The JPEG source image contained enough metadata that the size of the transformed image was larger than tjBufSize(height, width, subsamplingType). - TJFLAG_NOREALLOC was set. - TJXOP_TRANSPOSE, TJXOP_TRANSVERSE, TJXOP_ROT90, or TJXOP_ROT270 was used. - TJXOPT_COPYNONE was not set. - TJXOPT_CROP was not set. - The calling program allocated tjBufSize(height, width, subsamplingType) bytes for the destination buffer, as the API documentation instructs. The API documentation cautions that JPEG source images containing a large amount of extraneous metadata (EXIF, IPTC, ICC, etc.) cannot reliably be transformed if TJFLAG_NOREALLOC is set and TJXOPT_COPYNONE is not set. Irrespective of the bug, there are still cases in which a JPEG source image with a large amount of metadata can, when transformed, exceed the worst-case transformed JPEG image size. For instance, if you try to losslessly crop a JPEG image with 3 kB of EXIF data to 16x16 pixels, then you are guaranteed to exceed the worst-case 16x16 JPEG image size unless you discard the EXIF data. Even without the bug, tjTransform() will still fail with "Buffer passed to JPEG library is too small" when attempting to transform JPEG source images that meet the aforementioned criteria. The bug is that the function segfaults rather than failing gracefully, but the chances of that occurring in a real-world application are very slim. Any real-world application developers who attempted to transform arbitrary JPEG source images with TJFLAG_NOREALLOC set would very quickly realize that they cannot reliably do that without also setting TJXOPT_COPYNONE. Thus, I posit that the actual risk posed by this bug is low. Applications such as web browsers that are the most exposed to security risks from arbitrary JPEG source images do not use the TurboJPEG lossless transform feature. (None of those applications even use the TurboJPEG API, to the best of my knowledge, and the public libjpeg API has no equivalent transform function.) Our only command-line interface to the tjTransform() function, TJBench, was not exposed to the bug because it had a compatible bug whereby it allocated the JPEG destination buffer to the same size that tjTransform() erroneously expected. The TurboJPEG Java API was also not exposed to the bug because of a similar compatible bug in the Java_org_libjpegturbo_turbojpeg_TJTransformer_transform() JNI function. (This commit fixes both compatible bugs.) In short, best practices for tjTransform() are to use TJFLAG_NOREALLOC only with JPEG source images that are known to be free of metadata (such as images generated by tjCompress*()) or to use TJXOPT_COPYNONE along with TJFLAG_NOREALLOC. Still, however, the function shouldn't segfault as long as the calling program allocates the suggested amount of space for the JPEG destination buffer. Usability notes: tjTransform() could hypothetically require dstSizes[i] to be set regardless of whether TJFLAG_NOREALLOC is set, but there are usability pitfalls either way. The main pitfall I sought to avoid withff78e37595was a calling program failing to set dstSizes[i] at all, thus leaving its value undefined. It could be argued that requiring dstSizes[i] to be set in all cases is more consistent, but it could also be argued that not requiring it to be set when TJFLAG_NOREALLOC is set is more user-proof. tjTransform() could also hypothetically set TJXOPT_COPYNONE automatically when TJFLAG_NOREALLOC is set, but that could lead to user confusion.
160 lines
5.3 KiB
C++
160 lines
5.3 KiB
C++
/*
|
|
* Copyright (C)2021, 2023 D. R. Commander. All Rights Reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
*
|
|
* - Redistributions of source code must retain the above copyright notice,
|
|
* this list of conditions and the following disclaimer.
|
|
* - Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
* - Neither the name of the libjpeg-turbo Project nor the names of its
|
|
* contributors may be used to endorse or promote products derived from this
|
|
* software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <turbojpeg.h>
|
|
#include <stdlib.h>
|
|
#include <stdint.h>
|
|
#include <string.h>
|
|
|
|
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
|
{
|
|
tjhandle handle = NULL;
|
|
unsigned char *dstBufs[1] = { NULL };
|
|
unsigned long dstSizes[1] = { 0 }, maxBufSize;
|
|
int width = 0, height = 0, jpegSubsamp, jpegColorspace, i;
|
|
tjtransform transforms[1];
|
|
#if defined(__has_feature) && __has_feature(memory_sanitizer)
|
|
char env[18] = "JSIMD_FORCENONE=1";
|
|
|
|
/* The libjpeg-turbo SIMD extensions produce false positives with
|
|
MemorySanitizer. */
|
|
putenv(env);
|
|
#endif
|
|
|
|
if ((handle = tjInitTransform()) == NULL)
|
|
goto bailout;
|
|
|
|
/* We ignore the return value of tjDecompressHeader3(), because some JPEG
|
|
images may have unusual subsampling configurations that the TurboJPEG API
|
|
cannot identify but can still transform. */
|
|
tjDecompressHeader3(handle, data, size, &width, &height, &jpegSubsamp,
|
|
&jpegColorspace);
|
|
|
|
/* Ignore 0-pixel images and images larger than 1 Megapixel. Casting width
|
|
to (uint64_t) prevents integer overflow if width * height > INT_MAX. */
|
|
if (width < 1 || height < 1 || (uint64_t)width * height > 1048576)
|
|
goto bailout;
|
|
|
|
if (jpegSubsamp < 0 || jpegSubsamp >= TJ_NUMSAMP)
|
|
jpegSubsamp = TJSAMP_444;
|
|
|
|
memset(&transforms[0], 0, sizeof(tjtransform));
|
|
|
|
transforms[0].op = TJXOP_NONE;
|
|
transforms[0].options = TJXOPT_PROGRESSIVE | TJXOPT_COPYNONE;
|
|
dstBufs[0] = (unsigned char *)malloc(tjBufSize(width, height, jpegSubsamp));
|
|
if (!dstBufs[0])
|
|
goto bailout;
|
|
|
|
maxBufSize = tjBufSize(width, height, jpegSubsamp);
|
|
|
|
if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
|
|
TJFLAG_LIMITSCANS | TJFLAG_NOREALLOC) == 0) {
|
|
/* Touch all of the output pixels in order to catch uninitialized reads
|
|
when using MemorySanitizer. */
|
|
int sum = 0;
|
|
|
|
for (i = 0; i < dstSizes[0]; i++)
|
|
sum += dstBufs[0][i];
|
|
|
|
/* Prevent the code above from being optimized out. This test should
|
|
never be true, but the compiler doesn't know that. */
|
|
if (sum > 255 * maxBufSize)
|
|
goto bailout;
|
|
}
|
|
|
|
free(dstBufs[0]);
|
|
dstBufs[0] = NULL;
|
|
|
|
transforms[0].r.w = (height + 1) / 2;
|
|
transforms[0].r.h = (width + 1) / 2;
|
|
transforms[0].op = TJXOP_TRANSPOSE;
|
|
transforms[0].options = TJXOPT_GRAY | TJXOPT_CROP | TJXOPT_COPYNONE;
|
|
dstBufs[0] =
|
|
(unsigned char *)malloc(tjBufSize((height + 1) / 2, (width + 1) / 2,
|
|
TJSAMP_GRAY));
|
|
if (!dstBufs[0])
|
|
goto bailout;
|
|
|
|
maxBufSize = tjBufSize((height + 1) / 2, (width + 1) / 2, TJSAMP_GRAY);
|
|
|
|
if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
|
|
TJFLAG_LIMITSCANS | TJFLAG_NOREALLOC) == 0) {
|
|
int sum = 0;
|
|
|
|
for (i = 0; i < dstSizes[0]; i++)
|
|
sum += dstBufs[0][i];
|
|
|
|
if (sum > 255 * maxBufSize)
|
|
goto bailout;
|
|
}
|
|
|
|
free(dstBufs[0]);
|
|
dstBufs[0] = NULL;
|
|
|
|
transforms[0].op = TJXOP_ROT90;
|
|
transforms[0].options = TJXOPT_TRIM;
|
|
dstBufs[0] = (unsigned char *)malloc(tjBufSize(height, width, jpegSubsamp));
|
|
if (!dstBufs[0])
|
|
goto bailout;
|
|
|
|
maxBufSize = tjBufSize(height, width, jpegSubsamp);
|
|
|
|
if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
|
|
TJFLAG_LIMITSCANS | TJFLAG_NOREALLOC) == 0) {
|
|
int sum = 0;
|
|
|
|
for (i = 0; i < dstSizes[0]; i++)
|
|
sum += dstBufs[0][i];
|
|
|
|
if (sum > 255 * maxBufSize)
|
|
goto bailout;
|
|
}
|
|
|
|
free(dstBufs[0]);
|
|
dstBufs[0] = NULL;
|
|
dstSizes[0] = 0;
|
|
|
|
if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
|
|
TJFLAG_LIMITSCANS) == 0) {
|
|
int sum = 0;
|
|
|
|
for (i = 0; i < dstSizes[0]; i++)
|
|
sum += dstBufs[0][i];
|
|
|
|
if (sum > 255 * maxBufSize)
|
|
goto bailout;
|
|
}
|
|
|
|
bailout:
|
|
free(dstBufs[0]);
|
|
if (handle) tjDestroy(handle);
|
|
return 0;
|
|
}
|