Date: Thu, 6 Nov 2014 19:30:09 -0800
From: Michal Zalewski <>
To: oss-security <>
Subject: Re: Stack smashing in libjpeg-turbo

A-ha, I was able to repro with ImageMagick + libjpeg-turbo 1.2.1.

Versions of libjpeg-turbo prior to 1.3.1 accept the file, while 1.3.1
rejects it outright due to duplicate SOI markers. This is probably
attributable to this change:

[4] Fixed a couple of issues whereby malformed JPEG images would cause
libjpeg-turbo to use uninitialized memory during decompression.

...which I think is related to CVE-2013-6629 and CVE-2013-6630. But I
haven't spent much time on it, so I'm not sure if that actually fixed
the underlying issue, or just made the file invalid for some unrelated

The fault is in:

#6  0x0066e504 in __stack_chk_fail_local () from /usr/lib/
#7  0x0063f9c7 in encode_mcu_huff (cinfo=0xbfffbbf0,
MCU_data=0xb49043f8) at jchuff.c:642 <- boop
#8  0x0063323f in compress_output (cinfo=0xbfffbbf0, input_buf=0x0) at
#9  0x00632b37 in jpeg_finish_compress (cinfo=0xbfffbbf0) at jcapimin.c:183
#10 0x08319773 in WriteJPEGImage ()
#11 0x0839c8aa in WriteImage ()
#12 0x0839d5f3 in WriteImages ()

FWIW, Debian bug is here:

Which points to:

The test case is at:

