Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 622 by jongr...@
gmail.com: BuildHuffmanTable check bounds of offset[] and sorted[] array
https://bugs.chromium.org/p/webp/issues/detail?id=622This is a suggestion, the code doesn't cover with 100% certainty that two arrays are not overrun.
I added a check at compiler time to check gcc could satisfy itself the index used to access offset[] and sorted[] array were never overrun, but the compiler couldn't. It's easy enough to add the check, so that is what I am proposing. Most 0-day exploits aren't known, it's safer just to defend against them than wait for them to occur.
The code is roughly from line 150 in webp_test/src/utils.c
1. I will attach a file which can be compared against latest git source to show the changes.
2. The change I added checks at *compile* time that the array is not overrun, in this situation the compiler can't figure out if the index will ever overrun.
3. In this case, a check on the index should be added, I put the example in
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
Latest git. Ubuntu GCC.
The output below includes my local changes. These are just my suggestions, to make the code bullet proof, 100% secure, the compiler is then 100% certain the index never overruns.
$ make -f makefile.unix
gcc -I. -Isrc/ -Wall -O3 -DNDEBUG -DWEBP_HAVE_PNG -DWEBP_HAVE_JPEG -DWEBP_HAVE_TIFF -I/usr/local/include -DWEBP_USE_THREAD -fvisibility=hidden -Wextra -Wold-style-definition -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -Wformat-security -Wformat-nonliteral -c src/utils/huffman_utils.c -o src/utils/huffman_utils.o
src/utils/huffman_utils.c: In function ‘BuildHuffmanTable’:
src/utils/huffman_utils.c:80:66: error: call to ‘_stop_compile’ declared with attribute error: build stopped
80 | #define compile_assert(condition, description) {if(!condition) { _stop_compile();}}
| ^~~~~~~~~~~~~~~
src/utils/huffman_utils.c:151:9: note: in expansion of macro ‘compile_assert’
151 | compile_assert((symbol_code_length<MAX_ALLOWED_CODE_LENGTH + 1), "index must be within the capacity of the offset array");
| ^~~~~~~~~~~~~~
src/utils/huffman_utils.c:80:66: error: call to ‘_stop_compile’ declared with attribute error: build stopped
80 | #define compile_assert(condition, description) {if(!condition) { _stop_compile();}}
| ^~~~~~~~~~~~~~~
src/utils/huffman_utils.c:146:9: note: in expansion of macro ‘compile_assert’
146 | compile_assert(((offset[symbol_code_length]+1)<MAX_ALLOWED_CODE_LENGTH + 1), "offset index must be within the capacity of the sorted array");
| ^~~~~~~~~~~~~~
make: *** [makefile.unix:397: src/utils/huffman_utils.o] Error 1
Wanted to run the fuzzer, it gave an error, happy to do so if someone can tell me how to.
$ make -C fuzzer -f makefile.unix
make: Entering directory '/home/jonny/code/webp/webp_test/tests/fuzzer'
clang -fsanitize=fuzzer -I../../src -I../.. -Wall -Wextra -c -o advanced_api_fuzzer.o advanced_api_fuzzer.c
make: *** No rule to make target '../../src/mux/libwebpmux.a', needed by 'advanced_api_fuzzer'. Stop.
Attachments:
huffman_utils.c 11.6 KB
--
You received this message because:
1. The project was configured to send all issue notifications to this address
You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings