Closed
Hi Mozilla Team,
Through some fuzzing with AFL I found that cjpeg from mozjpeg 2.1 dies with SIGFPE on this 40-byte input file. Despite the name, the file is not handled by the JPEG path: the backtrace below goes through start_input_tga in rdtarga.c, i.e. cjpeg selected its Targa (TGA) loader for it. The TGA header declares an image width of 0 (`width = 0` in frame #1), that value reaches alloc_sarray as samplesperrow, and jmemmgr.c:435 divides by it (`div %rbp` with rbp == 0 in the register dump). So this is an unchecked integer divide-by-zero on a header field taken straight from the input — a crash/denial-of-service rather than memory corruption, as far as I can tell — and the missing check appears to belong in rdtarga.c's header validation (rejecting a zero width/height before any buffer is sized), since alloc_sarray in libjpeg simply trusts the dimensions its caller passes.
GitHub wouldn't let me attach it (oops), so the sample is hosted externally:
Source file: https://www.dropbox.com/s/rvrdv6s4h64aouw/d8f13910?dl=0
(Since it is only 40 bytes, an inline hex dump would keep this report reproducible if that link ever goes away.)
To reproduce:
cjpeg -quality 50 -outfile /dev/null d8f13910
gdb output (from the core dump; note this is an AFL-instrumented build — see the `__afl_maybe_log` call in the disassembly — so addresses and function offsets will differ from a stock build):
**
** Process info for ../../.libs/lt-cjpeg - ./core-lt-cjpeg16899-1419862822
** Generated Mon Dec 29 08:20:33 CST 2014
**
** -rwxrwxr-x 1 jodicun jodicun 248316 Dec 28 16:17 ../../.libs/lt-cjpeg
** -rw------- 1 jodicun jodicun 421888 Dec 29 08:20 ./core-lt-cjpeg16899-1419862822
**
[New LWP 16899]
Core was generated by `/home/jodicun/opt/mozjpeg-2.1/.libs/lt-cjpeg -quality 50 -outfile /dev/null ../'.
Program terminated with signal SIGFPE, Arithmetic exception.
#0 alloc_sarray (cinfo=0x7fffffffcd30, pool_id=1, samplesperrow=<optimized out>, numrows=1) at jmemmgr.c:435
435 ltemp = (MAX_ALLOC_CHUNK-SIZEOF(large_pool_hdr)) /
#0 alloc_sarray (cinfo=0x7fffffffcd30, pool_id=1, samplesperrow=<optimized out>, numrows=1) at jmemmgr.c:435
#1 0x0000000000415088 in start_input_tga (cinfo=0x7fffffffcd30, sinfo=0x61c8c0) at rdtarga.c:438
#2 0x0000000000401dd9 in main (argc=6, argv=0x7fffffffe098) at cjpeg.c:685
#3 0x00007ffff76c8ec5 in __libc_start_main (main=0x401620 <main>, argc=6, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at libc-start.c:287
#4 0x0000000000402d9d in _start ()
exe = '/home/jodicun/opt/mozjpeg-2.1/.libs/lt-cjpeg -quality 50 -outfile /dev/null ../'
*
* Libraries
*
From To Syms Read Shared Object Library
0x00007ffff7a71020 0x00007ffff7baeb90 Yes /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff76c64a0 0x00007ffff780c003 Yes /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff73a6610 0x00007ffff74151b6 Yes /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff7ddaae0 0x00007ffff7df54e0 Yes /lib64/ld-linux-x86-64.so.2
*
* Memory map
*
Symbols from "/home/jodicun/opt/mozjpeg-2.1/.libs/lt-cjpeg".
Local core dump file:
`/home/jodicun/opt/mozjpeg-2.1/out20141228/cores/./core-lt-cjpeg16899-1419862822', file type elf64-x86-64.
0x0000000000400000 - 0x0000000000401000 is load1a
0x0000000000401000 - 0x0000000000401000 is load1b
0x0000000000619000 - 0x000000000061a000 is load2
0x000000000061a000 - 0x000000000061b000 is load3
0x000000000061b000 - 0x000000000063c000 is load4
0x00007ffff73a1000 - 0x00007ffff73a2000 is load5a
0x00007ffff73a2000 - 0x00007ffff73a2000 is load5b
0x00007ffff74a6000 - 0x00007ffff74a6000 is load6
0x00007ffff76a5000 - 0x00007ffff76a6000 is load7
0x00007ffff76a6000 - 0x00007ffff76a7000 is load8
0x00007ffff76a7000 - 0x00007ffff76a8000 is load9a
0x00007ffff76a8000 - 0x00007ffff76a8000 is load9b
0x00007ffff7862000 - 0x00007ffff7862000 is load10
0x00007ffff7a62000 - 0x00007ffff7a66000 is load11
0x00007ffff7a66000 - 0x00007ffff7a68000 is load12
0x00007ffff7a68000 - 0x00007ffff7a6d000 is load13
0x00007ffff7a6d000 - 0x00007ffff7a6e000 is load14a
0x00007ffff7a6e000 - 0x00007ffff7a6e000 is load14b
0x00007ffff7bd8000 - 0x00007ffff7bd8000 is load15
0x00007ffff7dd8000 - 0x00007ffff7dd9000 is load16
0x00007ffff7dd9000 - 0x00007ffff7dda000 is load17
0x00007ffff7dda000 - 0x00007ffff7ddb000 is load18a
0x00007ffff7ddb000 - 0x00007ffff7ddb000 is load18b
0x00007ffff7fe9000 - 0x00007ffff7fec000 is load19
0x00007ffff7ff7000 - 0x00007ffff7ffa000 is load20
0x00007ffff7ffa000 - 0x00007ffff7ffc000 is load21
0x00007ffff7ffc000 - 0x00007ffff7ffd000 is load22
0x00007ffff7ffd000 - 0x00007ffff7ffe000 is load23
0x00007ffff7ffe000 - 0x00007ffff7fff000 is load24
0x00007ffffffdd000 - 0x00007ffffffff000 is load25
0xffffffffff600000 - 0xffffffffff601000 is load26
Local exec file:
`/home/jodicun/opt/mozjpeg-2.1/.libs/lt-cjpeg', file type elf64-x86-64.
Entry point: 0x402d74
0x0000000000400238 - 0x0000000000400254 is .interp
0x0000000000400254 - 0x0000000000400274 is .note.ABI-tag
0x0000000000400274 - 0x0000000000400298 is .note.gnu.build-id
0x0000000000400298 - 0x00000000004002d4 is .gnu.hash
0x00000000004002d8 - 0x0000000000400890 is .dynsym
0x0000000000400890 - 0x0000000000400c7e is .dynstr
0x0000000000400c7e - 0x0000000000400cf8 is .gnu.version
0x0000000000400cf8 - 0x0000000000400d98 is .gnu.version_r
0x0000000000400d98 - 0x0000000000400df8 is .rela.dyn
0x0000000000400df8 - 0x00000000004012c0 is .rela.plt
0x00000000004012c0 - 0x00000000004012da is .init
0x00000000004012e0 - 0x0000000000401620 is .plt
0x0000000000401620 - 0x0000000000416b72 is .text
0x0000000000416b74 - 0x0000000000416b7d is .fini
0x0000000000416b80 - 0x0000000000418340 is .rodata
0x0000000000418340 - 0x00000000004184e4 is .eh_frame_hdr
0x00000000004184e8 - 0x0000000000418fec is .eh_frame
0x0000000000619df0 - 0x0000000000619df8 is .init_array
0x0000000000619df8 - 0x0000000000619e00 is .fini_array
0x0000000000619e00 - 0x0000000000619e08 is .jcr
0x0000000000619e08 - 0x0000000000619ff8 is .dynamic
0x0000000000619ff8 - 0x000000000061a000 is .got
0x000000000061a000 - 0x000000000061a1b0 is .got.plt
0x000000000061a1b0 - 0x000000000061a1d0 is .data
0x000000000061a1d0 - 0x000000000061a348 is .bss
0x00007ffff7a6d1c8 - 0x00007ffff7a6d1ec is .note.gnu.build-id in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a6d1f0 - 0x00007ffff7a6d608 is .gnu.hash in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a6d608 - 0x00007ffff7a6e508 is .dynsym in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a6e508 - 0x00007ffff7a6efc8 is .dynstr in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a6efc8 - 0x00007ffff7a6f108 is .gnu.version in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a6f108 - 0x00007ffff7a6f15c is .gnu.version_d in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a6f160 - 0x00007ffff7a6f1e0 is .gnu.version_r in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a6f1e0 - 0x00007ffff7a70230 is .rela.dyn in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a70230 - 0x00007ffff7a70a70 is .rela.plt in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a70a70 - 0x00007ffff7a70a8a is .init in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a70a90 - 0x00007ffff7a71020 is .plt in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7a71020 - 0x00007ffff7baeb90 is .text in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7baeb90 - 0x00007ffff7baeb99 is .fini in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7baeba0 - 0x00007ffff7bd1f90 is .rodata in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7bd1f90 - 0x00007ffff7bd2b0c is .eh_frame_hdr in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7bd2b10 - 0x00007ffff7bd7b54 is .eh_frame in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd8878 - 0x00007ffff7dd8880 is .init_array in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd8880 - 0x00007ffff7dd8888 is .fini_array in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd8888 - 0x00007ffff7dd8890 is .jcr in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd88a0 - 0x00007ffff7dd8ca0 is .data.rel.ro in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd8ca0 - 0x00007ffff7dd8ea0 is .dynamic in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd8ea0 - 0x00007ffff7dd9000 is .got in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd9000 - 0x00007ffff7dd92d8 is .got.plt in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd92d8 - 0x00007ffff7dd92e0 is .data in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff7dd92e0 - 0x00007ffff7dd9910 is .bss in /home/jodicun/opt/mozjpeg-2.1/.libs/libjpeg.so.62
0x00007ffff76a7270 - 0x00007ffff76a7294 is .note.gnu.build-id in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76a7294 - 0x00007ffff76a72b4 is .note.ABI-tag in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76a72b8 - 0x00007ffff76aad24 is .gnu.hash in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76aad28 - 0x00007ffff76b7d78 is .dynsym in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76b7d78 - 0x00007ffff76bd64e is .dynstr in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76bd64e - 0x00007ffff76be7aa is .gnu.version in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76be7b0 - 0x00007ffff76beadc is .gnu.version_d in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76beae0 - 0x00007ffff76beb10 is .gnu.version_r in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76beb10 - 0x00007ffff76c62b0 is .rela.dyn in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76c62b0 - 0x00007ffff76c63d0 is .rela.plt in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76c63d0 - 0x00007ffff76c64a0 is .plt in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff76c64a0 - 0x00007ffff780c003 is .text in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff780c010 - 0x00007ffff780da0d is __libc_freeres_fn in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff780da10 - 0x00007ffff780dc92 is __libc_thread_freeres_fn in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff780dca0 - 0x00007ffff782f9b0 is .rodata in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff782f9b0 - 0x00007ffff782f9cc is .interp in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff782f9cc - 0x00007ffff78360d0 is .eh_frame_hdr in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff78360d0 - 0x00007ffff785e424 is .eh_frame in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff785e424 - 0x00007ffff785e7ed is .gcc_except_table in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff785e7f0 - 0x00007ffff7861a94 is .hash in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a62740 - 0x00007ffff7a62750 is .tdata in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a62750 - 0x00007ffff7a627f0 is .tbss in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a62750 - 0x00007ffff7a62760 is .init_array in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a62760 - 0x00007ffff7a62850 is __libc_subfreeres in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a62850 - 0x00007ffff7a62858 is __libc_atexit in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a62858 - 0x00007ffff7a62878 is __libc_thread_subfreeres in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a62880 - 0x00007ffff7a65ba0 is .data.rel.ro in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a65ba0 - 0x00007ffff7a65d80 is .dynamic in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a65d80 - 0x00007ffff7a65ff8 is .got in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a66000 - 0x00007ffff7a66078 is .got.plt in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a66080 - 0x00007ffff7a678a0 is .data in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7a678a0 - 0x00007ffff7a6c2c0 is .bss in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff73a1238 - 0x00007ffff73a125c is .note.gnu.build-id in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a125c - 0x00007ffff73a127c is .note.ABI-tag in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a1280 - 0x00007ffff73a274c is .gnu.hash in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a2750 - 0x00007ffff73a4f10 is .dynsym in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a4f10 - 0x00007ffff73a5be4 is .dynstr in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a5be4 - 0x00007ffff73a5f34 is .gnu.version in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a5f38 - 0x00007ffff73a5fdc is .gnu.version_d in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a5fe0 - 0x00007ffff73a6010 is .gnu.version_r in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a6010 - 0x00007ffff73a6130 is .rela.dyn in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a6130 - 0x00007ffff73a6400 is .rela.plt in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a6400 - 0x00007ffff73a641a is .init in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a6420 - 0x00007ffff73a6610 is .plt in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff73a6610 - 0x00007ffff74151b6 is .text in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff74151b8 - 0x00007ffff74151c1 is .fini in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff74151e0 - 0x00007ffff749d064 is .rodata in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff749d070 - 0x00007ffff749d08c is .interp in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff749d08c - 0x00007ffff749e2f8 is .eh_frame_hdr in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff749e2f8 - 0x00007ffff74a409c is .eh_frame in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff74a40a0 - 0x00007ffff74a542c is .hash in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff76a5d90 - 0x00007ffff76a5d98 is .init_array in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff76a5d98 - 0x00007ffff76a5da0 is .fini_array in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff76a5da0 - 0x00007ffff76a5da8 is .jcr in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff76a5da8 - 0x00007ffff76a5fb8 is .dynamic in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff76a5fb8 - 0x00007ffff76a6000 is .got in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff76a6000 - 0x00007ffff76a6108 is .got.plt in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff76a6108 - 0x00007ffff76a611c is .data in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff76a6120 - 0x00007ffff76a6168 is .bss in /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff7dda1c8 - 0x00007ffff7dda1ec is .note.gnu.build-id in /lib64/ld-linux-x86-64.so.2
0x00007ffff7dda1f0 - 0x00007ffff7dda2ac is .hash in /lib64/ld-linux-x86-64.so.2
0x00007ffff7dda2b0 - 0x00007ffff7dda38c is .gnu.hash in /lib64/ld-linux-x86-64.so.2
0x00007ffff7dda390 - 0x00007ffff7dda630 is .dynsym in /lib64/ld-linux-x86-64.so.2
0x00007ffff7dda630 - 0x00007ffff7dda7c4 is .dynstr in /lib64/ld-linux-x86-64.so.2
0x00007ffff7dda7c4 - 0x00007ffff7dda7fc is .gnu.version in /lib64/ld-linux-x86-64.so.2
0x00007ffff7dda800 - 0x00007ffff7dda8a4 is .gnu.version_d in /lib64/ld-linux-x86-64.so.2
0x00007ffff7dda8a8 - 0x00007ffff7dda9e0 is .rela.dyn in /lib64/ld-linux-x86-64.so.2
0x00007ffff7dda9e0 - 0x00007ffff7ddaa70 is .rela.plt in /lib64/ld-linux-x86-64.so.2
0x00007ffff7ddaa70 - 0x00007ffff7ddaae0 is .plt in /lib64/ld-linux-x86-64.so.2
0x00007ffff7ddaae0 - 0x00007ffff7df54e0 is .text in /lib64/ld-linux-x86-64.so.2
0x00007ffff7df54e0 - 0x00007ffff7df97e0 is .rodata in /lib64/ld-linux-x86-64.so.2
0x00007ffff7df97e0 - 0x00007ffff7df9e1c is .eh_frame_hdr in /lib64/ld-linux-x86-64.so.2
0x00007ffff7df9e20 - 0x00007ffff7dfc178 is .eh_frame in /lib64/ld-linux-x86-64.so.2
0x00007ffff7ffcc00 - 0x00007ffff7ffce6c is .data.rel.ro in /lib64/ld-linux-x86-64.so.2
0x00007ffff7ffce70 - 0x00007ffff7ffcfe0 is .dynamic in /lib64/ld-linux-x86-64.so.2
0x00007ffff7ffcfe0 - 0x00007ffff7ffcff8 is .got in /lib64/ld-linux-x86-64.so.2
0x00007ffff7ffd000 - 0x00007ffff7ffd048 is .got.plt in /lib64/ld-linux-x86-64.so.2
0x00007ffff7ffd060 - 0x00007ffff7ffdfe4 is .data in /lib64/ld-linux-x86-64.so.2
0x00007ffff7ffe000 - 0x00007ffff7ffe1c8 is .bss in /lib64/ld-linux-x86-64.so.2
*
* Registers
*
rax 0x3b9ac9e8 999999976
rbx 0x100 256
rcx 0x1 1
rdx 0x0 0
rsi 0x1 1
rdi 0x7fffffffcd30 140737488342320
rbp 0x0 0x0
rsp 0x7fffffffcbb8 0x7fffffffcbb8
r8 0x7fffffffcc80 140737488342144
r9 0x0 0
r10 0x7fffffffcc80 140737488342144
r11 0x100 256
r12 0x58 88
r13 0x0 0
r14 0x7fffffffcd30 140737488342320
r15 0x0 0
rip 0x7ffff7b8c043 0x7ffff7b8c043 <alloc_sarray+27>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
*
* Current instructions
*
=> 0x7ffff7b8c043 <alloc_sarray+27>: div %rbp
0x7ffff7b8c046 <alloc_sarray+30>: sub $0x28,%rsp
0x7ffff7b8c04a <alloc_sarray+34>: mov 0x8(%rdi),%rbx
0x7ffff7b8c04e <alloc_sarray+38>: mov %esi,0xc(%rsp)
0x7ffff7b8c052 <alloc_sarray+42>: mov %ecx,0x8(%rsp)
0x7ffff7b8c056 <alloc_sarray+46>: test %rax,%rax
0x7ffff7b8c059 <alloc_sarray+49>: je 0x7ffff7b8c9e0 <alloc_sarray+2488>
0x7ffff7b8c05f <alloc_sarray+55>: nop
0x7ffff7b8c060 <alloc_sarray+56>: lea -0x98(%rsp),%rsp
0x7ffff7b8c068 <alloc_sarray+64>: mov %rdx,(%rsp)
0x7ffff7b8c06c <alloc_sarray+68>: mov %rcx,0x8(%rsp)
0x7ffff7b8c071 <alloc_sarray+73>: mov %rax,0x10(%rsp)
0x7ffff7b8c076 <alloc_sarray+78>: mov $0x145f,%rcx
0x7ffff7b8c07d <alloc_sarray+85>: callq 0x7ffff7b8eed0 <__afl_maybe_log>
0x7ffff7b8c082 <alloc_sarray+90>: mov (%rsp),%rdx
0x7ffff7b8c086 <alloc_sarray+94>: mov 0x8(%rsp),%rcx
*
* Threads (full)
*
Id Target Id Frame
* 1 LWP 16899 alloc_sarray (cinfo=0x7fffffffcd30, pool_id=1, samplesperrow=<optimized out>, numrows=1) at jmemmgr.c:435
#0 alloc_sarray (cinfo=0x7fffffffcd30, pool_id=1, samplesperrow=<optimized out>, numrows=1) at jmemmgr.c:435
#1 0x0000000000415088 in start_input_tga (cinfo=0x7fffffffcd30, sinfo=0x61c8c0) at rdtarga.c:438
#2 0x0000000000401dd9 in main (argc=6, argv=0x7fffffffe098) at cjpeg.c:685
#3 0x00007ffff76c8ec5 in __libc_start_main (main=0x401620 <main>, argc=6, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at libc-start.c:287
#4 0x0000000000402d9d in _start ()
Thread 1 (LWP 16899):
#0 alloc_sarray (cinfo=0x7fffffffcd30, pool_id=1, samplesperrow=<optimized out>, numrows=1) at jmemmgr.c:435
mem = <optimized out>
result = <optimized out>
workspace = <optimized out>
rowsperchunk = <optimized out>
currow = <optimized out>
i = <optimized out>
#1 0x0000000000415088 in start_input_tga (cinfo=0x7fffffffcd30, sinfo=0x61c8c0) at rdtarga.c:438
targaheader = "\000\001\002\000\000X\000\020\000\000\377\354\000\000\000\001\020 "
idlen = 0
cmaptype = <optimized out>
subtype = <optimized out>
flags = <optimized out>
interlace_type = <optimized out>
components = 3
width = 0
height = <optimized out>
is_bottom_up = <optimized out>
#2 0x0000000000401dd9 in main (argc=6, argv=0x7fffffffe098) at cjpeg.c:685
cinfo = {err = 0x7fffffffcc80, mem = 0x61b010, progress = 0x0, client_data = 0x0, is_decompressor = 0, global_state = 100, dest = 0x0, image_width = 0, image_height = 0, input_components = 0, in_color_space = JCS_RGB, input_gamma = 1, data_precision = 8, num_components = 3, jpeg_color_space = JCS_YCbCr, comp_info = 0x61b0e0, quant_tbl_ptrs = {0x61b4a0, 0x61b530, 0x0, 0x0}, dc_huff_tbl_ptrs = {0x61b5c0, 0x61b800, 0x0, 0x0}, ac_huff_tbl_ptrs = {0x61b6e0, 0x61b920, 0x0, 0x0}, arith_dc_L = '\000' <repeats 15 times>, arith_dc_U = '\001' <repeats 16 times>, arith_ac_K = '\005' <repeats 16 times>, num_scans = 64, scan_info = 0x61bb10, raw_data_in = 0, arith_code = 0, optimize_coding = 1, CCIR601_sampling = 0, smoothing_factor = 0, dct_method = JDCT_ISLOW, use_moz_defaults = 1, optimize_scans = 1, one_dc_scan = 1, trellis_quant = 1, trellis_eob_opt = 0, use_flat_quant_tbl = 0, use_lambda_weight_tbl = 1, use_scans_in_trellis = 0, trellis_passes = 0, trellis_q_opt = 0, norm_src = {{0 <repeats 64 times>}, {0 <repeats 64 times>}, {0 <repeats 64 times>}, {0 <repeats 64 times>}}, norm_coef = {{0 <repeats 64 times>}, {0 <repeats 64 times>}, {0 <repeats 64 times>}, {0 <repeats 64 times>}}, trellis_freq_split = 8, trellis_num_loops = 1, num_scans_luma = 23, num_scans_luma_dc = 1, num_scans_chroma_dc = 3, num_frequency_splits = 5, Al_max_luma = 3, Al_max_chroma = 2, lambda_log_scale1 = 16, lambda_log_scale2 = 15.5, restart_interval = 0, restart_in_rows = 0, write_JFIF_header = 1, JFIF_major_version = 1 '\001', JFIF_minor_version = 1 '\001', density_unit = 0 '\000', X_density = 1, Y_density = 1, write_Adobe_marker = 0, next_scanline = 0, progressive_mode = 0, max_h_samp_factor = 0, max_v_samp_factor = 0, total_iMCU_rows = 0, comps_in_scan = 0, cur_comp_info = {0x0, 0x0, 0x0, 0x0}, MCUs_per_row = 0, MCU_rows_in_scan = 0, blocks_in_MCU = 0, MCU_membership = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, Ss = 0, Se = 0, Ah = 0, Al = 0, master = 0x0, main = 0x0, prep = 0x0, coef = 0x0, marker = 0x0, 
cconvert = 0x0, downsample = 0x0, fdct = 0x0, entropy = 0x0, script_space = 0x61bb10, script_space_size = 64}
jerr = {error_exit = 0x7ffff7b6b3e0 <error_exit>, emit_message = 0x7ffff7b6ac00 <emit_message>, output_message = 0x7ffff7b6b2c0 <output_message>, format_message = 0x7ffff7b6ae40 <format_message>, reset_error_mgr = 0x7ffff7b6adf0 <reset_error_mgr>, msg_code = 1036, msg_parm = {i = {0, 256, 0, 0, 0, 0, 0, 0}, s = "\000\000\000\000\000\001", '\000' <repeats 73 times>}, trace_level = 0, num_warnings = 0, jpeg_message_table = 0x7ffff7dd88a0 <jpeg_std_message_table>, last_jpeg_message = 126, addon_message_table = 0x417d00 <cdjpeg_message_table>, first_addon_message = 1000, last_addon_message = 1044}
file_index = <optimized out>
input_file = 0x61c420
output_file = 0x61c660
outbuffer = 0x0
outsize = 0
num_scanlines = <optimized out>
#3 0x00007ffff76c8ec5 in __libc_start_main (main=0x401620 <main>, argc=6, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at libc-start.c:287
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5334988661540655246, 4205940, 140737488347280, 0, 0, 5334988660462972786, 5335005021557485426}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x416b00 <__libc_csu_init>, 0x7fffffffe098}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4287232}}}
not_first_call = <optimized out>
#4 0x0000000000402d9d in _start ()
No symbol table info available.
*
* Threads (basic)
*
Id Target Id Frame
* 1 LWP 16899 alloc_sarray (cinfo=0x7fffffffcd30, pool_id=1, samplesperrow=<optimized out>, numrows=1) at jmemmgr.c:435
Thread 1 (LWP 16899):
#0 alloc_sarray (cinfo=0x7fffffffcd30, pool_id=1, samplesperrow=<optimized out>, numrows=1) at jmemmgr.c:435
#1 0x0000000000415088 in start_input_tga (cinfo=0x7fffffffcd30, sinfo=0x61c8c0) at rdtarga.c:438
#2 0x0000000000401dd9 in main (argc=6, argv=0x7fffffffe098) at cjpeg.c:685
#3 0x00007ffff76c8ec5 in __libc_start_main (main=0x401620 <main>, argc=6, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at libc-start.c:287
#4 0x0000000000402d9d in _start ()
*
* Done
*
System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
Found with the fuzzer American Fuzzy Lop ( http://lcamtuf.coredump.cx/afl/ )