
Found segmentation fault in Pillow #11

@glandium

Description

As I'm well past the fuzzing tests from #9, I'm filing separately, but it might be the same underlying problem.

This one happens during Tests/test_file_jpeg.py::TestFileJpeg::test_qtables:

#0  0x00007ffff7d7cfaf in unlink_chunk (p=p@entry=0x7fffe8011630, 
    av=0x7fffe8000030) at ./malloc/malloc.c:1622
#1  0x00007ffff7d7fdcd in _int_malloc (av=av@entry=0x7fffe8000030, 
    bytes=bytes@entry=512) at ./malloc/malloc.c:4303
#2  0x00007ffff7d816e2 in __libc_calloc (n=n@entry=1, 
    elem_size=<optimized out>) at ./malloc/malloc.c:3674
#3  0x00007ffff6ed2a73 in _setimage (decoder=0x4ac44180b40, 
    args=<optimized out>) at src/decode.c:204
#4  0x000055555564ff77 in method_vectorcall_VARARGS (func=0x4ac52040820, 
    args=0x7ffff74e0bd0, nargsf=<optimized out>, kwnames=0x0)
    at Objects/descrobject.c:324
#5  0x000055555563fbb3 in _PyObject_VectorcallTstate (kwnames=<optimized out>, 
    nargsf=<optimized out>, args=<optimized out>, callable=0x4ac52040820, 
    tstate=0x555555bc7280) at ./Include/internal/pycore_call.h:168
#6  PyObject_Vectorcall (callable=0x4ac52040820, args=<optimized out>, 
    nargsf=<optimized out>, kwnames=<optimized out>) at Objects/call.c:327
#7  0x00005555555d60d2 in _PyEval_EvalFrameDefault (tstate=0x7fffe8011630, 
    frame=0x10000040, throwflag=-402652448) at Python/generated_cases.c.h:813
#8  0x0000555555642e36 in _PyObject_VectorcallTstate (kwnames=0x4ac440241c0, 
    nargsf=3, args=0x4ac440a0690, callable=0x4ac40411ae0, 
    tstate=0x555555bc7280) at ./Include/internal/pycore_call.h:168
#9  method_vectorcall (method=<optimized out>, args=0x4ac440a0698, 
    nargsf=<optimized out>, kwnames=0x4ac440241c0) at Objects/classobject.c:62
#10 0x0000555555641285 in _PyVectorcall_Call (tstate=0x555555bc7280, 
    func=0x555555642cd0 <method_vectorcall>, callable=0x4ac44025900, 
    tuple=<optimized out>, kwargs=<optimized out>) at Objects/call.c:285
#11 0x00005555555d5903 in _PyEval_EvalFrameDefault (tstate=0x7fffe8011630, 
    frame=0x10000040, throwflag=-402652448) at Python/generated_cases.c.h:1355
#12 0x0000555555642e36 in _PyObject_VectorcallTstate (kwnames=0x4ac44025080, 
    nargsf=2, args=0x4ac44080d80, callable=0x4ac3fa53b60, 
    tstate=0x555555bc7280) at ./Include/internal/pycore_call.h:168
#13 method_vectorcall (method=<optimized out>, args=0x4ac44080d88, 
    nargsf=<optimized out>, kwnames=0x4ac44025080) at Objects/classobject.c:62
#14 0x0000555555641285 in _PyVectorcall_Call (tstate=0x555555bc7280, 
    func=0x555555642cd0 <method_vectorcall>, callable=0x4ac44025e80, 
    tuple=<optimized out>, kwargs=<optimized out>) at Objects/call.c:285
#15 0x00005555555d5903 in _PyEval_EvalFrameDefault (tstate=0x7fffe8011630, 
    frame=0x10000040, throwflag=-402652448) at Python/generated_cases.c.h:1355
#16 0x0000555555642e36 in _PyObject_VectorcallTstate (kwnames=0x4ac440300f0, 
    nargsf=1, args=0x4ac44090c80, callable=0x4ac3fa556e0, 
    tstate=0x555555bc7280) at ./Include/internal/pycore_call.h:168
#17 method_vectorcall (method=<optimized out>, args=0x4ac44090c88, 

The fact that the crash happens in system malloc suggests something really bad is happening.
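A crash whose top frame is inside glibc's allocator (here `unlink_chunk` under `_int_malloc`) is usually the allocator tripping over heap metadata that earlier code has already corrupted, so the faulting frame is not the bug location. The script below is an added triage example, not Pillow's code or anything from the reporter: it parses a gdb backtrace, checks whether the faulting frame sits in allocator internals, and reports the first frame belonging to the project. The sample trace is an abbreviated copy of the frames quoted above; the second, "direct" trace is constructed. The `src/` project prefix and the list of allocator function names are assumptions for illustration.

```python
"""Triage a gdb backtrace: flag crashes that surface inside the glibc
allocator (a heap-corruption signal) and locate the first project frame.

Added example; not Pillow's code. The allocator function list and the
"src/" project prefix are assumptions chosen for this illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# "#N  0x... in func (" or, for inlined frames, "#N  func (".
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>[A-Za-z_]\w*)")
# "at file:line" may sit on the frame line or on a continuation line.
LOC_RE = re.compile(r"\bat (?P<file>[^\s:]+):(?P<line>\d+)")

# glibc malloc internals (assumed list): a fault here almost always means
# earlier code corrupted heap metadata, not that malloc itself is buggy.
ALLOCATOR_FUNCS = {
    "unlink_chunk", "_int_malloc", "_int_free", "_int_realloc",
    "malloc_consolidate", "__libc_malloc", "__libc_calloc", "__libc_free",
}
ALLOCATOR_FILES = ("malloc/malloc.c",)


@dataclass
class Frame:
    num: int
    func: str
    file: Optional[str] = None
    line: Optional[int] = None


def parse_backtrace(text: str) -> list:
    """Return Frame objects in gdb order (frame #0 first)."""
    frames, current = [], None
    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            current = Frame(int(m.group("num")), m.group("func"))
            frames.append(current)
        # Attach the first "at file:line" seen for the current frame.
        if current is not None and current.file is None:
            loc = LOC_RE.search(raw)
            if loc:
                current.file = loc.group("file")
                current.line = int(loc.group("line"))
    return frames


def is_allocator_frame(frame: Frame) -> bool:
    path = frame.file or ""
    return frame.func in ALLOCATOR_FUNCS or any(f in path for f in ALLOCATOR_FILES)


def first_project_frame(frames: list, project_prefix: str) -> Optional[Frame]:
    for f in frames:
        if f.file and f.file.startswith(project_prefix):
            return f
    return None


def triage(text: str, project_prefix: str = "src/") -> dict:
    """Classify a backtrace and point at the nearest project frame."""
    frames = parse_backtrace(text)
    if not frames:
        return {"verdict": "no-frames", "faulting": None,
                "allocator_depth": 0, "project_frame": None}
    depth = 0
    for f in frames:            # count allocator frames from the top down
        if not is_allocator_frame(f):
            break
        depth += 1
    proj = first_project_frame(frames, project_prefix)
    return {
        "verdict": "heap-corruption-suspected" if depth else "crash-in-code",
        "faulting": frames[0].func,
        "allocator_depth": depth,
        "project_frame": f"{proj.func} {proj.file}:{proj.line}" if proj else None,
    }


# Abbreviated copy of the frames quoted in the report above.
SAMPLE_MALLOC_CRASH = """\
#0  0x00007ffff7d7cfaf in unlink_chunk (p=p@entry=0x7fffe8011630, 
    av=0x7fffe8000030) at ./malloc/malloc.c:1622
#1  0x00007ffff7d7fdcd in _int_malloc (av=av@entry=0x7fffe8000030, 
    bytes=bytes@entry=512) at ./malloc/malloc.c:4303
#2  0x00007ffff7d816e2 in __libc_calloc (n=n@entry=1, 
    elem_size=<optimized out>) at ./malloc/malloc.c:3674
#3  0x00007ffff6ed2a73 in _setimage (decoder=0x4ac44180b40, 
    args=<optimized out>) at src/decode.c:204
#4  0x000055555564ff77 in method_vectorcall_VARARGS (func=0x4ac52040820, 
    args=0x7ffff74e0bd0, nargsf=<optimized out>, kwnames=0x0)
    at Objects/descrobject.c:324
"""

# Constructed contrast case: the fault is raised directly in project code.
SAMPLE_DIRECT_CRASH = """\
#0  0x00007ffff6ed2a73 in _setimage (decoder=0x0, args=<optimized out>)
    at src/decode.c:204
#1  PyObject_Vectorcall (callable=0x4ac52040820, args=<optimized out>,
    nargsf=<optimized out>, kwnames=<optimized out>) at Objects/call.c:327
"""

if __name__ == "__main__":
    for name, trace in (("malloc", SAMPLE_MALLOC_CRASH), ("direct", SAMPLE_DIRECT_CRASH)):
        print(name, triage(trace))
```

When the verdict is `heap-corruption-suspected`, treat the reported project frame (`_setimage` at `src/decode.c:204`) as the point where corruption was detected rather than where it was introduced; the allocation that faults can be far from the write that damaged the heap. Rebuilding the extension with AddressSanitizer (`-fsanitize=address`) or running with glibc's `MALLOC_CHECK_` set usually moves the failure to the offending write, which is the lead worth following.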
