@br3aker br3aker commented Apr 13, 2022

Prerequisites

  • I have written a descriptive pull-request title
  • I have verified that there are no overlapping pull-requests open
  • I have verified that I am following the existing coding patterns and practice as demonstrated in the repository. These follow strict Stylecop rules 👮.
  • I have provided test coverage for my change (where applicable)

Description

Discussed at #2077. Now, before even trying to parse any JPEG marker, the decoder would check whether the input stream has enough bytes available, thus there's no need to check any stream.Read(...) call for its return value.

Closes #2085.

// to uint to avoid sign extension
if (stream.RemainingBytes < (uint)markerContentByteSize)
{
JpegThrowHelper.ThrowNotEnoughBytesForMarker(fileMarker.Marker);
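Review bot: the comment `// to uint to avoid sign extension` above the `stream.RemainingBytes < (uint)markerContentByteSize` check says what the cast does but not why it matters. If `markerContentByteSize` can be negative (for example from a declared length that is too small), a signed comparison against a wider integer type would let the negative size pass, while the cast turns it into a large value that ends in the throw. Suggest spelling that out in the comment, since the cast is what makes the check fail closed.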
Contributor Author

Note: this error message would contain the hex value of the marker. While we can map the byte to the ITU spec name, I don't think it's worth the effort.

@antonfirsov antonfirsov left a comment

Changes look good. Does it make sense to construct at least one faulty image with a hex editor for regression testing? (Ideally I would overflow the last - non SOS - marker in the file.)

br3aker commented Apr 13, 2022

> Changes look good. Does it make sense to construct at least one faulty image with a hex editor for regression testing? (Ideally I would overflow the last - non SOS - marker in the file.)

Sounds reasonable, will create one today.

br3aker commented Apr 13, 2022

@antonfirsov wow, the latest release version can actually fall into really dangerous code regions for malformed jpegs.

ver2.1 stacktrace for image from linked issue:

Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object.
   at SixLabors.ImageSharp.Formats.Jpeg.Components.Decoder.JpegComponentPostProcessor.CopyBlocksToColorBuffer(Int32 spectralStep) in D:\Programming\C#\ImageSharp\src\ImageSharp\Formats\Jpeg\Components\Decoder\JpegComponentPostProcessor.cs:line 88

New stacktrace:

Unhandled exception. SixLabors.ImageSharp.InvalidImageContentException: Input stream does not have enough bytes to parse declared contents of the C4 marker.
   at SixLabors.ImageSharp.Formats.Jpeg.JpegThrowHelper.ThrowNotEnoughBytesForMarker(Byte marker) in D:\Programming\C#\ImageSharp\src\ImageSharp\Formats\Jpeg\JpegThrowHelper.cs:line 29
   at SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.ParseStream(BufferedReadStream stream, HuffmanScanDecoder scanDecoder, CancellationToken cancellationToken) in D:\Programming\C#\ImageSharp\src\ImageSharp\Formats\Jpeg\JpegDecoderCore.cs:line 323

@antonfirsov
Member

> Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object.

Not that terrible, could be access violation 😆
Anyways, nice to have this under control, thanks!

@antonfirsov antonfirsov merged commit 5d0c684 into SixLabors:main Apr 14, 2022
@br3aker br3aker deleted the dp/jpeg-marker-validation branch April 15, 2022 05:20
@JimBobSquarePants JimBobSquarePants added this to the 2.1.1 milestone Apr 15, 2022
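
The pre-parse length check this pull request describes, as an added C# illustration rather than ImageSharp's own code: `SegmentChecker`, `Validate` and the sample bytes are hypothetical and constructed, and standalone markers without a length field are not handled. It assumes only the standard JPEG segment layout, in which the 16-bit length field counts its own two bytes.

```csharp
using System;
using System.IO;

// Added illustration; SegmentChecker and its names are hypothetical, not ImageSharp code.
static class SegmentChecker
{
    // Walks marker segments up to SOS (0xDA) or EOI (0xD9) and validates each declared
    // length against the bytes actually left in the stream before touching any content.
    public static void Validate(Stream s)
    {
        if (s.ReadByte() != 0xFF || s.ReadByte() != 0xD8)
            throw new InvalidDataException("Missing SOI marker.");

        while (s.Length - s.Position >= 4)
        {
            if (s.ReadByte() != 0xFF)
                throw new InvalidDataException("Expected a marker prefix (FF).");
            int marker = s.ReadByte();
            if (marker == 0xDA || marker == 0xD9)
                return; // SOS: entropy-coded data follows; EOI: end of image

            // The 16-bit big-endian length counts its own two bytes.
            int declared = (s.ReadByte() << 8) | s.ReadByte();
            int contentSize = declared - 2; // negative when declared < 2

            long remaining = s.Length - s.Position;
            // The uint cast turns a negative size into a huge value, so the check
            // fails closed instead of a sign-extended negative slipping past it.
            if (remaining < (uint)contentSize)
                throw new InvalidDataException(
                    $"Not enough bytes for declared contents of the {marker:X2} marker.");

            s.Seek(contentSize, SeekOrigin.Current);
        }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed input: SOI, then a DHT (C4) segment declaring 0x0100 bytes
        // while only three content bytes are present.
        byte[] truncated = { 0xFF, 0xD8, 0xFF, 0xC4, 0x01, 0x00, 0x00, 0x01, 0x02 };
        try { SegmentChecker.Validate(new MemoryStream(truncated)); }
        catch (InvalidDataException e) { Console.WriteLine(e.Message); }
    }
}
```

Changing the two length bytes to `0x00, 0x01` exercises the negative-size path, which is rejected by the same comparison.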
Development

Successfully merging this pull request may close these issues.

Jpeg decoder fails with NullReferenceException from malformed image
