Program received signal SIGILL, Illegal instruction. at jfif_load in jfif.c:170,171 #72

@ambrosecm

Description

When I used the jfif_load function to handle a specific input, the program received signal SIGILL, Illegal instruction, at jfif_load in jfif.c:170,171.

ffjpeg/src/jfif.c

Lines 137 to 173 in caade60

```c
void* jfif_load(char *file)
{
    JFIF *jfif = NULL;
    FILE *fp = NULL;
    int header = 0;
    int type = 0;
    int size = 0;
    BYTE *buf = NULL;
    BYTE *end = NULL;
    BYTE *dqt, *dht;
    int ret = -1;
    long offset = 0;
    int i;

    jfif = calloc(1, sizeof(JFIF));
    buf = calloc(1, 0x10000);
    end = buf + 0x10000;
    if (!jfif || !buf) goto done;

    fp = fopen(file, "rb");
    if (!fp) goto done;

    while (1) {
        do { header = fgetc(fp); } while (header != EOF && header != 0xff); // get header
        do { type = fgetc(fp); } while (type != EOF && type == 0xff);       // get type
        if (header == EOF || type == EOF) {
            printf("file eof !\n");
            break;
        }
        if ((type == 0xd8) || (type == 0xd9) || (type == 0x01) || (type >= 0xd0 && type <= 0xd7)) {
            size = 0;
        } else {
            size  = fgetc(fp) << 8;
            size |= fgetc(fp) << 0;
            size -= 2;
        }
```

The main reason is that there is no check on the parameters passed to the jfif_load function, and the fp is incorrectly assigned, leading to the Illegal instruction.

Test Environment

Ubuntu 22.04.1, 64bit
ffjpeg(master caade60)
program source file

How to trigger

Download the poc1 file, poc2 file, and program, and run the following cmd:

```shell
$ ./jfif_free ./poc1
$ ./jfif_free ./poc2
```

Detail

GDB report

```text
(gdb) r
Starting program: /home/ambrose/vsproject/HIMFuzz/harness/output/ffjpeg_deepseek24/crashes/jfif.c/jfif_load/jfif_free/jfif_free output/default/crashes/id:000019,sig:04,src:000189,time:1450278,execs:472767,op:havoc,rep:4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGILL, Illegal instruction.
0x0000555555669084 in jfif_load (file=0x7fffffffdeab "output/default/crashes/id:000019,sig:04,src:000189,time:1450278,execs:472767,op:havoc,rep:4") at /home/ambrose/vsproject/TestLib/ffjpeg/src/jfif.c:170
170                 size  = fgetc(fp) << 8;
(gdb) bt
#0  0x0000555555669084 in jfif_load (
    file=0x7fffffffdeab "output/default/crashes/id:000019,sig:04,src:000189,time:1450278,execs:472767,op:havoc,rep:4")
    at /home/ambrose/vsproject/TestLib/ffjpeg/src/jfif.c:170
#1  0x0000555555695e4b in main (argc=2, argv=0x7fffffffdae8)
    at output/ffjpeg_deepseek24/harness/code/jfif.c/jfif_load/jfif_free.c:22
(gdb) p fp
$1 = (FILE *) 0x7d4ff6e20300
(gdb) r
Starting program: /home/ambrose/vsproject/HIMFuzz/harness/output/ffjpeg_deepseek24/crashes/jfif.c/jfif_load/jfif_free/jfif_free output/default/crashes/id:000020,sig:04,src:000187,time:13717115,execs:4158014,op:havoc,rep:4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGILL, Illegal instruction.
0x0000555555669169 in jfif_load (file=0x7fffffffdea9 "output/default/crashes/id:000020,sig:04,src:000187,time:13717115,execs:4158014,op:havoc,rep:4") at /home/ambrose/vsproject/TestLib/ffjpeg/src/jfif.c:171
171                 size |= fgetc(fp) << 0;
(gdb) bt
#0  0x0000555555669169 in jfif_load (
    file=0x7fffffffdea9 "output/default/crashes/id:000020,sig:04,src:000187,time:13717115,execs:4158014,op:havoc,rep:4")
    at /home/ambrose/vsproject/TestLib/ffjpeg/src/jfif.c:171
#1  0x0000555555695e4b in main (argc=2, argv=0x7fffffffdae8)
    at output/ffjpeg_deepseek24/harness/code/jfif.c/jfif_load/jfif_free.c:22
(gdb) p fp
$1 = (FILE *) 0x7d4ff6e20300
```
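Both crash sites are the two lines in the excerpt above that shift the result of `fgetc(fp)` without first checking it for EOF, so a file that ends inside a segment's two-byte length field feeds EOF (-1) into a left shift, which is undefined behaviour in C. As an added example that is not part of the issue or of ffjpeg, here is a checked version of that marker-segment header read: the marker-scanning loop is the same as in `jfif_load`, but every `fgetc()` result is tested before it is shifted or combined, and a length smaller than the two bytes it counts is rejected instead of becoming a negative `size`. The `seg_status` codes, `read_segment_header`, `walk_segments`, `check_sample` and the three `SAMPLE_*` byte strings are all constructed for this example and are not the issue's poc files.

```c
/*
 * Added example (not ffjpeg code): an EOF-checked version of the
 * marker-segment header read from jfif_load. Sample inputs below are
 * constructed for this example, not the poc files from the issue.
 */
#include <stdio.h>

typedef enum { SEG_OK = 0, SEG_EOF = 1, SEG_BAD_LENGTH = 2 } seg_status;

/* Read the next marker type and payload size from fp.
 * Stand-alone markers (SOI, EOI, TEM, RSTn) carry no length field. */
static seg_status read_segment_header(FILE *fp, int *type, int *size)
{
    int header, c, hi, lo, len;

    /* Scan forward to the next 0xff, then past any 0xff fill bytes. */
    do { header = fgetc(fp); } while (header != EOF && header != 0xff);
    if (header == EOF) return SEG_EOF;
    do { c = fgetc(fp); } while (c != EOF && c == 0xff);
    if (c == EOF) return SEG_EOF;
    *type = c;

    if (c == 0xd8 || c == 0xd9 || c == 0x01 || (c >= 0xd0 && c <= 0xd7)) {
        *size = 0;
        return SEG_OK;
    }

    /* Both length bytes must be present before either one is used. */
    hi = fgetc(fp);
    lo = fgetc(fp);
    if (hi == EOF || lo == EOF) return SEG_EOF;   /* truncated inside length */

    len = (hi << 8) | lo;                  /* hi, lo are 0..255, never negative */
    if (len < 2) return SEG_BAD_LENGTH;    /* length counts its own two bytes */
    *size = len - 2;
    return SEG_OK;
}

/* Walk the segments of an in-memory byte string through a temporary FILE*
 * so the same fgetc-based logic is exercised. Returns the number of segment
 * headers parsed; *last receives the status that ended the walk. */
static int walk_segments(const unsigned char *data, size_t n, seg_status *last)
{
    FILE *fp = tmpfile();
    int type = 0, size = 0, count = 0, i;
    seg_status st = SEG_EOF;

    if (!fp) { *last = SEG_EOF; return -1; }
    if (n > 0 && fwrite(data, 1, n, fp) != n) { fclose(fp); *last = SEG_EOF; return -1; }
    rewind(fp);

    while ((st = read_segment_header(fp, &type, &size)) == SEG_OK) {
        count++;
        if (type == 0xd9) break;                       /* EOI ends the image */
        for (i = 0; i < size; i++) {                   /* consume the payload */
            if (fgetc(fp) == EOF) { st = SEG_EOF; break; }
        }
        if (st != SEG_OK) break;
    }
    fclose(fp);
    *last = st;
    return count;
}

/* Constructed inputs: a well-formed marker stream, one cut off inside the
 * APP0 length field, and one whose length field is smaller than 2. */
static const unsigned char SAMPLE_GOOD[] = {
    0xff, 0xd8,                          /* SOI */
    0xff, 0xe0, 0x00, 0x04, 'J', 'F',    /* APP0, length 4 => 2 payload bytes */
    0xff, 0xd9                           /* EOI */
};
static const unsigned char SAMPLE_TRUNC_LEN[] = { 0xff, 0xd8, 0xff, 0xe0, 0x00 };
static const unsigned char SAMPLE_BAD_LEN[]   = { 0xff, 0xd8, 0xff, 0xe0, 0x00, 0x01 };

/* Returns the segment count if the walk ended with the expected status, else -1. */
static int check_sample(const unsigned char *d, size_t n, seg_status expect)
{
    seg_status st;
    int count = walk_segments(d, n, &st);
    return st == expect ? count : -1;
}

int main(void)
{
    printf("good: %d segments\n",       check_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD, SEG_OK));
    printf("truncated: %d segments\n",  check_sample(SAMPLE_TRUNC_LEN, sizeof SAMPLE_TRUNC_LEN, SEG_EOF));
    printf("bad length: %d segments\n", check_sample(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, SEG_BAD_LENGTH));
    return 0;
}
```

The example stops at the segment-header level: it does not parse SOS entropy-coded data or any segment payload, which `jfif_load` goes on to do in the part of the function not quoted in the issue. Its point is only that a reader of a fuzzed or otherwise truncated file must fail closed at the exact lines the two GDB sessions above stop on.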
