This repository was archived by the owner on Feb 14, 2023. It is now read-only.

Integer Overflow at src/lepton/jpgcoder.cc:4160 #111

@hongxuchen

Description

We found with our fuzzer an integer overflow error inside read_ujpg from jpgcoder.cc when feeding lepton 3f6d98c with a crafted lep file.

POC:
https://github.com/ntu-sec/pocs/blob/master/lepton-3f6d98c/crashes/iof_jpgcoder.cc:4160_1.lep?raw=true

When running lepton -unjailed $POC /tmp/test.jpg, it outputs the messages:

lepton v1.0-1.2.1-171-g3f6d98c
START ACHIEVED 1531794366 328204
src/lepton/jpgcoder.cc:4160:83: runtime error: signed integer overflow: -1509949439 * 2 cannot be represented in type 'int'
Assert Failed: false && "Data not properly zlib coded" at (src/lepton/jpgcoder.cc:4162)

When running lepton $POC /tmp/test.jpg, it crashes with a message like:

lepton v1.0-1.2.1-171-g3f6d98c
=================================================================
[1]    97197 invalid system call  ~/FOT/lepton/lepton ./hbo_inflate.c:1170_2.lep
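As an added example (not code from this issue or from lepton), the pattern a defender would want at the reported site: a length field read from an untrusted header is doubled only after an explicit range check, so the operand the sanitizer flagged (-1509949439 * 2) is rejected as a malformed file instead of being evaluated. The little-endian header layout and the function names are assumptions; the page does not document the .lep format.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Read a 4-byte little-endian field as a signed int, the way a decoder
 * might pick up a length from an untrusted header (layout assumed). */
int read_le32_as_int(const unsigned char *p) {
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
               | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    int v;
    memcpy(&v, &u, sizeof v);   /* bit-copy; avoids an out-of-range cast */
    return v;
}

/* Double a length without ever evaluating an overflowing expression.
 * Returns false for negative inputs and for inputs whose doubling would
 * exceed INT_MAX, so the caller can reject the file instead of hitting
 * undefined behaviour. (__builtin_mul_overflow is an alternative on
 * GCC/Clang; this version is portable C.) */
bool checked_double(int len, int *out) {
    if (len < 0) return false;            /* a length from a file is never negative */
    if (len > INT_MAX / 2) return false;  /* 2 * len would not fit in int */
    *out = len * 2;
    return true;
}

/* Constructed header bytes: 0xA6000001 little-endian, which reads back as
 * -1509949439, the operand in the reported runtime error. */
static const unsigned char crafted_field[4] = {0x01, 0x00, 0x00, 0xA6};

/* Returns 1 if the crafted field is rejected by the checked path, 0 if not. */
int crafted_field_is_rejected(void) {
    int doubled = 0;
    int len = read_le32_as_int(crafted_field);
    return !checked_double(len, &doubled);
}
```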
