OSS-Fuzz has discovered a floating-point exception (SIGFPE) in JasPer code and created issue 518165249. The input format is forced to "JPC", so auto-detection of the format is overridden. The build type is 'asan_i386', so this is a 32-bit x86 build with AddressSanitizer.
This is the console output and stack trace information from the OSS-Fuzz report:
warning: trailing garbage in marker segment (24 bytes)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==251==ERROR: AddressSanitizer: FPE on unknown address 0x5712f512 (pc 0x5712f512 bp 0xffb2ada8 sp 0xffb2acd0 T0)
#0 0x5712f512 in jpc_pi_nextrpcl jasper/src/libjasper/jpc/jpc_t2cod.c:340:19
#1 0x5712f512 in jpc_pi_next jasper/src/libjasper/jpc/jpc_t2cod.c:158:10
#2 0x57135606 in jpc_dec_decodepkts jasper/src/libjasper/jpc/jpc_t2dec.c:489:14
#3 0x570e3e3e in jpc_dec_process_sod jasper/src/libjasper/jpc/jpc_dec.c:641:6
#4 0x570dedc8 in jpc_dec_decode jasper/src/libjasper/jpc/jpc_dec.c:434:10
#5 0x570dedc8 in jpc_decode jasper/src/libjasper/jpc/jpc_dec.c:270:6
#6 0x570ab343 in jas_image_decode jasper/src/libjasper/base/jas_image.c:477:16
#7 0x56e66c92 in ReadJP2Image /src/graphicsmagick/coders/jp2.c:889:23
#8 0x56c29c1d in ReadImage /src/graphicsmagick/magick/constitute.c:1682:13
#9 0x56bd320a in BlobToImage /src/graphicsmagick/magick/blob.c:785:13
#10 0x56b36722 in Magick::Image::read(Magick::Blob const&) /src/graphicsmagick/Magick++/lib/Image.cpp:1601:5
#11 0x56b27813 in LLVMFuzzerTestOneInput /src/graphicsmagick/fuzzing/coder_fuzzer.cc:24:11
#12 0x569b9177 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
#13 0x569a4272 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
#14 0x569a9c95 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
#15 0x569d54e7 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#16 0xf7c09ed4 in __libc_start_main
#17 0x5699d934 in _start
==251==Register values:
eax = 0x00000000 ebx = 0x58dcc000 ecx = 0x0000001b edx = 0x00000000
edi = 0x00000000 esi = 0x00000000 ebp = 0xffb2ada8 esp = 0xffb2acd0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_graphicsmagick_364babd4f1406e0e2b68256230a27a3911dd0072/revisions/coder_JPC_fuzzer+0xb0e512)
These two testcase input files were provided:
clusterfuzz-testcase-coder_JPC_fuzzer-6248882639273984.gz
clusterfuzz-testcase-minimized-coder_JPC_fuzzer-6248882639273984.gz
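Triage note with an added example (this is not JasPer or GraphicsMagick code, and it is not the fix): AddressSanitizer reports "FPE" when the process receives SIGFPE. For integer code on x86/i386 that signal is raised by a div/idiv instruction in exactly two situations: the divisor is zero, or the operation is INT_MIN / -1 and the quotient does not fit. So the place to look is the division or modulo at jpc_t2cod.c:340 in jpc_pi_nextrpcl. The report above does not show the operands, so the helper below is a generic guard pattern over constructed inputs, with a hypothetical name (safe_divmod32), showing how a divide/modulo can reject both trap cases instead of crashing.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not JasPer code): perform a signed 32-bit integer
 * division and modulo without risking SIGFPE. On x86/i386 the idiv
 * instruction traps in exactly two cases: a zero divisor, and INT_MIN / -1
 * (the quotient does not fit in 32 bits). Both are detected here and
 * reported to the caller as a failure instead of trapping. Returns 1 on
 * success, 0 if the operation would have trapped. */
static int safe_divmod32(int32_t num, int32_t den, int32_t *quot, int32_t *rem)
{
    if (den == 0) {
        return 0;                 /* division (or modulo) by zero traps */
    }
    if (num == INT32_MIN && den == -1) {
        return 0;                 /* quotient overflow also traps */
    }
    if (quot) {
        *quot = num / den;
    }
    if (rem) {
        *rem = num % den;
    }
    return 1;
}

/* Drive the helper over a constructed set of operand pairs (these are NOT
 * the operands from the crashing testcase, which the report does not show).
 * Returns the number of pairs that were rejected as trap-inducing. */
static int count_rejected(void)
{
    const int32_t pairs[][2] = {
        { 0, 27 },          /* fine: zero dividend is harmless */
        { 100, 0 },         /* trap case 1: zero divisor */
        { INT32_MIN, -1 },  /* trap case 2: quotient overflow */
        { 7, 2 },           /* fine */
        { -9, 4 },          /* fine: C truncates toward zero */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        int32_t q = 0, r = 0;
        if (!safe_divmod32(pairs[i][0], pairs[i][1], &q, &r)) {
            printf("rejected %d / %d (would raise SIGFPE)\n",
                   pairs[i][0], pairs[i][1]);
            rejected++;
        } else {
            printf("%d / %d = %d rem %d\n", pairs[i][0], pairs[i][1], q, r);
        }
    }
    return rejected;
}

int main(void)
{
    /* Two of the five constructed pairs are trap cases. */
    return count_rejected() == 2 ? 0 : 1;
}
```

To get the operands for the real crash rather than guessing, rebuild the fuzzer with UBSan's `-fsanitize=integer-divide-by-zero` (and `-fsanitize=signed-integer-overflow` for the INT_MIN / -1 case) and rerun the minimized testcase; UBSan then prints the offending expression and values at jpc_t2cod.c:340 instead of the bare SIGFPE that ASan reports.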