Bug 1208075

Summary: jbig2dec: heap-based buffer overflow in jbig2_decode_symbol_dict()
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: pavel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-08 17:59:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1208076, 1208077    
Bug Blocks:    
Attachments:
Description Flags
crash.jb2 none

Description Vasyl Kaigorodov 2015-04-01 10:33:50 UTC 
Below issue was reported at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779849:
"""
jbig2dec crashes on the attached file:

$ ./jbig2dec crash.jb2
jbig2dec WARNING No OOB signalling end of height class 2 (segment 0x00)
*** Error in `/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec': free(): invalid pointer: 0x08b98240 ***
Aborted

Rebuilding the package with "-fsanitize=address" reveals that the root 
cause is a heap-based buffer overflow:

$ ./jbig2dec crash.jb2
=================================================================
==4112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4303f6c at pc 0xf726b146 bp 0xff8eccc8 sp 0xff8eccbc
WRITE of size 4 at 0xf4303f6c thread T0
   #0 0xf726b145 in jbig2_decode_symbol_dict /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:626
   #1 0xf726b145 in jbig2_symbol_dictionary /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:1054
   #2 0xf7263cd0 in jbig2_parse_segment /home/jwilk/jbig2dec-0.11+20120125/jbig2_segment.c:251
   #3 0xf725d598 in jbig2_data_in /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:356
   #4 0x80499d5 in main /home/jwilk/jbig2dec-0.11+20120125/jbig2dec.c:449
   #5 0xf7035a62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
   #6 0x804a6eb (/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec+0x804a6eb)

0xf4303f6c is located 0 bytes to the right of 7788-byte region [0xf4302100,0xf4303f6c)
allocated by thread T0 here:
   #0 0xf72e16e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
   #1 0xf725c237 in jbig2_default_alloc /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:35
"""

No patch for this issue is available yet.
Comment 1 Vasyl Kaigorodov 2015-04-01 10:34:22 UTC 
Created attachment 1009615 [details]
crash.jb2
Comment 2 Vasyl Kaigorodov 2015-04-01 10:34:43 UTC 
Created jbig2dec tracking bugs for this issue:

Affects: fedora-all [bug 1208076]
Affects: epel-all [bug 1208077]