Bug 1344214

Summary: libjpeg: CPU overconsumption using extraneous progressive scans
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alonbl, bmcclain, cfergeau, dblechte, dkholia, eedri, erik-fedora, gklein, klember, lsurette, mgoldboi, michal.skrivanek, negativo17, phracek, rbalakri, rh-spice-bugs, rjones, sardella, sherold, srevivo, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-13 04:26:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1344218, 1344220
Bug Blocks: 1344217

Description Andrej Nemec 2016-06-09 08:18:27 UTC
JPEG has the ability to encode images progressively–that is, to encode images into multiple “scans” of differing resolutions, such that the lowest-resolution scan is decoded first and subsequent scans fill in the image detail. The progressive JPEG format also provides a feature, called an “EOB run”, that allows it to represent large blocks of zeroes using only a few bytes.

One can combine these two features to generate an image with a very large number of progressive scans (say, 80,000), each of which uses the EOB run feature to represent millions of zero-value pixels using less than 100 bytes. Because millions of pixels are being represented, each of these scans takes significant time to decode, and the decode time goes up linearly with the number of 100-byte scans one adds to the image.

Mitigation:

These images are entirely legal, as the JPEG standard permits an unlimited number of progressive scans. However, it is hard to imagine any real-world application needing more than 100. Therefore, limiting the number to 1,000 before exiting with an error should avoid this problem while not preventing the decoding of any legal, non-hostile JPEGs.

External references:

https://docs.google.com/document/d/17exDyGr2txYJ5Ntv4Q8B3MnLSvbcSfs5dje_xuDZPNA
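The mitigation proposed in the description (refuse an image once its scan count passes a fixed limit) can be enforced before a single coefficient is decoded, by walking the JPEG marker structure and counting SOS segments. The C program below is an added example written for this page; it is not libjpeg's or libjpeg-turbo's code, and the limit constant MAX_PROGRESSIVE_SCANS (set to the 1,000 the report suggests), the function names, and the synthetic byte stream it builds for itself are assumptions and constructed test data, not a real image. The check is slightly more general than the report's wording: it counts every SOS marker, which is harmless because sequential JPEGs cannot legitimately carry more than a handful of scans either.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap, taking the 1,000 figure proposed in the report. */
#define MAX_PROGRESSIVE_SCANS 1000

enum scan_result {
    SCAN_BAD_MARKER = -1,  /* no SOI, or a stray byte where a marker belongs */
    SCAN_TRUNCATED  = -2,  /* data ends before EOI or inside a segment */
    SCAN_TOO_MANY   = -3   /* more scans than max_scans: refuse to decode */
};

/* Walk the marker structure of a JPEG stream and count SOS (0xFFDA) segments
 * without decoding any entropy-coded data. Returns the scan count, or a
 * negative enum scan_result. */
int count_jpeg_scans(const uint8_t *buf, size_t len, int max_scans)
{
    size_t pos = 2;
    int scans = 0;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)   /* SOI */
        return SCAN_BAD_MARKER;

    while (pos + 2 <= len) {
        uint8_t marker;
        size_t seglen;

        if (buf[pos] != 0xFF)
            return SCAN_BAD_MARKER;
        marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }   /* fill byte before a marker */
        pos += 2;

        if (marker == 0xD9)                         /* EOI */
            return scans;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                               /* TEM, RSTn: no length field */

        /* Other markers carry a big-endian 16-bit length that counts itself. */
        if (pos + 2 > len)
            return SCAN_TRUNCATED;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2 || pos + seglen > len)
            return SCAN_TRUNCATED;
        pos += seglen;

        if (marker == 0xDA) {                       /* SOS: header, then entropy data */
            if (++scans > max_scans)
                return SCAN_TOO_MANY;               /* the limit the report proposes */
            /* Entropy-coded data: 0xFF is data only when followed by 0x00
             * (byte stuffing) or a RSTn marker; any other marker ends the scan. */
            while (pos + 1 < len) {
                uint8_t next = buf[pos + 1];
                if (buf[pos] != 0xFF) { pos++; continue; }
                if (next == 0x00 || (next >= 0xD0 && next <= 0xD7)) { pos += 2; continue; }
                if (next == 0xFF) { pos++; continue; }
                break;
            }
        }
    }
    return SCAN_TRUNCATED;
}

/* Constructed input (not a decodable image): SOI, a one-component SOF2
 * (progressive) frame header, nscans SOS segments each followed by four bytes
 * of fake entropy data with one stuffed 0xFF00, then EOI. Returns bytes
 * written, or 0 if the buffer is too small. */
size_t build_synthetic_progressive_jpeg(uint8_t *out, size_t cap, int nscans)
{
    static const uint8_t soi[]  = { 0xFF, 0xD8 };
    static const uint8_t sof2[] = { 0xFF, 0xC2, 0x00, 0x0B, 0x08, 0x00, 0x08, 0x00, 0x08,
                                    0x01, 0x01, 0x11, 0x00 };
    static const uint8_t sos[]  = { 0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00 };
    static const uint8_t data[] = { 0x12, 0xFF, 0x00, 0x34 };
    static const uint8_t eoi[]  = { 0xFF, 0xD9 };
    size_t need = sizeof soi + sizeof sof2 + (size_t)nscans * (sizeof sos + sizeof data) + sizeof eoi;
    size_t pos = 0;
    int i;

    if (nscans < 0 || need > cap)
        return 0;
    memcpy(out + pos, soi, sizeof soi);   pos += sizeof soi;
    memcpy(out + pos, sof2, sizeof sof2); pos += sizeof sof2;
    for (i = 0; i < nscans; i++) {
        memcpy(out + pos, sos, sizeof sos);   pos += sizeof sos;
        memcpy(out + pos, data, sizeof data); pos += sizeof data;
    }
    memcpy(out + pos, eoi, sizeof eoi);   pos += sizeof eoi;
    return pos;
}

/* Build a synthetic stream with nscans scans and run the check on it;
 * drop_eoi removes the trailing EOI to simulate a truncated file. */
int check_synthetic(int nscans, int max_scans, int drop_eoi)
{
    uint8_t buf[8192];
    size_t n = build_synthetic_progressive_jpeg(buf, sizeof buf, nscans);
    if (n == 0)
        return SCAN_TRUNCATED;
    return count_jpeg_scans(buf, drop_eoi ? n - 2 : n, max_scans);
}

int main(void)
{
    printf("3 scans, limit %d: %d\n", MAX_PROGRESSIVE_SCANS, check_synthetic(3, MAX_PROGRESSIVE_SCANS, 0));
    printf("500 scans, limit 100: %d (SCAN_TOO_MANY=%d)\n", check_synthetic(500, 100, 0), SCAN_TOO_MANY);
    printf("3 scans, no EOI: %d (SCAN_TRUNCATED=%d)\n", check_synthetic(3, MAX_PROGRESSIVE_SCANS, 1), SCAN_TRUNCATED);
    return 0;
}
```

Because the walker never decodes entropy data, its cost is linear in the file size rather than in the pixel count per scan, which is exactly the asymmetry the report describes; a decoder that cannot take this pre-pass can apply the same `++scans > max_scans` test at the point where it begins each new scan.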

Comment 1 Andrej Nemec 2016-06-09 08:24:42 UTC
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1344218]

Comment 2 Andrej Nemec 2016-06-09 08:24:53 UTC
Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: fedora-all [bug 1344220]