Bug 1943424
| Summary: | CVE-2021-32493 djvulibre: Heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file [fedora-all] | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | 1vanChen <houyunsong> | ||||||
| Component: | djvulibre | Assignee: | Marek Kašík <mkasik> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | rawhide | CC: | tpopela | ||||||
| Target Milestone: | --- | Keywords: | Security, SecurityTracking | ||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | djvulibre-3.5.27-24.fc32 djvulibre-3.5.27-27.fc33 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2021-11-25 15:19:28 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1943690 | ||||||||
| Attachments: |
|
||||||||
Created attachment 1774554 [details]
Patch preventing an unsigned short overflow
The issue here is that summation of 2 unsigned shorts is stored in another unsigned short and this overflow for the reproducer.
I've added check for this there.
(In reply to Marek Kašík from comment #1) > Created attachment 1774554 [details] > Patch preventing an unsigned short overflow > > The issue here is that summation of 2 unsigned shorts is stored in another > unsigned short and this overflow for the reproducer. > I've added check for this there. This patch looks great! I cannot reproduce this bug after applying this patch. This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This has been fixed quite some time ago (since Fedora 32). |
Created attachment 1766485 [details] poc file To Reproduce ```shell ./ddjvu ./poc.djvu ``` Debug Info ```shell # ./ddjvu ./poc.djvu ==6413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffff2ddce0b at pc 0x0000004985ac bp 0x7ffff2864950 sp 0x7ffff2864118 WRITE of size 16383 at 0x7ffff2ddce0b thread T2 #0 0x4985ab in __asan_memset /local/mnt/workspace/tmp/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 #1 0x6eb76e in DJVU::GBitmap::decode(unsigned char*) /src/djvulibre-ddjvu/libdjvu/GBitmap.cpp:1311:18 #2 0x6eb197 in DJVU::GBitmap::uncompress() /src/djvulibre-ddjvu/libdjvu/GBitmap.cpp:426:5 #3 0x56f03c in DJVU::GBitmap::operator[](int) /src/djvulibre-ddjvu/libdjvu/./GBitmap.h:568:5 #4 0x811c17 in DJVU::JB2Dict::JB2Codec::code_bitmap_by_cross_coding(DJVU::GBitmap&, DJVU::GP<DJVU::GBitmap>&, int) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:883:5 #5 0x8154a0 in DJVU::JB2Dict::JB2Codec::code_record(int&, DJVU::GP<DJVU::JB2Image> const&, DJVU::JB2Shape*, DJVU::JB2Blit*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:1202:9 #6 0x817253 in DJVU::JB2Dict::JB2Codec::Decode::code(DJVU::GP<DJVU::JB2Image> const&) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:1353:11 #7 0x8092e2 in DJVU::JB2Dict::JB2Codec::Decode::code(DJVU::JB2Image*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:100:58 #8 0x809168 in DJVU::JB2Image::decode(DJVU::GP<DJVU::ByteStream> const&, DJVU::GP<DJVU::JB2Dict> (*)(void*), void*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:336:9 #9 0x621c70 in DJVU::DjVuFile::decode_chunk(DJVU::GUTF8String const&, DJVU::GP<DJVU::ByteStream> const&, bool, bool, bool) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:932:11 #10 0x61835b in DJVU::DjVuFile::decode(DJVU::GP<DJVU::ByteStream> const&) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:1255:25 #11 0x616b2d in DJVU::DjVuFile::decode_func() /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:484:5 #12 0x61689b in DJVU::DjVuFile::static_decode_func(void*) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:464:9 #13 0x77b07a in DJVU::GThread::start(void*) /src/djvulibre-ddjvu/libdjvu/GThreads.cpp:392:11 #14 0x7ffff6ceb6b9 in start_thread /build/glibc-e6zv40/glibc-2.23/nptl/pthread_create.c:333 #15 0x7ffff66014dc in clone /build/glibc-e6zv40/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109 0x7ffff2ddce0b is located 0 bytes to the right of 349707-byte region [0x7ffff2d87800,0x7ffff2ddce0b) allocated by thread T2 here: #0 0x4c8b0d in operator new(unsigned long) /local/mnt/workspace/tmp/final/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3 #1 0x75a76a in DJVU::GPBufferBase::GPBufferBase(void*&, unsigned long, unsigned long) /src/djvulibre-ddjvu/libdjvu/GSmartPointer.cpp:155:12 #2 0x75a379 in DJVU::GPBufferBase::resize(unsigned long, unsigned long) /src/djvulibre-ddjvu/libdjvu/GSmartPointer.cpp:187:20 #3 0x6eb4df in DJVU::GBitmap::decode(unsigned char*) /src/djvulibre-ddjvu/libdjvu/GBitmap.cpp:1293:17 #4 0x6eb197 in DJVU::GBitmap::uncompress() /src/djvulibre-ddjvu/libdjvu/GBitmap.cpp:426:5 #5 0x56f03c in DJVU::GBitmap::operator[](int) /src/djvulibre-ddjvu/libdjvu/./GBitmap.h:568:5 #6 0x811c17 in DJVU::JB2Dict::JB2Codec::code_bitmap_by_cross_coding(DJVU::GBitmap&, DJVU::GP<DJVU::GBitmap>&, int) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:883:5 #7 0x8154a0 in DJVU::JB2Dict::JB2Codec::code_record(int&, DJVU::GP<DJVU::JB2Image> const&, DJVU::JB2Shape*, DJVU::JB2Blit*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:1202:9 #8 0x817253 in DJVU::JB2Dict::JB2Codec::Decode::code(DJVU::GP<DJVU::JB2Image> const&) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:1353:11 #9 0x8092e2 in DJVU::JB2Dict::JB2Codec::Decode::code(DJVU::JB2Image*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:100:58 #10 0x809168 in DJVU::JB2Image::decode(DJVU::GP<DJVU::ByteStream> const&, DJVU::GP<DJVU::JB2Dict> (*)(void*), void*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:336:9 #11 0x621c70 in DJVU::DjVuFile::decode_chunk(DJVU::GUTF8String const&, DJVU::GP<DJVU::ByteStream> const&, bool, bool, bool) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:932:11 #12 0x61835b in DJVU::DjVuFile::decode(DJVU::GP<DJVU::ByteStream> const&) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:1255:25 #13 0x616b2d in DJVU::DjVuFile::decode_func() /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:484:5 #14 0x61689b in DJVU::DjVuFile::static_decode_func(void*) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:464:9 #15 0x77b07a in DJVU::GThread::start(void*) /src/djvulibre-ddjvu/libdjvu/GThreads.cpp:392:11 #16 0x7ffff6ceb6b9 in start_thread /build/glibc-e6zv40/glibc-2.23/nptl/pthread_create.c:333 Thread T2 created by T0 here: #0 0x4838ba in pthread_create /local/mnt/workspace/tmp/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3 #1 0x77b5a0 in DJVU::GThread::create(void (*)(void*), void*) /src/djvulibre-ddjvu/libdjvu/GThreads.cpp:440:13 #2 0x62552c in DJVU::DjVuFile::start_decode() /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:1341:22 #3 0x62499b in DJVU::DjVuFile::resume_decode(bool) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:1366:7 #4 0x5fa9dd in DJVU::DjVuDocument::get_page(int, bool, DJVU::DjVuPort*) const /src/djvulibre-ddjvu/libdjvu/DjVuDocument.cpp:1070:12 #5 0x569f7a in DJVU::DjVuDocument::get_page(int, bool, DJVU::DjVuPort*) /src/djvulibre-ddjvu/libdjvu/./DjVuDocument.h:604:53 #6 0x5363cd in ddjvu_page_create(DJVU::ddjvu_document_s*, DJVU::ddjvu_job_s*, char const*, int) /src/djvulibre-ddjvu/libdjvu/ddjvuapi.cpp:1580:23 #7 0x4d33f6 in dopage(int) /src/djvulibre-ddjvu/tools/ddjvu.cpp:733:17 #8 0x4d4717 in parse_pagespec(char const*, int, void (*)(int)) /src/djvulibre-ddjvu/tools/ddjvu.cpp:825:11 #9 0x4df19b in main /src/djvulibre-ddjvu/tools/ddjvu.cpp:1214:3 #10 0x7ffff651a83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291 SUMMARY: AddressSanitizer: heap-buffer-overflow /local/mnt/workspace/tmp/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 in __asan_memset Shadow bytes around the buggy address: 0x10007e5b3970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007e5b3980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007e5b3990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007e5b39a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007e5b39b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10007e5b39c0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e5b39d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e5b39e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e5b39f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e5b3a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e5b3a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==6413==ABORTING ``` gdbdebug info: ```shell [----------------------------------registers-----------------------------------] RAX: 0x7ffff00bde3f --> 0x0 RBX: 0x0 RCX: 0xcd83 RDX: 0x3fff RSI: 0x0 RDI: 0x7ffff00c1e3e --> 0x0 RBP: 0x7ffff5765bf0 --> 0x7ffff5765c10 --> 0x7ffff5765c40 --> 0x7ffff5765ce0 --> 0x7ffff5765d60 --> 0x7ffff5765dd0 (--> ...) RSP: 0x7ffff5765b50 --> 0x7ffff5765b70 --> 0x7ffff00bde3f --> 0x0 RIP: 0x5aece7 (<_ZN4DJVU7GBitmap6decodeEPh+631>: call 0x405f50 <memset@plt>) R8 : 0x0 R9 : 0x6f000 R10: 0x7ffff0000078 --> 0x7ffff00c3e70 --> 0x0 R11: 0x206 R12: 0x7ffe R13: 0x3fff R14: 0x3fff R15: 0xec5d EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x5aecdb <_ZN4DJVU7GBitmap6decodeEPh+619>: lea edx,[r13-0x1] 0x5aecdf <_ZN4DJVU7GBitmap6decodeEPh+623>: add rdx,0x1 0x5aece3 <_ZN4DJVU7GBitmap6decodeEPh+627>: movzx esi,BYTE PTR [rbp-0x50] => 0x5aece7 <_ZN4DJVU7GBitmap6decodeEPh+631>: call 0x405f50 <memset@plt> 0x5aecec <_ZN4DJVU7GBitmap6decodeEPh+636>: mov r12d,r13d 0x5aecef <_ZN4DJVU7GBitmap6decodeEPh+639>: shr r12d,0x18 0x5aecf3 <_ZN4DJVU7GBitmap6decodeEPh+643>: mov r15b,0x1 0x5aecf6 <_ZN4DJVU7GBitmap6decodeEPh+646>: test r15b,r15b Guessed arguments: arg[0]: 0x7ffff00c1e3e --> 0x0 arg[1]: 0x0 arg[2]: 0x3fff [------------------------------------stack-------------------------------------] 0000| 0x7ffff5765b50 --> 0x7ffff5765b70 --> 0x7ffff00bde3f --> 0x0 0008| 0x7ffff5765b58 --> 0x7ffff00016b5 --> 0xffff60ec00ffff00 0016| 0x7ffff5765b60 --> 0x3ffc 0024| 0x7ffff5765b68 --> 0x0 0032| 0x7ffff5765b70 --> 0x7ffff00bde3f --> 0x0 0040| 0x7ffff5765b78 --> 0x5aa082 (<_ZN4DJVU7GBitmap9minborderEi+626>: jmp 0x5aa1a9 <_ZN4DJVU7GBitmap9minborderEi+921>) 0048| 0x7ffff5765b80 --> 0x0 0056| 0x7ffff5765b88 --> 0xc ('\x0c') [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0x00000000005aece7 1311 row[c++] = p; gdb-peda$ Thread 3 "ddjvu" received signal SIGSEGV, Segmentation fault. ``` Environment: - version : djvulibre master (ee314b880c926e884be77d53ee459d9850c9c7f0) - OS: Ubuntu 16.04 - clang version: 11 Credit: 1vanChen of NSFOCUS Security Team