get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.

Upstream patch: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
Upstream issue: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
References: https://github.com/mozilla/mozjpeg/issues/299
Created libjpeg-turbo tracking bugs for this issue:

Affects: fedora-28 [bug 1687428]

Created mingw-libjpeg-turbo tracking bugs for this issue:

Affects: epel-7 [bug 1687430]
Affects: fedora-28 [bug 1687429]
Trivial to reproduce on all Red Hat Enterprise Linux 6 and 7.

```
valgrind cjpeg -outfile /dev/null poc.bmp
==28000== Memcheck, a memory error detector
==28000== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==28000== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==28000== Command: cjpeg -outfile /dev/null poc.bmp
==28000==
==28000== Invalid read of size 1
==28000==    at 0x402213: get_8bit_row (rdbmp.c:144)
==28000==    by 0x40119D: main (cjpeg.c:613)
==28000==  Address 0x545d120 is 16 bytes after a block of size 80 in arena "client"
==28000==
==28000== Invalid read of size 1
==28000==    at 0x402222: get_8bit_row (rdbmp.c:145)
==28000==    by 0x40119D: main (cjpeg.c:613)
==28000==  Address 0x545d140 is 16 bytes before a block of size 103 alloc'd
==28000==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==28000==    by 0x4E62BE3: alloc_large (jmemmgr.c:376)
==28000==    by 0x4E62E46: alloc_sarray (jmemmgr.c:453)
==28000==    by 0x4E4A62E: jinit_c_prep_controller (jcprepct.c:348)
==28000==    by 0x4E466A9: jinit_compress_master (jcinit.c:39)
==28000==    by 0x4E3A253: jpeg_start_compress (jcapistd.c:50)
==28000==    by 0x40117D: main (cjpeg.c:609)
==28000==
==28000== Use of uninitialised value of size 8
==28000==    at 0x4E3D12D: encode_one_block (jchuff.c:487)
==28000==    by 0x4E3D12D: encode_mcu_huff (jchuff.c:618)
==28000==    by 0x4E3AD06: compress_data (jccoefct.c:204)
==28000==    by 0x4E46709: process_data_simple_main (jcmainct.c:135)
==28000==    by 0x4E3A334: jpeg_write_scanlines (jcapistd.c:108)
==28000==    by 0x4011B0: main (cjpeg.c:614)
...
```

get_8bit_row invalid read looks to correspond to upstream ASAN error.
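The bug described in the report and shown in the valgrind trace above is a palette lookup that trusts an 8-bit colour index from the file. The following is an added, self-contained illustration written for this page, not libjpeg-turbo's rdbmp.c and not the upstream patch: it places the unchecked lookup pattern beside a version that validates each index against the number of palette entries actually read from the file (the `cmaplen` parameter, `rgb_t` type and function names are assumptions for the example), plus a pre-flight counter a scanner or fuzz harness could use on untrusted rows without touching the palette. The sample palette and rows in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified palette entry (a BMP colour table stores BGR plus a reserved
 * byte; the channel order is irrelevant to the bounds problem). */
typedef struct { uint8_t r, g, b; } rgb_t;

/* Unchecked lookup: the pattern behind the bug class. The 8-bit index is
 * used directly as a palette subscript, so any index >= the number of
 * palette entries reads past the palette allocation (a heap over-read
 * when the palette is smaller than 256 entries). Kept only for contrast;
 * never call it on untrusted indices. */
void expand_8bit_row_unchecked(const uint8_t *indices, size_t width,
                               const rgb_t *palette, uint8_t *out)
{
    for (size_t i = 0; i < width; i++) {
        const rgb_t *e = &palette[indices[i]];
        out[3 * i] = e->r; out[3 * i + 1] = e->g; out[3 * i + 2] = e->b;
    }
}

/* Checked lookup: reject any index that is out of range for cmaplen, the
 * number of palette entries read from the file header. Returns the number
 * of pixels written, or -1 at the first bad index (pixels before it have
 * been written; nothing after it is touched). */
long expand_8bit_row_checked(const uint8_t *indices, size_t width,
                             const rgb_t *palette, size_t cmaplen,
                             uint8_t *out)
{
    for (size_t i = 0; i < width; i++) {
        uint8_t idx = indices[i];
        if (idx >= cmaplen)          /* the missing bounds check */
            return -1;
        const rgb_t *e = &palette[idx];
        out[3 * i] = e->r; out[3 * i + 1] = e->g; out[3 * i + 2] = e->b;
    }
    return (long)width;
}

/* Pre-flight check for a scanner or fuzz harness: count indices in a row
 * that exceed the palette size without dereferencing the palette at all. */
size_t count_out_of_range(const uint8_t *indices, size_t width, size_t cmaplen)
{
    size_t n = 0;
    for (size_t i = 0; i < width; i++)
        if (indices[i] >= cmaplen)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample: a 4-entry palette (biClrUsed = 4 is legal for an
     * 8-bit BMP), one well-formed row and one row carrying index 200. */
    const rgb_t palette[4] = { {0, 0, 0}, {255, 0, 0}, {0, 255, 0}, {0, 0, 255} };
    const uint8_t good_row[6] = { 0, 1, 2, 3, 1, 0 };
    const uint8_t bad_row[6]  = { 0, 1, 200, 3, 1, 0 };
    uint8_t rgb[18];

    long n = expand_8bit_row_checked(good_row, 6, palette, 4, rgb);
    printf("good row: %ld pixels expanded\n", n);
    n = expand_8bit_row_checked(bad_row, 6, palette, 4, rgb);
    printf("bad row: rc=%ld, %zu out-of-range index(es)\n", n,
           count_out_of_range(bad_row, 6, 4));
    return 0;
}
```

The checked version takes the palette length as an explicit parameter rather than assuming 256 entries, because an 8-bit BMP may declare fewer colours in `biClrUsed` and a reader that allocates only that many entries is exactly the one exposed to an over-read.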
Upped C to low. May be potential for information disclosure based on OOB read.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2052 https://access.redhat.com/errata/RHSA-2019:2052
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-14498
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:3705 https://access.redhat.com/errata/RHSA-2019:3705