Bug 1803296 - Heap out-of-bound read in process_COM of jhead 3.04
Summary: Heap out-of-bound read in process_COM of jhead 3.04
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: jhead
Version: epel8
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Adrian Reber
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-02-15 02:44 UTC by puzzor
Modified: 2020-02-15 03:05 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments
PoC and analysis (2.73 KB, application/zip)
2020-02-15 02:44 UTC, puzzor

Description puzzor 2020-02-15 02:44:27 UTC
Created attachment 1663208: PoC and analysis

Description of problem:


Version-Release number of selected component (if applicable):
3.04

How reproducible:
stable

Steps to Reproduce:
1. git clone the code from https://salsa.debian.org/debian/jhead/, or from upstream.
2. Compile the code with ASAN.
3. Run ./jhead poc

Actual results:
=================================================================
==25565==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x000000407465 bp 0x7ffd83a3de00 sp 0x7ffd83a3ddf0
READ of size 1 at 0x60400000e000 thread T0
    #0 0x407464 in process_COM /home/ubuntu/jhead-3.04/jpgfile.c:51
    #1 0x407fce in ReadJpegSections /home/ubuntu/jhead-3.04/jpgfile.c:241
    #2 0x408210 in ReadJpegFile /home/ubuntu/jhead-3.04/jpgfile.c:379
    #3 0x404e66 in ProcessFile /home/ubuntu/jhead-3.04/jhead.c:905
    #4 0x4025d5 in main /home/ubuntu/jhead-3.04/jhead.c:1756
    #5 0x7f01c329082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x403b08 in _start (/home/ubuntu/jhead-3.04/jhead+0x403b08)

0x60400000e000 is located 0 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7f01c39db602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x407634 in ReadJpegSections /home/ubuntu/jhead-3.04/jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/jhead-3.04/jpgfile.c:51 process_COM
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25565==ABORTING


Expected results:


Additional info:
In ``jpgqguess.c``, function ``process_DQT``, line 109: when ``a`` equals ``length-1``, ``Data[a++]`` causes an OOB read.


We have reported this to upstream, but upstream is not actively responsive, so we are posting the bug here.
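As an added example (not jhead's code and not part of this report or its attachment), the C below shows the bounds checks a defensive parser of length-prefixed JPEG segments needs at the two places the report points at: a COM comment scan and a DQT table walk. It assumes the comment scanner collapses CR/LF pairs by peeking one byte ahead, and that a DQT table is one header byte followed by 64 entries of one or two bytes; the function names `scan_com_segment` and `count_dqt_tables`, the `demo_*` wrappers and the sample byte arrays are constructed for the example. The declared 16-bit segment length is checked against the bytes actually available, and every read, including the one-byte look-ahead and each fixed-size table, is checked against that length before it happens, so reaching `a == length-1` cannot step past the buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical hardened COM scan (added example, not jhead's process_COM).
 * Data points at the segment starting with its 2-byte big-endian length;
 * avail is the number of bytes the caller really has in memory.
 * Returns the number of characters written to out, or -1 on malformed input. */
int scan_com_segment(const unsigned char *Data, size_t avail, char *out, size_t outcap)
{
    if (avail < 2 || outcap == 0) return -1;
    size_t declared = ((size_t)Data[0] << 8) | Data[1];
    /* A declared length beyond what was read is the first thing to reject. */
    if (declared < 2 || declared > avail) return -1;

    size_t nch = 0;
    for (size_t a = 2; a < declared; a++) {
        unsigned char ch = Data[a];
        /* Only peek at Data[a+1] when a+1 is still inside the segment;
         * without the a + 1 < declared test this is an off-by-one read. */
        if (ch == '\r' && a + 1 < declared && Data[a + 1] == '\n') continue;
        if (nch + 1 >= outcap) break;            /* keep room for the NUL */
        out[nch++] = (ch >= 32 || ch == '\n' || ch == '\t') ? (char)ch : '?';
    }
    out[nch] = '\0';
    return (int)nch;
}

/* Hypothetical hardened DQT walk (added example, not jhead's process_DQT).
 * Each table: one header byte (high nibble = precision, low nibble = id)
 * followed by 64 entries of 1 byte (precision 0) or 2 bytes (precision 1).
 * Returns the number of tables, or -1 if a table would overrun the segment. */
int count_dqt_tables(const unsigned char *Data, size_t avail)
{
    if (avail < 2) return -1;
    size_t declared = ((size_t)Data[0] << 8) | Data[1];
    if (declared < 2 || declared > avail) return -1;

    int tables = 0;
    size_t a = 2;
    while (a < declared) {
        unsigned char c = Data[a++];
        size_t entry = (c >> 4) ? 2 : 1;
        /* Check the whole table fits before reading any of its entries. */
        if (declared - a < 64 * entry) return -1;
        a += 64 * entry;
        tables++;
    }
    return tables;
}

/* Constructed sample inputs (not the PoC from the attachment). */
static const unsigned char com_ok[]       = {0x00, 0x07, 'h', 'i', '\r', '\n', '!'};
static const unsigned char com_trail_cr[] = {0x00, 0x04, 'x', '\r'};   /* CR is the last byte */
static const unsigned char com_short[]    = {0x00, 0x10, 'a'};         /* claims 16 bytes, has 3 */

int demo_com_ok(void)          { char b[16]; return scan_com_segment(com_ok, sizeof com_ok, b, sizeof b); }
int demo_com_trailing_cr(void) { char b[16]; return scan_com_segment(com_trail_cr, sizeof com_trail_cr, b, sizeof b); }
int demo_com_short(void)       { char b[16]; return scan_com_segment(com_short, sizeof com_short, b, sizeof b); }

int demo_dqt_ok(void)
{
    unsigned char seg[2 + 1 + 64] = {0x00, 0x43, 0x00};  /* 8-bit table, 64 entries follow */
    return count_dqt_tables(seg, sizeof seg);
}

int demo_dqt_truncated(void)
{
    unsigned char seg[2 + 1 + 64] = {0x00, 0x43, 0x10};  /* claims a 16-bit table: needs 128 bytes */
    return count_dqt_tables(seg, sizeof seg);
}

int main(void)
{
    printf("COM ok: %d chars\n", demo_com_ok());                 /* 4: "hi\n!" */
    printf("COM trailing CR: %d chars\n", demo_com_trailing_cr()); /* 2: "x?" */
    printf("COM short: %d\n", demo_com_short());                 /* -1 */
    printf("DQT ok: %d tables\n", demo_dqt_ok());                /* 1 */
    printf("DQT truncated: %d\n", demo_dqt_truncated());         /* -1 */
    return 0;
}
```

The trailing-CR case is the one that matters here: with the look-ahead guarded, the last byte of the segment is classified on its own instead of triggering a read at `Data[length]`, which is exactly the "0 bytes to the right of" the allocation that ASan reports above.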

