Bug 1943424 - CVE-2021-32493 djvulibre: Heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file [fedora-all]
Summary: CVE-2021-32493 djvulibre: Heap buffer overflow in function DJVU::GBitmap::dec...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: djvulibre
Version: rawhide
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Marek Kašík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2021-32493
TreeView+ depends on / blocked
 
Reported: 2021-03-26 03:18 UTC by 1vanChen
Modified: 2021-11-25 15:19 UTC (History)
1 user (show)

Fixed In Version: djvulibre-3.5.27-24.fc32 djvulibre-3.5.27-27.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-25 15:19:28 UTC
Type: Bug


Attachments (Terms of Use)
poc file (768 bytes, application/octet-stream)
2021-03-26 03:18 UTC, 1vanChen
no flags Details
Patch preventing an unsigned short overflow (648 bytes, patch)
2021-04-22 16:49 UTC, Marek Kašík
no flags Details | Diff

Description 1vanChen 2021-03-26 03:18:17 UTC
Created attachment 1766485 [details]
poc file

To Reproduce

```shell
./ddjvu ./poc.djvu
```

Debug Info

```shell
# ./ddjvu ./poc.djvu
==6413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffff2ddce0b at pc 0x0000004985ac bp 0x7ffff2864950 sp 0x7ffff2864118
WRITE of size 16383 at 0x7ffff2ddce0b thread T2
    #0 0x4985ab in __asan_memset /local/mnt/workspace/tmp/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
    #1 0x6eb76e in DJVU::GBitmap::decode(unsigned char*) /src/djvulibre-ddjvu/libdjvu/GBitmap.cpp:1311:18
    #2 0x6eb197 in DJVU::GBitmap::uncompress() /src/djvulibre-ddjvu/libdjvu/GBitmap.cpp:426:5
    #3 0x56f03c in DJVU::GBitmap::operator[](int) /src/djvulibre-ddjvu/libdjvu/./GBitmap.h:568:5
    #4 0x811c17 in DJVU::JB2Dict::JB2Codec::code_bitmap_by_cross_coding(DJVU::GBitmap&, DJVU::GP<DJVU::GBitmap>&, int) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:883:5
    #5 0x8154a0 in DJVU::JB2Dict::JB2Codec::code_record(int&, DJVU::GP<DJVU::JB2Image> const&, DJVU::JB2Shape*, DJVU::JB2Blit*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:1202:9
    #6 0x817253 in DJVU::JB2Dict::JB2Codec::Decode::code(DJVU::GP<DJVU::JB2Image> const&) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:1353:11
    #7 0x8092e2 in DJVU::JB2Dict::JB2Codec::Decode::code(DJVU::JB2Image*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:100:58
    #8 0x809168 in DJVU::JB2Image::decode(DJVU::GP<DJVU::ByteStream> const&, DJVU::GP<DJVU::JB2Dict> (*)(void*), void*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:336:9
    #9 0x621c70 in DJVU::DjVuFile::decode_chunk(DJVU::GUTF8String const&, DJVU::GP<DJVU::ByteStream> const&, bool, bool, bool) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:932:11
    #10 0x61835b in DJVU::DjVuFile::decode(DJVU::GP<DJVU::ByteStream> const&) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:1255:25
    #11 0x616b2d in DJVU::DjVuFile::decode_func() /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:484:5
    #12 0x61689b in DJVU::DjVuFile::static_decode_func(void*) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:464:9
    #13 0x77b07a in DJVU::GThread::start(void*) /src/djvulibre-ddjvu/libdjvu/GThreads.cpp:392:11
    #14 0x7ffff6ceb6b9 in start_thread /build/glibc-e6zv40/glibc-2.23/nptl/pthread_create.c:333
    #15 0x7ffff66014dc in clone /build/glibc-e6zv40/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x7ffff2ddce0b is located 0 bytes to the right of 349707-byte region [0x7ffff2d87800,0x7ffff2ddce0b)
allocated by thread T2 here:
    #0 0x4c8b0d in operator new(unsigned long) /local/mnt/workspace/tmp/final/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x75a76a in DJVU::GPBufferBase::GPBufferBase(void*&, unsigned long, unsigned long) /src/djvulibre-ddjvu/libdjvu/GSmartPointer.cpp:155:12
    #2 0x75a379 in DJVU::GPBufferBase::resize(unsigned long, unsigned long) /src/djvulibre-ddjvu/libdjvu/GSmartPointer.cpp:187:20
    #3 0x6eb4df in DJVU::GBitmap::decode(unsigned char*) /src/djvulibre-ddjvu/libdjvu/GBitmap.cpp:1293:17
    #4 0x6eb197 in DJVU::GBitmap::uncompress() /src/djvulibre-ddjvu/libdjvu/GBitmap.cpp:426:5
    #5 0x56f03c in DJVU::GBitmap::operator[](int) /src/djvulibre-ddjvu/libdjvu/./GBitmap.h:568:5
    #6 0x811c17 in DJVU::JB2Dict::JB2Codec::code_bitmap_by_cross_coding(DJVU::GBitmap&, DJVU::GP<DJVU::GBitmap>&, int) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:883:5
    #7 0x8154a0 in DJVU::JB2Dict::JB2Codec::code_record(int&, DJVU::GP<DJVU::JB2Image> const&, DJVU::JB2Shape*, DJVU::JB2Blit*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:1202:9
    #8 0x817253 in DJVU::JB2Dict::JB2Codec::Decode::code(DJVU::GP<DJVU::JB2Image> const&) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:1353:11
    #9 0x8092e2 in DJVU::JB2Dict::JB2Codec::Decode::code(DJVU::JB2Image*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:100:58
    #10 0x809168 in DJVU::JB2Image::decode(DJVU::GP<DJVU::ByteStream> const&, DJVU::GP<DJVU::JB2Dict> (*)(void*), void*) /src/djvulibre-ddjvu/libdjvu/JB2Image.cpp:336:9
    #11 0x621c70 in DJVU::DjVuFile::decode_chunk(DJVU::GUTF8String const&, DJVU::GP<DJVU::ByteStream> const&, bool, bool, bool) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:932:11
    #12 0x61835b in DJVU::DjVuFile::decode(DJVU::GP<DJVU::ByteStream> const&) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:1255:25
    #13 0x616b2d in DJVU::DjVuFile::decode_func() /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:484:5
    #14 0x61689b in DJVU::DjVuFile::static_decode_func(void*) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:464:9
    #15 0x77b07a in DJVU::GThread::start(void*) /src/djvulibre-ddjvu/libdjvu/GThreads.cpp:392:11
    #16 0x7ffff6ceb6b9 in start_thread /build/glibc-e6zv40/glibc-2.23/nptl/pthread_create.c:333

Thread T2 created by T0 here:
    #0 0x4838ba in pthread_create /local/mnt/workspace/tmp/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x77b5a0 in DJVU::GThread::create(void (*)(void*), void*) /src/djvulibre-ddjvu/libdjvu/GThreads.cpp:440:13
    #2 0x62552c in DJVU::DjVuFile::start_decode() /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:1341:22
    #3 0x62499b in DJVU::DjVuFile::resume_decode(bool) /src/djvulibre-ddjvu/libdjvu/DjVuFile.cpp:1366:7
    #4 0x5fa9dd in DJVU::DjVuDocument::get_page(int, bool, DJVU::DjVuPort*) const /src/djvulibre-ddjvu/libdjvu/DjVuDocument.cpp:1070:12
    #5 0x569f7a in DJVU::DjVuDocument::get_page(int, bool, DJVU::DjVuPort*) /src/djvulibre-ddjvu/libdjvu/./DjVuDocument.h:604:53
    #6 0x5363cd in ddjvu_page_create(DJVU::ddjvu_document_s*, DJVU::ddjvu_job_s*, char const*, int) /src/djvulibre-ddjvu/libdjvu/ddjvuapi.cpp:1580:23
    #7 0x4d33f6 in dopage(int) /src/djvulibre-ddjvu/tools/ddjvu.cpp:733:17
    #8 0x4d4717 in parse_pagespec(char const*, int, void (*)(int)) /src/djvulibre-ddjvu/tools/ddjvu.cpp:825:11
    #9 0x4df19b in main /src/djvulibre-ddjvu/tools/ddjvu.cpp:1214:3
    #10 0x7ffff651a83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /local/mnt/workspace/tmp/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 in __asan_memset
Shadow bytes around the buggy address:
  0x10007e5b3970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e5b3980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e5b3990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e5b39a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e5b39b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007e5b39c0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e5b39d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e5b39e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e5b39f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e5b3a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e5b3a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6413==ABORTING
```



gdbdebug info:

```shell
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff00bde3f --> 0x0
RBX: 0x0
RCX: 0xcd83
RDX: 0x3fff
RSI: 0x0
RDI: 0x7ffff00c1e3e --> 0x0
RBP: 0x7ffff5765bf0 --> 0x7ffff5765c10 --> 0x7ffff5765c40 --> 0x7ffff5765ce0 --> 0x7ffff5765d60 --> 0x7ffff5765dd0 (--> ...)
RSP: 0x7ffff5765b50 --> 0x7ffff5765b70 --> 0x7ffff00bde3f --> 0x0
RIP: 0x5aece7 (<_ZN4DJVU7GBitmap6decodeEPh+631>:        call   0x405f50 <memset@plt>)
R8 : 0x0
R9 : 0x6f000
R10: 0x7ffff0000078 --> 0x7ffff00c3e70 --> 0x0
R11: 0x206
R12: 0x7ffe
R13: 0x3fff
R14: 0x3fff
R15: 0xec5d
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5aecdb <_ZN4DJVU7GBitmap6decodeEPh+619>:   lea    edx,[r13-0x1]
   0x5aecdf <_ZN4DJVU7GBitmap6decodeEPh+623>:   add    rdx,0x1
   0x5aece3 <_ZN4DJVU7GBitmap6decodeEPh+627>:   movzx  esi,BYTE PTR [rbp-0x50]
=> 0x5aece7 <_ZN4DJVU7GBitmap6decodeEPh+631>:   call   0x405f50 <memset@plt>
   0x5aecec <_ZN4DJVU7GBitmap6decodeEPh+636>:   mov    r12d,r13d
   0x5aecef <_ZN4DJVU7GBitmap6decodeEPh+639>:   shr    r12d,0x18
   0x5aecf3 <_ZN4DJVU7GBitmap6decodeEPh+643>:   mov    r15b,0x1
   0x5aecf6 <_ZN4DJVU7GBitmap6decodeEPh+646>:   test   r15b,r15b
Guessed arguments:
arg[0]: 0x7ffff00c1e3e --> 0x0
arg[1]: 0x0
arg[2]: 0x3fff
[------------------------------------stack-------------------------------------]
0000| 0x7ffff5765b50 --> 0x7ffff5765b70 --> 0x7ffff00bde3f --> 0x0
0008| 0x7ffff5765b58 --> 0x7ffff00016b5 --> 0xffff60ec00ffff00
0016| 0x7ffff5765b60 --> 0x3ffc
0024| 0x7ffff5765b68 --> 0x0
0032| 0x7ffff5765b70 --> 0x7ffff00bde3f --> 0x0
0040| 0x7ffff5765b78 --> 0x5aa082 (<_ZN4DJVU7GBitmap9minborderEi+626>:  jmp    0x5aa1a9 <_ZN4DJVU7GBitmap9minborderEi+921>)
0048| 0x7ffff5765b80 --> 0x0
0056| 0x7ffff5765b88 --> 0xc ('\x0c')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00000000005aece7      1311            row[c++] = p;
gdb-peda$
Thread 3 "ddjvu" received signal SIGSEGV, Segmentation fault.
```

Environment:

- version : djvulibre master (ee314b880c926e884be77d53ee459d9850c9c7f0)
- OS: Ubuntu 16.04
- clang version: 11

Credit: 1vanChen of NSFOCUS Security Team

Comment 1 Marek Kašík 2021-04-22 16:49:40 UTC
Created attachment 1774554 [details]
Patch preventing an unsigned short overflow

The issue here is that summation of 2 unsigned shorts is stored in another unsigned short and this overflow for the reproducer.
I've added check for this there.

Comment 2 1vanChen 2021-04-23 01:47:16 UTC
(In reply to Marek Kašík from comment #1)
> Created attachment 1774554 [details]
> Patch preventing an unsigned short overflow
> 
> The issue here is that summation of 2 unsigned shorts is stored in another
> unsigned short and this overflow for the reproducer.
> I've added check for this there.

This patch looks great! I cannot reproduce this bug after applying this patch.

Comment 3 Ben Cotton 2021-11-04 14:03:00 UTC
This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Ben Cotton 2021-11-04 14:32:12 UTC
This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Ben Cotton 2021-11-04 15:29:55 UTC
This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Marek Kašík 2021-11-25 15:19:28 UTC
This has been fixed quite some time ago (since Fedora 32).


Note You need to log in before you can comment on or make changes to this bug.