Bug 226965 - Buffer overflow in libjpeg's wrjpgcom
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libjpeg
Version: 6
Hardware: All
OS: All
Severity: low
Assigned To: Tom Lane
URL: http://www.missoulian.com/specials/be...
Whiteboard: impact=none
Reported: 2007-02-02 06:00 EST by Lubomir Kundrak
Modified: 2013-07-02 23:12 EDT
Fixed In Version: 6b-38.fc7
Doc Type: Bug Fix
Last Closed: 2007-07-11 11:23:38 EDT
Attachments:
Patch that fixes buffer overflow in libjpeg's wrjpgcom during excessive mooes (846 bytes, patch)
2007-02-02 06:05 EST, Lubomir Kundrak

Description Lubomir Kundrak 2007-02-02 06:00:23 EST
Description of problem:

I tried to add a comment to quote how much my cow mooes to its picture.
Unfortunately that was too big for wrjpgcom's buffer.

$ wrjpgcom -comment $(perl -e 'print "\"m",('o' x 70000),"\""') cow.jpeg >moocow.jpeg
*** buffer overflow detected ***: wrjpgcom terminated

The problem is that when I pass "moo...o" quoted, the following code
gets executed:

449       /* If the comment text starts with '"', then we are probably running
450        * under MS-DOG and must parse out the quoted string ourselves.  Sigh.
451        */
452       if (comment_arg[0] == '"') {
453         comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
454         if (comment_arg == NULL)
455           ERREXIT("Insufficient memory");
456         strcpy(comment_arg, argv[argn]+1);
457         for (;;) {
458           comment_length = (unsigned int) strlen(comment_arg);
459           if (comment_length > 0 && comment_arg[comment_length-1] == '"') {
460             comment_arg[comment_length-1] = '\0'; /* zap terminating quote */
461             break;
462           }
463           if (++argn >= argc)
464             ERREXIT("Missing ending quote mark");
465           strcat(comment_arg, " ");
466           strcat(comment_arg, argv[argn]);
467         }
468       }

As comment_arg is allocated at 453 as a statically sized buffer, it might
be overflowed on line 456 with strcpy. In case my operating system limited
the size of the command line argument, fine, I can overflow it with the
following arguments on lines 465 and 466.

I'd be glad to have a quotation of my cow stored with quotes, so I assume
the best way would be to remove that MS-DOS specific code.

Version-Release number of selected component (if applicable):

At least RHEL-5 and FC-6.

How reproducible:

Always.

Steps to Reproduce:

See the command in the description.

Actual results:

In FORTIFY_SOURCE compiled releases this gets caught by libc.
Otherwise it causes a memory corruption and will likely result in
receiving a SIGSEGV signal.

Expected results:

Tell the world how my cow moooooooes :(

Additional info:

This has no security implications, as it would need a victim to
voluntarily interact with the attack mechanism and all he would get
would be to execute commands as himself.
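The report above points at a fixed-size buffer (malloc'd with MAX_COM_LENGTH at line 453) that is then filled with strcpy and strcat without any length check against that size. The attached patch simply removes the MS-DOS quote-parsing branch; as an added illustration for readers who want to keep the behaviour, the following is a bounds-checked rewrite of that same loop. This is example code written for this page, not libjpeg's code and not the attached patch; the names (parse_quoted_comment, append_bounded, COM_LIMIT, the demo_* functions) and the small COM_LIMIT value are this example's own assumptions, chosen so the overlong case is easy to exercise, and the argv arrays in the demo functions are constructed inputs.

```c
/* Added example (not libjpeg's code or the attached patch): the MS-DOS
 * quoted-comment reassembly from wrjpgcom, rewritten so that it can never
 * write past the destination buffer. Semantics are kept: strip the leading
 * '"', join the following argv words with single spaces until a word ends
 * in '"', then strip that trailing quote. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity for this example. The real tool uses MAX_COM_LENGTH. */
#define COM_LIMIT 64

enum com_status { COM_OK = 0, COM_TOO_LONG = 1, COM_MISSING_QUOTE = 2 };

/* Append src to the NUL-terminated string in dst without exceeding cap
 * bytes in total (terminating NUL included). Returns 0 on success, -1 if
 * the result would not fit; dst is left unchanged on failure. */
static int append_bounded(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);          /* used < cap since dst is terminated */
    size_t add = strlen(src);
    if (add >= cap - used)              /* need add bytes plus the NUL */
        return -1;
    memcpy(dst + used, src, add + 1);
    return 0;
}

/* Reassemble argv[argn], argv[argn+1], ... into out (capacity cap).
 * argv[argn] is expected to begin with '"'. On COM_OK, *next receives the
 * index of the first argument after the closing quote. */
enum com_status parse_quoted_comment(int argc, char **argv, int argn,
                                     char *out, size_t cap, int *next)
{
    out[0] = '\0';
    if (append_bounded(out, cap, argv[argn] + 1) != 0)   /* was: strcpy */
        return COM_TOO_LONG;
    for (;;) {
        size_t len = strlen(out);
        if (len > 0 && out[len - 1] == '"') {
            out[len - 1] = '\0';        /* zap terminating quote */
            *next = argn + 1;
            return COM_OK;
        }
        if (++argn >= argc)
            return COM_MISSING_QUOTE;   /* was: ERREXIT("Missing ending quote mark") */
        if (append_bounded(out, cap, " ") != 0 ||        /* was: strcat */
            append_bounded(out, cap, argv[argn]) != 0)
            return COM_TOO_LONG;
    }
}

/* Constructed argv: a comment split by the shell into three words. */
static enum com_status run_split(char *out, size_t cap)
{
    char *argv[] = { "wrjpgcom", "-comment", "\"moo", "moo", "moo\"", "cow.jpeg" };
    int next = 0;
    return parse_quoted_comment(6, argv, 2, out, cap, &next);
}

enum com_status demo_split_status(void)
{
    char out[COM_LIMIT];
    return run_split(out, sizeof out);
}

int demo_split_matches(const char *expected)
{
    char out[COM_LIMIT];
    run_split(out, sizeof out);
    return strcmp(out, expected) == 0;
}

/* Constructed overlong argument, the shape of the report's "moo...o" case:
 * a single quoted word longer than the buffer. Must be rejected, not copied. */
enum com_status demo_overlong(void)
{
    char big[COM_LIMIT + 16];
    memset(big, 'o', sizeof big - 1);
    big[0] = '"';
    big[sizeof big - 2] = '"';
    big[sizeof big - 1] = '\0';
    char *argv[] = { "wrjpgcom", "-comment", big, "cow.jpeg" };
    char out[COM_LIMIT];
    int next = 0;
    return parse_quoted_comment(4, argv, 2, out, sizeof out, &next);
}

/* Constructed argv with no closing quote at all. */
enum com_status demo_missing_quote(void)
{
    char *argv[] = { "wrjpgcom", "-comment", "\"moo", "moo" };
    char out[COM_LIMIT];
    int next = 0;
    return parse_quoted_comment(4, argv, 2, out, sizeof out, &next);
}

int main(void)
{
    char out[COM_LIMIT];
    printf("split comment: status=%d text=\"%s\"\n", run_split(out, sizeof out), out);
    printf("overlong: status=%d\n", demo_overlong());
    printf("missing quote: status=%d\n", demo_missing_quote());
    return 0;
}
```

The only functional change from the loop in the report is that every copy goes through append_bounded, which checks the remaining capacity before touching the buffer; the caller decides what to do with COM_TOO_LONG (the original tool would ERREXIT), and the heap buffer is never written past its end regardless of argument length or count.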
Comment 1 Lubomir Kundrak 2007-02-02 06:05:04 EST
Created attachment 147210 [details]
Patch that fixes buffer overflow in libjpeg's wrjpgcom during excessive mooes

I propose that the evil code just gets commented out.
Comment 2 Lubomir Kundrak 2007-02-02 06:10:06 EST
         (__)
         (oo)
  /-------\/
 / |     ||
*  ||----||
   ~~    ~~

See how my cow is with the patch :)
I found the way you apply patches in the SPEC file weird:

Patch0: libjpeg-6b-arm.patch
Patch1: jpeg-c++.patch
Patch2: libjpeg-shared.patch
Patch3: libjpeg-rpath.patch
Patch4: libjpeg-cflags.patch

and then

%patch0 -p1 -b .arm
%patch1 -p1 -b .c++
%patch2 -p1 -b .ppcshared
%patch3 -p1 -b .cflags

Maybe that's okay, but if it is, it's not obvious.
The cflags patch doesn't get applied and files patched by the rpath one
get renamed to .cflags. Ah, and please clone a bug for RHEL-5 and
eventually older RHELs provided they are affected. Thanks a lot!
Comment 3 Lubomir Kundrak 2007-02-02 06:12:27 EST
- See how my cow is with the patch :)
+ See how *happy* my cow is with the patch :)

Pardon me. It's Friday...
Comment 4 Tom Lane 2007-06-25 23:45:07 EDT
Done in libjpeg-6b-38.  Thanks for the report!
Comment 5 Fedora Update System 2007-06-26 23:51:30 EDT
libjpeg-6b-38.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2007-07-11 11:23:15 EDT
libjpeg-6b-38.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.