Bug 226965 - Buffer overflow in libjpeg's wrjpgcom
Summary: Buffer overflow in libjpeg's wrjpgcom
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libjpeg
Version: 6
Hardware: All
OS: All
low
low
Target Milestone: ---
Assignee: Tom Lane
QA Contact:
URL: http://www.missoulian.com/specials/be...
Whiteboard: impact=none
Depends On:
Blocks:
Reported: 2007-02-02 11:00 UTC by Lubomir Kundrak
Modified: 2013-07-03 03:12 UTC (History)

Fixed In Version: 6b-38.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-07-11 15:23:38 UTC
Type: ---
Embargoed:


Attachments
Patch that fixes buffer overflow in libjpeg's wrjpgcom during excessive mooes (846 bytes, patch)
2007-02-02 11:05 UTC, Lubomir Kundrak

Description Lubomir Kundrak 2007-02-02 11:00:23 UTC
Description of problem:

I tried to add a comment to quote how much my cow mooes to its picture.
Unfortunately that was too big for wrjpgcom's buffer.

$ wrjpgcom -comment $(perl -e 'print "\"m",('o' x 70000),"\""') cow.jpeg >moocow.jpeg
*** buffer overflow detected ***: wrjpgcom terminated

The problem is that when I pass "moo...o" quoted, the following code
gets executed:

449       /* If the comment text starts with '"', then we are probably running
450        * under MS-DOG and must parse out the quoted string ourselves.  Sigh.
451        */
452       if (comment_arg[0] == '"') {
453         comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
454         if (comment_arg == NULL)
455           ERREXIT("Insufficient memory");
456         strcpy(comment_arg, argv[argn]+1);
457         for (;;) {
458           comment_length = (unsigned int) strlen(comment_arg);
459           if (comment_length > 0 && comment_arg[comment_length-1] == '"') {
460             comment_arg[comment_length-1] = '\0'; /* zap terminating quote */
461             break;
462           }
463           if (++argn >= argc)
464             ERREXIT("Missing ending quote mark");
465           strcat(comment_arg, " ");
466           strcat(comment_arg, argv[argn]);
467         }
468       }

As comment_arg is allocated at 453 as a statically sized buffer, it might
be overflowed on line 456 with strcpy. In case my operating system limits
the size of a command line argument, fine, I can overflow it with the following
arguments on lines 465 and 466.

I'd be glad to have a quotation of my cow stored with quotes, so I assume
the best way would be to remove that MS-DOS specific code.

Version-Release number of selected component (if applicable):

At least RHEL-5 and FC-6.

How reproducible:

Always.

Steps to Reproduce:

See the command in the description.

Actual results:

In FORTIFY_SOURCE compiled releases this gets caught by libc.
Otherwise it causes a memory corruption and will likely result in
receiving a SIGSEGV signal.

Expected results:

Tell the world how my cow moooooooes :(

Additional info:

This has no security implications, as it would need a victim to
voluntarily interact with the attack mechanism and all he would get
would be to execute commands as himself.
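The fixed-size allocation plus unchecked strcpy/strcat described above is the whole defect. As an added example, not the libjpeg code and not the attached patch (which removes the quote-parsing block outright), the following C reimplements the same loop with a length check on every append, so an over-long or unterminated comment is reported as an error instead of being written past the end of the buffer. The function and enum names and the MAX_COM_LENGTH value are assumptions made for this example.

```c
/* Added example (not the libjpeg code or the reporter's patch): a bounds-checked
 * version of the quoted-comment assembly quoted in the description. It keeps the
 * original loop structure (join following argv words until one ends in '"') but
 * refuses to write past a caller-supplied buffer size instead of calling
 * strcpy/strcat into a MAX_COM_LENGTH allocation.
 * collect_quoted_comment, append_bounded, comment_status and the MAX_COM_LENGTH
 * value are assumptions; wrjpgcom.c defines its own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COM_LENGTH 65000u   /* assumed value for the example */

enum comment_status {
    COMMENT_OK = 0,
    COMMENT_TOO_LONG,      /* appending would overflow the destination buffer */
    COMMENT_MISSING_QUOTE  /* ran out of argv words without a closing quote */
};

/* Append src to dst (which already holds *used bytes) only if it fits,
 * always leaving room for the terminating NUL. Returns 0 if it does not fit. */
static int append_bounded(char *dst, size_t cap, size_t *used, const char *src)
{
    size_t n = strlen(src);
    if (n > cap - 1 - *used)
        return 0;
    memcpy(dst + *used, src, n + 1);   /* n+1 copies the NUL as well */
    *used += n;
    return 1;
}

/* Parse argv[*argn] (which starts with '"') plus any following words up to the
 * word ending in '"' into dst[cap]. On success *argn points at the last word
 * consumed, exactly as the original loop leaves it. */
enum comment_status collect_quoted_comment(int argc, char **argv, int *argn,
                                           char *dst, size_t cap)
{
    size_t used = 0;
    if (cap == 0)
        return COMMENT_TOO_LONG;
    dst[0] = '\0';
    /* argv[*argn] + 1 skips the opening quote, as the original strcpy does */
    if (!append_bounded(dst, cap, &used, argv[*argn] + 1))
        return COMMENT_TOO_LONG;
    for (;;) {
        if (used > 0 && dst[used - 1] == '"') {
            dst[used - 1] = '\0';   /* zap terminating quote */
            return COMMENT_OK;
        }
        if (++*argn >= argc)
            return COMMENT_MISSING_QUOTE;
        if (!append_bounded(dst, cap, &used, " ") ||
            !append_bounded(dst, cap, &used, argv[*argn]))
            return COMMENT_TOO_LONG;
    }
}

/* Stand-alone demo: replays the reporter's input ("m" followed by 70000 'o'
 * and a closing quote, constructed here) and shows it being rejected. */
int main(void)
{
    static char comment[MAX_COM_LENGTH];
    size_t n = 70000;
    char *arg = malloc(n + 4);
    if (arg == NULL)
        return 1;
    arg[0] = '"';
    arg[1] = 'm';
    memset(arg + 2, 'o', n);
    arg[n + 2] = '"';
    arg[n + 3] = '\0';
    char *argv[] = { arg };
    int argn = 0;
    enum comment_status st =
        collect_quoted_comment(1, argv, &argn, comment, sizeof comment);
    printf("status=%d (%s)\n", (int) st,
           st == COMMENT_TOO_LONG ? "rejected, too long" : "accepted");
    free(arg);
    return 0;
}
```

The caller decides what a rejected comment means (wrjpgcom would presumably ERREXIT); the point is that the decision is made before any byte is written, and the unterminated-quote case that the original already handled is kept as a distinct status.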

Comment 1 Lubomir Kundrak 2007-02-02 11:05:04 UTC
Created attachment 147210
Patch that fixes buffer overflow in libjpeg's wrjpgcom during excessive mooes

I propose that the evil code just gets commented out.

Comment 2 Lubomir Kundrak 2007-02-02 11:10:06 UTC
         (__)
         (oo)
  /-------\/
 / |     ||
*  ||----||
   ~~    ~~

See how my cow is with the patch :)
I found the way you apply patches in the SPEC file weird:

Patch0: libjpeg-6b-arm.patch
Patch1: jpeg-c++.patch
Patch2: libjpeg-shared.patch
Patch3: libjpeg-rpath.patch
Patch4: libjpeg-cflags.patch

and then

%patch0 -p1 -b .arm
%patch1 -p1 -b .c++
%patch2 -p1 -b .ppcshared
%patch3 -p1 -b .cflags

Maybe that's okay, but if it is, it's not obvious.
The cflags patch doesn't get applied and files patched by the rpath one
get renamed to .cflags. Ah, and please clone a bug for RHEL-5 and
eventually older RHELs provided they are affected. Thanks a lot!

Comment 3 Lubomir Kundrak 2007-02-02 11:12:27 UTC
- See how my cow is with the patch :)
+ See how *happy* my cow is with the patch :)

Pardon me. It's Friday...

Comment 4 Tom Lane 2007-06-26 03:45:07 UTC
Done in libjpeg-6b-38.  Thanks for the report!

Comment 5 Fedora Update System 2007-06-27 03:51:30 UTC
libjpeg-6b-38.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2007-07-11 15:23:15 UTC
libjpeg-6b-38.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
