Description of problem:
I tried to add a comment to quote how much my cow mooes to its picture. Unfortunately that was too big for wrjpgcom's buffer.

$ wrjpgcom -comment $(perl -e 'print "\"m",('o' x 70000),"\""') cow.jpeg >moocow.jpeg
*** buffer overflow detected ***: wrjpgcom terminated

The problem is that when I pass "moo...o" quoted, the following code gets executed:

449 /* If the comment text starts with '"', then we are probably running
450  * under MS-DOG and must parse out the quoted string ourselves. Sigh.
451  */
452 if (comment_arg[0] == '"') {
453   comment_arg = (char *) malloc((size_t) MAX_COM_LENGTH);
454   if (comment_arg == NULL)
455     ERREXIT("Insufficient memory");
456   strcpy(comment_arg, argv[argn]+1);
457   for (;;) {
458     comment_length = (unsigned int) strlen(comment_arg);
459     if (comment_length > 0 && comment_arg[comment_length-1] == '"') {
460       comment_arg[comment_length-1] = '\0'; /* zap terminating quote */
461       break;
462     }
463     if (++argn >= argc)
464       ERREXIT("Missing ending quote mark");
465     strcat(comment_arg, " ");
466     strcat(comment_arg, argv[argn]);
467   }
468 }

As comment_arg is allocated at 453 as a statically sized buffer, it might be overflowed on line 456 with strcpy. In case my operating system limits the size of a command line argument, fine, I can overflow it with the following arguments on lines 465 and 466. I'd be glad to have a quotation of my cow stored with quotes, so I assume the best way would be to remove that MS-DOS specific code.

Version-Release number of selected component (if applicable):
At least RHEL-5 and FC-6.

How reproducible:
Always.

Steps to Reproduce:
See the command in the description.

Actual results:
In FORTIFY_SOURCE compiled releases this gets caught by libc. Otherwise it causes a memory corruption and will likely result in receiving a SIGSEGV signal.
Expected results:
Tell the world how my cow moooooooes :(

Additional info:
This has no security implications, as it would need a victim to voluntarily interact with the attack mechanism and all he would get would be to execute commands as himself.
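For reference, here is how the quoted-argument join in the report can be written with a bounds check instead of unchecked strcpy/strcat. This is an added example written for this bug, not libjpeg's code or the attached patch: the function name parse_quoted_comment, its out/cap parameters and the -1 return convention are assumptions. It keeps the original loop's behaviour (leading '"' skipped, arguments joined with spaces until one ends in '"', trailing quote zapped) but refuses, rather than overflows, when the joined text plus its terminating NUL would not fit in cap bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same cap as the original wrjpgcom buffer (value taken from the report's
 * malloc((size_t) MAX_COM_LENGTH); the numeric value is wrjpgcom's own). */
#define MAX_COM_LENGTH 65000L

/* Hypothetical bounded rewrite of the MS-DOS quoted-comment parsing.
 * argv[argn] must start with '"'. Pieces are joined with single spaces until
 * a piece ends with '"'. Returns the length of the comment written to out
 * (without the closing quote), or -1 if the closing quote is missing or the
 * text (including the quote and the NUL) would exceed cap bytes. */
int parse_quoted_comment(int argc, char **argv, int argn, char *out, size_t cap)
{
    size_t used = 0;
    const char *piece = argv[argn] + 1;   /* skip the leading '"' */

    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (;;) {
        size_t len = strlen(piece);
        /* Check before copying: used + len + 1 (NUL) must fit in cap. */
        if (len >= cap - used)
            return -1;
        memcpy(out + used, piece, len + 1);
        used += len;
        if (used > 0 && out[used - 1] == '"') {
            out[used - 1] = '\0';          /* zap terminating quote */
            return (int)(used - 1);
        }
        if (++argn >= argc)
            return -1;                     /* missing ending quote mark */
        /* Separator between pieces, also bounds-checked. */
        if (1 >= cap - used)
            return -1;
        out[used++] = ' ';
        out[used] = '\0';
        piece = argv[argn];
    }
}

int main(void)
{
    /* Constructed input in the spirit of the report: one quoted argument of
     * 70000 o's, far longer than MAX_COM_LENGTH. The bounded parser rejects
     * it with -1 instead of writing past the buffer. */
    size_t n = 70000;
    char *big = malloc(n + 3);
    char *out = malloc(MAX_COM_LENGTH);
    char *args[1];

    if (big == NULL || out == NULL)
        return 1;
    big[0] = '"';
    memset(big + 1, 'o', n);
    big[n + 1] = '"';
    big[n + 2] = '\0';
    args[0] = big;
    printf("70000 o's -> %d\n", parse_quoted_comment(1, args, 0, out, MAX_COM_LENGTH));

    free(big);
    free(out);
    return 0;
}
```

The caller keeps responsibility for reporting the -1 (the original uses ERREXIT for the missing-quote case); the point is that every write into out is preceded by a check against the remaining capacity, so neither an oversized single argument nor a long run of follow-up arguments can go past the buffer.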
Created attachment 147210
Patch that fixes buffer overflow in libjpeg's wrjpgcom during excessive mooes

I propose that the evil code just gets commented out.
 (__)
 (oo)
/-------\/
/ |     ||
*  ||----||
   ~~    ~~

See how my cow is with the patch :)

I found the way you apply patches in the SPEC file weird:

Patch0: libjpeg-6b-arm.patch
Patch1: jpeg-c++.patch
Patch2: libjpeg-shared.patch
Patch3: libjpeg-rpath.patch
Patch4: libjpeg-cflags.patch

and then

%patch0 -p1 -b .arm
%patch1 -p1 -b .c++
%patch2 -p1 -b .ppcshared
%patch3 -p1 -b .cflags

Maybe that's okay, but if it is, it's not obvious. The cflags patch doesn't get applied and files patched by the rpath one get renamed to .cflags.

Ah, and please clone a bug for RHEL-5 and eventually older RHELs provided they are affected. Thanks a lot!
- See how my cow is with the patch :)
+ See how *happy* my cow is with the patch :)

Pardon me. It's Friday...
Done in libjpeg-6b-38. Thanks for the report!
libjpeg-6b-38.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
libjpeg-6b-38.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.