global-buffer-overflow in function jfif_encode at jfif.c:708 #44

Closed
cemonatk opened this issue Jun 23, 2021 · 4 comments

Comments

@cemonatk

Describe
A global-buffer-overflow was discovered in ffjpeg. The issue is triggered in function jfif_encode at jfif.c:708.

Found by Cem Onat Karagun of Diesec

System info
OS version : Ubuntu 21.04
ffjpeg Version : master(0fa4cf8a86)

Reproduce

Compile ffjpeg with address sanitizer.

CCFLAGS = -Wall -g -fsanitize=address 

PoC file:
encode_poc1.zip

Run with the following command.

$ ffjpeg -e encode_poc1

ASan output:

=================================================================
==3406031==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000231972 at pc 0x0000002cbc07 bp 0x7ffcef6304f0 sp 0x7ffcef62fcb8
READ of size 272 at 0x000000231972 thread T0
    #0 0x2cbc06 in __asan_memcpy (/REDACTED/ffjpeg/src/ffjpeg+0x2cbc06)
    #1 0x30f33b in jfif_encode /src/src/jfif.c:708:5
    #2 0x3029f2 in main /src/src/ffjpeg.c:30:16
    #3 0x7fdfb0d3b564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #4 0x2515fd in _start (/REDACTED/ffjpeg/src/ffjpeg+0x2515fd)

0x000000231972 is located 46 bytes to the left of global variable 'STD_HUFTAB_LUMIN_DC' defined in 'huffman.c:398:12' (0x2319a0) of size 28
0x000000231972 is located 0 bytes to the right of global variable 'STD_HUFTAB_LUMIN_AC' defined in 'huffman.c:382:12' (0x2318c0) of size 178
SUMMARY: AddressSanitizer: global-buffer-overflow (/REDACTED/ffjpeg/src/ffjpeg+0x2cbc06) in __asan_memcpy
Shadow bytes around the buggy address:
  0x00008003e2d0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x00008003e2e0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 01 f9 f9
  0x00008003e2f0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 00 00 00
  0x00008003e300: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
  0x00008003e310: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008003e320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]f9
  0x00008003e330: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 00
  0x00008003e340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008003e350: 00 00 02 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
  0x00008003e360: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008003e370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3406031==ABORTING
jfif.c:708:

    memcpy(jfif->phcac[0]->huftab, STD_HUFTAB_LUMIN_AC, MAX_HUFFMAN_CODE_LEN + 256);
@albertofwb

I reproduced your situation on my ubuntu 20.04 machine.

albert @ albert-TM1701 in ~/GitRepos/c/ffjpeg on git:0fa4cf8 x [3:17:07]
$ ./src/ffjpeg -e encode_poc1
=================================================================
==263835==ERROR: AddressSanitizer: requested allocation size 0xeb06213d11f6dbc0 (0xeb06213d11f6ebc0 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x7fb35c91dbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x5620722fbbf4 in bmp_load /home/albert/GitRepos/c/ffjpeg/src/bmp.c:48
#2 0x5620722fb733 in main (/home/albert/GitRepos/c/ffjpeg/src/ffjpeg+0x2733)
#3 0x7fb35c6450b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

==263835==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8) in malloc
==263835==ABORTING

I downloaded and extracted encode_poc1; the file command shows it is a JPEG file.
After ln -s encode_poc1 encode_poc1.jpg, xdg-open cannot load the image and "Eye of MATE 1.24.0" shows

Error interpreting JPEG image File (Unsupported marker type 0x30)

I guess your PoC file is not encoded as JPEG correctly.

@rockcarry
Owner

> I reproduced your situation on my ubuntu 20.04 machine.
>
> albert @ albert-TM1701 in ~/GitRepos/c/ffjpeg on git:0fa4cf8 x [3:17:07]
> $ ./src/ffjpeg -e encode_poc1
>
> ==263835==ERROR: AddressSanitizer: requested allocation size 0xeb06213d11f6dbc0 (0xeb06213d11f6ebc0 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
> #0 0x7fb35c91dbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
> #1 0x5620722fbbf4 in bmp_load /home/albert/GitRepos/c/ffjpeg/src/bmp.c:48
> #2 0x5620722fb733 in main (/home/albert/GitRepos/c/ffjpeg/src/ffjpeg+0x2733)
> #3 0x7fb35c6450b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
>
> ==263835==HINT: if you don't care about these errors you may set allocator_may_return_null=1
> SUMMARY: AddressSanitizer: allocation-size-too-big (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8) in malloc
> ==263835==ABORTING
>
> I downloaded and extracted encode_poc1; the file command shows it is a JPEG file.
> After ln -s encode_poc1 encode_poc1.jpg, xdg-open cannot load the image and "Eye of MATE 1.24.0" shows
>
> Error interpreting JPEG image File (Unsupported marker type 0x30)
>
> I guess your PoC file is not encoded as JPEG correctly.

It's not a problem with his PoC file.
He is using some test-case PoC files to test and find whether there are bugs in ffjpeg,
so we need to fix the issue no matter what the PoC file is.

@cemonatk
Author

Hello, yes, @rockcarry is right. Are there any updates on this one and on issue #43?

@Marsman1996
Contributor

Marsman1996 commented Dec 1, 2021

The reproduce command should be ASAN_OPTIONS="allocator_may_return_null=1" ./src/ffjpeg -e encode_poc1,
otherwise we get the allocation-size-too-big error.

This issue is the same as #25 (assigned CVE-2020-23705); they are both caused by the oversized memcpy
(i.e. the length of STD_HUFTAB_LUMIN_AC is 178 and the length of STD_HUFTAB_LUMIN_DC is 28, but ffjpeg copies 272 bytes from them).

And I created PR #45 to fix them.
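The root cause described in the comment above, shown as an added example that is not ffjpeg's code and not the patch in PR #45: a fixed 272-byte memcpy in the shape of the one at jfif.c:708, next to a bounded load that copies only what the table holds. It assumes MAX_HUFFMAN_CODE_LEN is 16 (16 + 256 = 272, the READ size in the ASan report) and that a standard Huffman table is 16 code-length counts followed by its symbols, which gives the 178 (16 + 162) and 28 (16 + 12) byte sizes ASan printed for the two tables. The count bytes are the standard luminance ones; the symbol bytes are constructed filler so the program is self-contained.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HUFFMAN_CODE_LEN 16                   /* assumed: 16 + 256 = 272, ASan's READ size */
#define HUFTAB_SIZE (MAX_HUFFMAN_CODE_LEN + 256)  /* destination size and the fixed copy length */
#define LUMIN_AC_LEN 178                          /* size ASan printed for STD_HUFTAB_LUMIN_AC */
#define LUMIN_DC_LEN 28                           /* size ASan printed for STD_HUFTAB_LUMIN_DC */

typedef struct {
    uint8_t huftab[HUFTAB_SIZE];
} huffman_codec_t;

/* Constructed stand-ins for the two tables: 16 code-length counts followed by
 * the symbol list. The counts are the standard luminance ones (they sum to
 * 162 and 12); the symbol bytes are filled with 0,1,2,... as filler. */
static uint8_t g_std_ac[LUMIN_AC_LEN];
static uint8_t g_std_dc[LUMIN_DC_LEN];

static int build_sample_tables(void) {
    static const uint8_t ac_counts[MAX_HUFFMAN_CODE_LEN] =
        {0, 2, 1, 3, 3, 2, 4, 3, 5, 5, 4, 4, 0, 0, 1, 125};
    static const uint8_t dc_counts[MAX_HUFFMAN_CODE_LEN] =
        {0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0};
    memcpy(g_std_ac, ac_counts, MAX_HUFFMAN_CODE_LEN);
    for (int i = 0; i < LUMIN_AC_LEN - MAX_HUFFMAN_CODE_LEN; i++)
        g_std_ac[MAX_HUFFMAN_CODE_LEN + i] = (uint8_t)i;
    memcpy(g_std_dc, dc_counts, MAX_HUFFMAN_CODE_LEN);
    for (int i = 0; i < LUMIN_DC_LEN - MAX_HUFFMAN_CODE_LEN; i++)
        g_std_dc[MAX_HUFFMAN_CODE_LEN + i] = (uint8_t)i;
    return 1;
}

/* Bytes a table actually occupies: the 16 counts plus the sum of the counts. */
static size_t huftab_len(const uint8_t *tab) {
    size_t n = MAX_HUFFMAN_CODE_LEN;
    for (int i = 0; i < MAX_HUFFMAN_CODE_LEN; i++)
        n += tab[i];
    return n;
}

/* How far a fixed 272-byte memcpy reads past the end of this table. */
static long over_read_bytes(const uint8_t *tab) {
    return (long)HUFTAB_SIZE - (long)huftab_len(tab);
}

/* The shape of the copy at jfif.c:708: a fixed-size copy that ignores how long
 * the source table is. Shown for the pattern only; never call it on a real
 * 178- or 28-byte table, that is exactly the over-read ASan reported. */
static void load_huftab_unbounded(huffman_codec_t *c, const uint8_t *tab) {
    memcpy(c->huftab, tab, HUFTAB_SIZE);
}

/* Bounded alternative: copy only the bytes the table holds, reject a table
 * whose counts claim more than the caller's buffer provides, zero the rest. */
static int load_huftab_bounded(huffman_codec_t *c, const uint8_t *tab, size_t tab_size) {
    if (tab_size < MAX_HUFFMAN_CODE_LEN)
        return -1;                           /* not even the count bytes are present */
    size_t n = huftab_len(tab);
    if (n > tab_size || n > HUFTAB_SIZE)
        return -1;                           /* truncated or malformed table */
    memcpy(c->huftab, tab, n);
    memset(c->huftab + n, 0, HUFTAB_SIZE - n);
    return 0;
}

/* Loads with the bounded routine; returns bytes copied, -1 if rejected,
 * -2 if the tail of the destination was not zeroed. */
static long bounded_load_check(const uint8_t *tab, size_t tab_size) {
    huffman_codec_t c;
    if (load_huftab_bounded(&c, tab, tab_size) != 0)
        return -1;
    size_t n = huftab_len(tab);
    for (size_t i = n; i < HUFTAB_SIZE; i++)
        if (c.huftab[i] != 0)
            return -2;
    return (long)n;
}

int main(void) {
    build_sample_tables();
    printf("AC table: %zu bytes, fixed copy over-reads by %ld\n",
           huftab_len(g_std_ac), over_read_bytes(g_std_ac));
    printf("DC table: %zu bytes, fixed copy over-reads by %ld\n",
           huftab_len(g_std_dc), over_read_bytes(g_std_dc));
    printf("bounded load of AC table copied %ld bytes\n",
           bounded_load_check(g_std_ac, sizeof g_std_ac));
    printf("bounded load of AC table truncated to 100 bytes: %ld\n",
           bounded_load_check(g_std_ac, 100));
    (void)load_huftab_unbounded;  /* referenced so the pattern stays visible; not run */
    return 0;
}
```

The 94-byte over-read on the AC table matches the report: the first byte past STD_HUFTAB_LUMIN_AC (0x2318c0 + 178 = 0x231972) is the address ASan flagged, and 0x2319a0 - 0x231972 = 46 is why it also describes that byte as 46 bytes left of STD_HUFTAB_LUMIN_DC.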

rockcarry added a commit that referenced this issue Dec 1, 2021
@cemonatk cemonatk closed this as completed Dec 7, 2021