Closed
Description
Hi jhead Team
I found an overflow error.
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
jhead version 3.06 commit be7e43c
file:
jhead_poc.zip
Verification steps:
1.Get the source code of jhead
Edit file makefile
OBJ=obj
SRC=.
CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) -fsanitize=address
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) -fsanitize=address
2.Compile the jhead
$ make
3.run jhead
$ ./jhead -autorot jhead_poc
asan info
onfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 23000004
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal value pointer for tag 9204 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegally sized Exif makernote subdir (44288 entries)
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 30003
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 4a003
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 5a20e
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 5a28d
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal number format 512 for tag 0438 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 10003
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 10007
Nonfatal Error : 'out_jpgs/default/crashes/poc' Extraneous 593 padding bytes before section E1
Nonfatal Error : 'out_jpgs/default/crashes/poc' Undefined rotation value 65281 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 464946
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 11e1ff00
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 2a004d
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal number format 15 for tag 010a in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal number format 16 for tag 0186 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal number format 18 for tag 0198 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal subdirectory link in Exif header
Nonfatal Error : 'out_jpgs/default/crashes/poc' Extraneous 10 padding bytes before section DD
=================================================================
==409516==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000006b2 at pc 0x00000031c8b8 bp 0x7ffc86175450 sp 0x7ffc86175448
WRITE of size 1 at 0x61a0000006b2 thread T0
#0 0x31c8b7 in Put16u exif.c
#1 0x31c8b7 in ClearOrientation exif.c:1248:17
#2 0x31c8b7 in DoAutoRotate jhead.c:729:20
#3 0x31c8b7 in ProcessFile jhead.c:879:17
#4 0x31c8b7 in main jhead.c:1770:13
#5 0x7f84881c90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x260eed in _start (/home/hh/Downloads/jhead/jhead+0x260eed)
0x61a0000006b2 is located 50 bytes inside of 1164-byte region [0x61a000000680,0x61a000000b0c)
freed by thread T0 here:
#0 0x2dca72 in free /home/hh/Downloads/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
#1 0x3237f4 in DiscardAllButExif jpgfile.c:540:13
previously allocated by thread T0 here:
#0 0x2dccdd in malloc /home/hh/Downloads/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x320538 in ReadJpegSections jpgfile.c:175:25
#2 0x32256b in ReadJpegFile jpgfile.c:381:11
SUMMARY: AddressSanitizer: heap-use-after-free exif.c in Put16u
Shadow bytes around the buggy address:
0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff80a0: 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c347fff80d0: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c347fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c347fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c347fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c347fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c347fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==409516==ABORTING
Thanks
Metadata
Metadata
Assignees
Labels
No labels