
[ Security] heap-buffer-overflow of exif.c in function Put16u #36

Closed
NigelX opened this issue May 20, 2021 · 1 comment


NigelX commented May 20, 2021

Hi jhead team,
I found an overflow error.

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1

jhead version 3.06 commit be7e43c

file:
jhead_poc.zip

Verification steps:
1. Get the source code of jhead

Edit the makefile:

```make
OBJ=obj
SRC=.
CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) -fsanitize=address
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) -fsanitize=address
```

2. Compile jhead

```sh
$ make
```

3. Run jhead

```sh
$ ./jhead -autorot jhead_poc
```

ASan output:

```
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 23000004
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal value pointer for tag 9204 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegally sized Exif makernote subdir (44288 entries)
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 30003
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 4a003
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 5a20e
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 5a28d
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal number format 512 for tag 0438 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 10003
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 10007
Nonfatal Error : 'out_jpgs/default/crashes/poc' Extraneous 593 padding bytes before section E1
Nonfatal Error : 'out_jpgs/default/crashes/poc' Undefined rotation value 65281 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 464946
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 11e1ff00
Nonfatal Error : 'out_jpgs/default/crashes/poc' Bad components count 2a004d
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal number format 15 for tag 010a in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal number format 16 for tag 0186 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal number format 18 for tag 0198 in Exif
Nonfatal Error : 'out_jpgs/default/crashes/poc' Illegal subdirectory link in Exif header
Nonfatal Error : 'out_jpgs/default/crashes/poc' Extraneous 10 padding bytes before section DD
=================================================================
==409516==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000006b2 at pc 0x00000031c8b8 bp 0x7ffc86175450 sp 0x7ffc86175448
WRITE of size 1 at 0x61a0000006b2 thread T0
    #0 0x31c8b7 in Put16u exif.c
    #1 0x31c8b7 in ClearOrientation exif.c:1248:17
    #2 0x31c8b7 in DoAutoRotate jhead.c:729:20
    #3 0x31c8b7 in ProcessFile jhead.c:879:17
    #4 0x31c8b7 in main jhead.c:1770:13
    #5 0x7f84881c90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x260eed in _start (/home/hh/Downloads/jhead/jhead+0x260eed)

0x61a0000006b2 is located 50 bytes inside of 1164-byte region [0x61a000000680,0x61a000000b0c)
freed by thread T0 here:
    #0 0x2dca72 in free /home/hh/Downloads/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x3237f4 in DiscardAllButExif jpgfile.c:540:13

previously allocated by thread T0 here:
    #0 0x2dccdd in malloc /home/hh/Downloads/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x320538 in ReadJpegSections jpgfile.c:175:25
    #2 0x32256b in ReadJpegFile jpgfile.c:381:11

SUMMARY: AddressSanitizer: heap-use-after-free exif.c in Put16u
```

Thanks
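The trace above shows a stale-pointer pattern: ReadJpegSections allocates a section buffer, DiscardAllButExif frees it, and ClearOrientation then writes through a pointer that still points 50 bytes into the freed region. The following is an added C model of that pattern and of one invalidate-on-free mitigation; it is not jhead's code and not the fix in f0a8842, and the structures, names and flow are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *Data; int Type; } Section;
enum { SEC_EXIF = 0xE1, SEC_OTHER = 0xDD };

typedef struct {
    Section Sections[2]; int SectionsRead;
    unsigned char *OrientationPtr;  /* cached raw pointer into a section buffer */
    int OrientationSection;         /* index of the section it points into */
} JpegState;

/* Constructed input (assumption): a crafted tag makes the cached orientation
   pointer resolve 50 bytes into the non-EXIF 1164-byte section, as in the report. */
static void ReadSections(JpegState *s) {
    memset(s, 0, sizeof *s);
    s->Sections[0].Type = SEC_EXIF;  s->Sections[0].Data = calloc(64, 1);
    s->Sections[1].Type = SEC_OTHER; s->Sections[1].Data = calloc(1164, 1);
    s->SectionsRead = 2;
    s->OrientationPtr = s->Sections[1].Data + 50;
    s->OrientationSection = 1;
}

/* Free every non-EXIF section. Hardened: also drop the cached pointer when
   its backing buffer is freed, so later code cannot write through it. */
static void DiscardAllButExif(JpegState *s, int hardened) {
    for (int i = 0; i < s->SectionsRead; i++) {
        if (s->Sections[i].Type == SEC_EXIF) continue;
        free(s->Sections[i].Data);
        s->Sections[i].Data = NULL;
        if (hardened && s->OrientationSection == i) s->OrientationPtr = NULL;
    }
}

/* Put16u(ptr, 1) modelled as two byte stores (hence ASan's "WRITE of size 1"),
   little-endian assumed. Returns 1 if written, 0 if the pointer was invalidated.
   Unhardened, the store lands in freed memory: the heap-use-after-free above. */
static int ClearOrientation(JpegState *s) {
    if (s->OrientationPtr == NULL) return 0;
    s->OrientationPtr[0] = 1; s->OrientationPtr[1] = 0;
    return 1;
}

/* Whole flow. Call with hardened=1; hardened=0 reproduces the bug pattern. */
static int AutoRotate(int hardened) {
    JpegState s; ReadSections(&s); DiscardAllButExif(&s, hardened);
    int wrote = ClearOrientation(&s);
    free(s.Sections[0].Data);
    return wrote;
}
```

Run with `-fsanitize=address` and `hardened=0` to see the same DiscardAllButExif / Put16u frames ASan reports here; with `hardened=1` the write is refused instead.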

Matthias-Wandel (Owner) commented:

Fixed by f0a8842
