jhead: heap-buffer-overflow at exif.c:401 in PrintFormatNumber

[Bahgirl]

summary

An segmentation fault caused when using jhead.
AddressSanitizer reports it as heap-buffer-overflow

version

./jhead -V
Jhead version: 3.08

OS and Arch

Ubuntu 20.04.1 LTS

AddressSanitizer report:

==2483510==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000128 at pc 0x561988eb2854 bp 0x7ffec714dd40 sp 0x7ffec714dd30
READ of size 8 at 0x611000000128 thread T0
    #0 0x561988eb2853 in PrintFormatNumber /home/jhead/exif.c:401
    #1 0x561988ed449f in ProcessGpsInfo /home/jhead/gpsinfo.c:215
    #2 0x561988ebe6c1 in ProcessExifDir /home/jhead/exif.c:884
    #3 0x561988ebd9a6 in ProcessExifDir /home/jhead/exif.c:870
    #4 0x561988ebd9a6 in ProcessExifDir /home/jhead/exif.c:870
    #5 0x561988ebd9a6 in ProcessExifDir /home/jhead/exif.c:870
    #6 0x561988ebd9a6 in ProcessExifDir /home/jhead/exif.c:870
    #7 0x561988ec0c6b in process_EXIF /home/jhead/exif.c:1063
    #8 0x561988ea1726 in ReadJpegSections /home/jhead/jpgfile.c:290
    #9 0x561988ea1726 in ReadJpegSections /home/jhead/jpgfile.c:118
    #10 0x561988ea2cc4 in ReadJpegFile /home/jhead/jpgfile.c:385
    #11 0x561988e90c57 in ProcessFile /home/jhead/jhead.c:895
    #12 0x561988e85110 in main /home/jhead/jhead.c:1805
    #13 0x7f0e4215e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #14 0x561988e8a16d in _start (/home/chenying/fuzz_target/jhead/jhead+0x1616d)

0x61100000012e is located 0 bytes to the right of 238-byte region [0x611000000040,0x61100000012e)
allocated by thread T0 here:
    #0 0x7f0e42588808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x561988e9f393 in ReadJpegSections /home/jhead/jpgfile.c:175
    #2 0x561988e9f393 in ReadJpegSections /home/jhead/jpgfile.c:118

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jhead/exif.c:401 in PrintFormatNumber
Shadow bytes around the buggy address:
  0x0c227fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8020: 00 00 00 00 00[06]fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2483510==ABORTING

POC

poc.zip

[Pastea]

Could you share the command that you used to launch jhead and trigger the bug?

[carnil]

CVE-2024-2824 was assigned for this issue AFAICS.

[pgajdos]

@Bahgirl, I could not reproduce, what is the command you are using, please?

[Bahgirl]

@Bahgirl, I could not reproduce, what is the command you are using, please?

Certainly! Please try the following command
./jhead -de -di -purejpg -cs /dev/null -ci /dev/null -cl string -zt -dsft -autorot -norot -cr -ca -ar -v poc

[pgajdos]

Thanks @Bahgirl