
Error heap-use-after-free jbig2enc.cc:505 jbig2_add_page(jbig2ctx*, Pix*) #61

Open
EnchantedJohn opened this issue May 17, 2018 · 4 comments

Comments

@EnchantedJohn

Hello, I use my company's tools. I found a crash in jbig2: it is heap-use-after-free jbig2enc.cc:505 jbig2_add_page(jbig2ctx*, Pix*). I think it is due to vector::push_back() when jbig2_add_page() wants to obtain the width of the photo.
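The sanitizer report later in this thread shows the general shape of the bug: one holder releases a Pix through pixDestroy, and jbig2_add_page then reads a field of that same object. The program below is an added illustration of that ownership pattern and its fix, not jbig2enc's or leptonica's code; MockPix, MockCtx and all function names are constructed stand-ins, and nothing here claims where in jbig2enc the reference is lost. It contrasts storing a borrowed raw pointer with taking a reference (the refcount that leptonica's own log lines print), and it decides "would this dangle" from the refcount before any release so that no freed memory is ever read.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a refcounted image object; not the real Pix layout. */
typedef struct {
    int w, h, d;    /* width, height, depth, as in "496 x 631 (32 bits)" in the log */
    int refcount;   /* number of owners; freed when it drops to zero */
} MockPix;

static MockPix *mock_pix_create(int w, int h, int d) {
    MockPix *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->w = w; p->h = h; p->d = d; p->refcount = 1;
    return p;
}

/* Share ownership: a second holder bumps the count instead of copying the pointer. */
static MockPix *mock_pix_clone(MockPix *p) {
    if (p) p->refcount++;
    return p;
}

/* Release one reference; free at zero; always null the caller's handle so a
 * repeated destroy through the same variable is a no-op, not a double free. */
static void mock_pix_destroy(MockPix **pp) {
    if (!pp || !*pp) return;
    if (--(*pp)->refcount <= 0) free(*pp);
    *pp = NULL;
}

/* Encoder context keeping per-page pointers (the role a std::vector would play). */
typedef struct { MockPix **pages; int n; int cap; } MockCtx;

static int ctx_push(MockCtx *c, MockPix *p) {
    if (c->n == c->cap) {
        int ncap = c->cap ? c->cap * 2 : 4;
        MockPix **np = realloc(c->pages, (size_t)ncap * sizeof *np);
        if (!np) return -1;
        c->pages = np; c->cap = ncap;
    }
    c->pages[c->n++] = p;
    return 0;
}

/* Defective pattern: stores the raw pointer without taking a reference, so the
 * caller's later destroy frees the object while the context still points at it. */
static int ctx_add_page_borrowed(MockCtx *c, MockPix *p) { return ctx_push(c, p); }

/* Corrected pattern: the context takes its own reference. */
static int ctx_add_page_owned(MockCtx *c, MockPix *p) { return ctx_push(c, mock_pix_clone(p)); }

/* The read that the report shows faulting: width of a stored page. */
static int ctx_page_width(const MockCtx *c, int i) {
    return (i >= 0 && i < c->n && c->pages[i]) ? c->pages[i]->w : -1;
}

static void ctx_free(MockCtx *c) {
    for (int i = 0; i < c->n; i++) mock_pix_destroy(&c->pages[i]);
    free(c->pages);
    c->pages = NULL; c->n = c->cap = 0;
}

/* Returns 1 if releasing the caller's handle would leave the context's entry
 * dangling. Decided from the refcount BEFORE the release; nothing freed is read. */
static int would_dangle_after_caller_release(int take_reference) {
    MockCtx ctx = {0};
    MockPix *pix = mock_pix_create(496, 631, 32);
    if (take_reference) ctx_add_page_owned(&ctx, pix);
    else                ctx_add_page_borrowed(&ctx, pix);
    int dangles = (pix->refcount == 1);   /* single owner: caller's destroy frees it */
    if (dangles) {
        free(ctx.pages);                  /* drop the pointer table without touching the Pix */
        mock_pix_destroy(&pix);           /* the only release; no second owner exists */
    } else {
        mock_pix_destroy(&pix);           /* refcount 2 -> 1; object stays alive */
        ctx_free(&ctx);                   /* refcount 1 -> 0; freed exactly once */
    }
    return dangles;
}

/* Safe workflow end to end: the width is still readable after the caller has
 * released (and even re-released) its handle. */
static int safe_width_after_release(void) {
    MockCtx ctx = {0};
    MockPix *pix = mock_pix_create(496, 631, 32);
    ctx_add_page_owned(&ctx, pix);
    mock_pix_destroy(&pix);            /* caller is done; pix is now NULL */
    mock_pix_destroy(&pix);            /* harmless: handle already nulled */
    int w = ctx_page_width(&ctx, 0);   /* 496: the context owns the object */
    ctx_free(&ctx);
    return w;
}

int main(void) {
    printf("borrowed pointer would dangle: %d\n", would_dangle_after_caller_release(0));
    printf("owned pointer would dangle:    %d\n", would_dangle_after_caller_release(1));
    printf("width after caller release:    %d\n", safe_width_after_release());
    return 0;
}
```

Under AddressSanitizer, the borrowed variant turns into exactly the report shape (a READ inside the width lookup of a region freed by the destroy routine) as soon as the caller's release precedes the read; the owned variant keeps the object alive until the last holder lets go, and nulling the handle inside the destroy routine removes the double-free the gdb backtrace shows.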

@EnchantedJohn
Author

I want to show the error information about it.

Processing "/home/lx/DIVE/Trunk/bin/hfl/output/273E61156F59697C7F192C3D6B287D1E54CB82/hfl-crash-1-{rva_0x129AA5}{code_0xB}{access_0x7fe898453014}{liblept.so.5}heapoverflow[returnaddr=liblept.so.5.0x1298DF, addr=0x00007fe89844ffc0,0x40]"...
Corrupt JPEG data: 1760 extraneous bytes before marker 0xd2
Warning in pixReadStreamJpeg: 7 warning(s) of bad data
source image: 496 x 631 (32 bits) 100dpi x 100dpi, refcount = 1
thresholded image: 496 x 631 (1 bits) 100dpi x 100dpi, refcount = 1
mask image:  496 x 624 (1 bits) 112dpi x 112dpi, refcount = 1
pixel count of graphics image: 248048
pixel count of binary image: 60
binary mask image: 496 x 624 (32 bits) 112dpi x 112dpi, refcount = 1
graphics image: 496 x 631 (32 bits) 100dpi x 100dpi, refcount = 2
segmented binary text image: NULL pointer!
segmented graphics image: 496 x 624 (32 bits) 112dpi x 112dpi, refcount = 1
graphics image: 496 x 624 (32 bits) 112dpi x 112dpi, refcount = 1
Error in pixCreateHeader: requested w = 1518338049, h = 631, d = 1
Error in pixCreateHeader: requested bytes >= 2^31
Error in pixCreateNoInit: pixd not made
Error in pixCreateTemplateNoInit: pixd not made
Error in pixCreateTemplate: pixd not made
Error in pixCopy: pixd not made
Error in pixCreateHeader: requested w = 1518338049, h = 631, d = 1
Error in pixCreateHeader: requested bytes >= 2^31
Error in pixCreateNoInit: pixd not made
Error in pixCreateTemplateNoInit: pixd not made
Error in pixCreateTemplate: pixd not made
Error in pixCopy: pixd not made
Error in pixConnCompPixa: pix1 or pix2 not made
Error in pixaSelectBySize: pixas not defined
Error in boxaSelectBySize: boxas not defined
=================================================================
==143166==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000ef00 at pc 0x410fee bp 0x7fff69d44eb0 sp 0x7fff69d44ea8
READ of size 4 at 0x60600000ef00 thread T0
    #0 0x410fed in jbig2_add_page(jbig2ctx*, Pix*) /home/lx/5_17/JBIG2/ASAN/jbig2enc-master/src/jbig2enc.cc:505
    #1 0x404163 in main /home/lx/5_17/JBIG2/ASAN/jbig2enc-master/src/jbig2.cc:472
    #2 0x7f7c58697f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #3 0x4072dc (/home/lx/5_17/JBIG2/ASAN/jbig2/bin/jbig2+0x4072dc)

0x60600000ef00 is located 0 bytes inside of 64-byte region [0x60600000ef00,0x60600000ef40)
freed by thread T0 here:
    #0 0x7f7c59737631 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54631)
    #1 0x7f7c5939944a in pixFree /opt/lxf/leptonica/src/pix1.c:590
    #2 0x7f7c5939944a in pixDestroy /opt/lxf/leptonica/src/pix1.c:558

previously allocated by thread T0 here:
    #0 0x7f7c597379a1 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549a1)
    #1 0x7f7c593988de in pixCreateHeader /opt/lxf/leptonica/src/pix1.c:475

SUMMARY: AddressSanitizer: heap-use-after-free /home/lx/5_17/JBIG2/ASAN/jbig2enc-master/src/jbig2enc.cc:505 jbig2_add_page(jbig2ctx*, Pix*)
Shadow bytes around the buggy address:
  0x0c0c7fff9d90: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff9da0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9db0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9dc0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff9dd0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c7fff9de0:[fd]fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9df0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==143166==ABORTING

@EnchantedJohn
Author

Here is the gdb information about jbig2:

(gdb) bt
#0  0x00007ffff6da3c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6da7028 in __GI_abort () at abort.c:89
#2  0x00007ffff6de02a4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6ef2350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff6dec82e in malloc_printerr (ptr=<optimized out>, str=0x7ffff6ef2518 "double free or corruption (fasttop)", action=1) at malloc.c:4998
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3842
#5  0x00007ffff7a90426 in pix_free (ptr=<optimized out>) at pix1.c:246
#6  pixFree (pix=0x62c780) at pix1.c:586
#7  pixDestroy (ppix=0x7fffffffe0d0) at pix1.c:558
#8  0x0000000000402922 in main (argc=<optimized out>, argv=0x7fffffffe228) at jbig2.cc:473
(gdb) x/8i $pc
=> 0x7ffff6da3c37 <__GI_raise+55>:	cmp    $0xfffffffffffff000,%rax
   0x7ffff6da3c3d <__GI_raise+61>:	ja     0x7ffff6da3c5d <__GI_raise+93>
   0x7ffff6da3c3f <__GI_raise+63>:	repz retq 
   0x7ffff6da3c41 <__GI_raise+65>:	nopl   0x0(%rax)
   0x7ffff6da3c48 <__GI_raise+72>:	test   %ecx,%ecx
   0x7ffff6da3c4a <__GI_raise+74>:	jg     0x7ffff6da3c27 <__GI_raise+39>
   0x7ffff6da3c4c <__GI_raise+76>:	mov    %ecx,%eax
   0x7ffff6da3c4e <__GI_raise+78>:	neg    %eax
(gdb) i r
rax            0x0	0
rbx            0x6e	110
rcx            0x7ffff6da3c37	140737334885431
rdx            0x6	6
rsi            0x1b2d5	111317
rdi            0x1b2d5	111317
rbp            0x7fffffffdfa0	0x7fffffffdfa0
rsp            0x7fffffffdc08	0x7fffffffdc08
r8             0x3033386332363030	3473181736328114224
r9             0x6f6974707572726f	8028075837120213615
r10            0x8	8
r11            0x202	514
r12            0x7fffffffddb0	140737488346544
r13            0x7	7
r14            0x6e	110
r15            0x7	7
rip            0x7ffff6da3c37	0x7ffff6da3c37 <__GI_raise+55>
eflags         0x202	[ IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

@carnil

carnil commented May 17, 2018

This issue has been assigned CVE-2018-11230

@carnil

carnil commented May 17, 2018

@EnchantedJohn Can you please add the reproducing file?
