Version
dev version, git clone https://github.com/brackeen/ok-file-formats.git
Environment
Ubuntu 18.04, 64bit
Testcase
Command
$ gcc -g -o main main.c ok_jpg.h
$ ./main heap-buffer-overflow-1.jpg
Result
Got image! Size: 0 x 0
Although the program's output is correct, when I used our vulnerability detection tool, I found that a heap buffer overflow occurred at line 403. See Description for the details.
Description
When I used gdb for debugging with the following commands:
(gdb) b 1989
(gdb) p decoder
$1 = (ok_jpg_decoder *) 0x55555575e490
(gdb) p sizeof(ok_jpg_decoder)
$2 = 52376
Obtaining the start address and size of the decoder with the above commands shows that the valid address range of the decoder is [0x55555575e490, 0x55555576b128].
(gdb) b 403
(gdb) p &huff->code[j - 1]
$2 = (uint16_t *) 0x55555576b2d2
It can be seen from the code context that huff points into decoder, and the address 0x55555576b2d2 accessed through huff is not in the valid range [0x55555575e490, 0x55555576b128]. So a heap buffer overflow occurs in function ok_jpg_generate_huffman_table() at ok_jpg.c:403.
Note: You can use ASAN for more direct verification.
Poc
Poc file is this.
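The range check that the report performs by hand, written out as an added C example that is not part of this issue or of the ok-file-formats project: it takes the decoder base address, sizeof(ok_jpg_decoder) and the accessed pointer from the gdb session above as integer constants, recomputes the one-past-the-end address of the allocation, and reports whether a two-byte uint16_t read at that address stays inside the allocation and by how many bytes it overshoots. The constant names and the helper functions are my own; the numeric values are the ones quoted in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted from the gdb session in the report (the names are mine). */
#define DECODER_BASE 0x55555575e490ULL   /* $1 = (ok_jpg_decoder *) ...      */
#define DECODER_SIZE 52376ULL            /* $2 = sizeof(ok_jpg_decoder)      */
#define ACCESS_ADDR  0x55555576b2d2ULL   /* &huff->code[j - 1] at ok_jpg.c:403 */

/* One-past-the-end address of an allocation that spans [base, base + size). */
uint64_t alloc_end(uint64_t base, uint64_t size)
{
    return base + size;
}

/* True when the whole access [addr, addr + access_size) lies inside
 * [base, base + size). Works on integer addresses, so values pasted from
 * a debugger can be checked without dereferencing anything. */
bool access_in_bounds(uint64_t base, uint64_t size,
                      uint64_t addr, uint64_t access_size)
{
    if (addr < base) {
        return false;                        /* starts before the allocation */
    }
    uint64_t offset = addr - base;           /* cannot wrap: addr >= base here */
    if (offset > size) {
        return false;                        /* starts past the end */
    }
    return access_size <= size - offset;     /* must fit in the remaining bytes */
}

/* Number of bytes by which the access runs past the end of the allocation
 * (0 when it is in bounds or lies entirely before the allocation). */
uint64_t overrun_bytes(uint64_t base, uint64_t size,
                       uint64_t addr, uint64_t access_size)
{
    uint64_t end = alloc_end(base, size);
    uint64_t access_end = addr + access_size;
    if (addr < base || access_end <= end) {
        return 0;
    }
    return access_end - end;
}

int main(void)
{
    uint64_t access_size = sizeof(uint16_t);   /* huff->code[] holds uint16_t */

    printf("decoder: [0x%llx, 0x%llx)\n",
           (unsigned long long)DECODER_BASE,
           (unsigned long long)alloc_end(DECODER_BASE, DECODER_SIZE));
    printf("access:  0x%llx (%llu bytes)\n",
           (unsigned long long)ACCESS_ADDR, (unsigned long long)access_size);

    if (access_in_bounds(DECODER_BASE, DECODER_SIZE, ACCESS_ADDR, access_size)) {
        printf("in bounds\n");
    } else {
        printf("OUT OF BOUNDS: overruns the allocation by %llu bytes\n",
               (unsigned long long)overrun_bytes(DECODER_BASE, DECODER_SIZE,
                                                 ACCESS_ADDR, access_size));
    }
    return 0;
}
```

With the report's numbers the allocation ends at 0x55555576b128, and the two-byte read at 0x55555576b2d2 ends 428 bytes past it, which is the same conclusion the gdb session reaches. This is essentially the comparison AddressSanitizer makes automatically against its redzones, which is why the report's note recommends ASAN for direct confirmation.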