Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in function ok_jpg_generate_huffman_table() at ok_jpg.c:403 #11

Closed
ConcoctionSec opened this issue Mar 5, 2021 · 1 comment

Comments

@ConcoctionSec
Copy link

ConcoctionSec commented Mar 5, 2021

Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Environment

Ubuntu 18.04, 64bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_jpg.h"
#include "ok_jpg.c"
 
int main(int _argc, char **_argv) {
    FILE *file = fopen("_argv[1]", "rb");
    ok_jpg image = ok_jpg_read(file, OK_JPG_COLOR_FORMAT_RGBA);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

$ gcc -g -o main main.c ok_jpg.h
$ ./main heap-buffer-overflow-1.jpg

Result

Got image! Size: 0 x 0

Although the results of the running are correct, when I used our vulnerability detection tool to detect, I found that a heap buffer overflow occurred in line 403. Looking Description for a detailed description.

Description

When I used gdb for debugging with the following command:

(gdb) b 1989
(gdb) p decoder
$1 = (ok_jpg_decoder *) 0x55555575e490
(gdb) p sizeof(ok_jpg_decoder)
$2 = 52376

Obtaining the start address and size of the decoder with the help of the above command,which explaining that the valid address range of the decoder is in [0x55555575e490,0x55555576b128].

(gdb) b 403
(gdb) p &huff->code[j - 1]
$2 = (uint16_t *) 0x55555576b2d2

It can be analyzed from the code context that huff points to decoder,and the address 0x55555576b2d2 which is accessed by huff is not in the valid range of [0x55555575e490,0x55555576b128]. So heap buffer overflow occurs in function ok_jpg_generate_huffman_table() at ok_jpg.c:403.

Note: You can use ASAN for more direct verification.

Poc

Poc file is this.

brackeen added a commit that referenced this issue Mar 6, 2021
@brackeen
Copy link
Owner

brackeen commented Mar 6, 2021

Thanks for the report, @NISL-SecurityGroup. This is now fixed.

@brackeen brackeen closed this as completed Mar 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants