integer-overflow cause heap-buffer-overflow in tjLoadImage #304

Closed
@Vector1iu

Description

➜ build git:(master) ✗ ./tjbench ~/Pictures/bmp/LAND3.BMP 90

[1] 17576 segmentation fault (core dumped) ./tjbench ~/Pictures/bmp/LAND3.BMP 90


The reason for the "segmentation fault" is that there is no check on "pitch * (*height)" in tjLoadImage; it can integer-overflow. Here is the gdb output:

(gdb) p pitch * (*height)
$21 = 768
(gdb) p pitch
$22 = 50331651
(gdb) p (*height)
$23 = 256


DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
                                     int align, int *height, int *pixelFormat,
                                     int flags)
...
  if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
    _throwg("tjLoadImage(): Memory allocation failure");
...


The crash happens in memcpy due to the heap overflow.


DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
                                     int align, int *height, int *pixelFormat,
                                     int flags)
...
  memcpy(dstptr, src->buffer[i], (*width) * tjPixelSize[*pixelFormat]);
...


You need to unzip LAND3.zip to get LAND3.BMP, because GitHub doesn't support uploading .bmp files.

LAND3.zip
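Added example, not code from the issue or from libjpeg-turbo: an overflow-checked buffer size computation of the kind the report is asking for, driven by the pitch and height values printed in the gdb session above. The function names (`wrapped_product_u32`, `checked_buffer_size`, `alloc_image_buffer`, `row_fits`) and the caller-supplied size cap are hypothetical; the sample values 50331651 and 256 are the ones from the report.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Illustrative overflow-checked sizing for a pitch * height image buffer.
 * Not libjpeg-turbo's own fix. Sample values (pitch 50331651, height 256)
 * are taken from the gdb session in the report.
 */

/* Reproduces the wrap from the report: the product computed in 32 bits.
 * Done in uint32_t so the wrap is well-defined (signed overflow is UB). */
uint32_t wrapped_product_u32(uint32_t pitch, uint32_t height)
{
    return pitch * height;   /* 50331651 * 256 wraps to 768 */
}

/* Returns 1 and stores pitch * height in *out if the product cannot wrap
 * in size_t and stays within a caller-supplied cap; returns 0 otherwise.
 * The cap matters because a product that fits in 64-bit size_t may still
 * exceed what an int-based API downstream can represent. */
int checked_buffer_size(int pitch, int height, size_t max_bytes, size_t *out)
{
    if (pitch <= 0 || height <= 0 || out == NULL) return 0;
    if ((size_t)pitch > SIZE_MAX / (size_t)height) return 0;  /* would wrap */
    size_t total = (size_t)pitch * (size_t)height;
    if (total > max_bytes) return 0;                           /* policy cap */
    *out = total;
    return 1;
}

/* Allocates the buffer only if the size check passes; NULL otherwise. */
unsigned char *alloc_image_buffer(int pitch, int height, size_t max_bytes)
{
    size_t n;
    if (!checked_buffer_size(pitch, height, max_bytes, &n)) return NULL;
    return (unsigned char *)malloc(n);
}

/* Row-copy guard: the per-row byte count (width * pixel_size) must not
 * exceed the pitch the buffer was sized with, or a memcpy of that many
 * bytes per row writes past the allocation. */
int row_fits(int width, int pixel_size, int pitch)
{
    if (width <= 0 || pixel_size <= 0 || pitch <= 0) return 0;
    if ((unsigned)width > (unsigned)INT_MAX / (unsigned)pixel_size) return 0;
    return width * pixel_size <= pitch;
}

int main(void)
{
    int pitch = 50331651, height = 256;   /* values from the report */
    size_t n = 0;

    printf("32-bit product wraps to %u bytes\n",
           (unsigned)wrapped_product_u32((uint32_t)pitch, (uint32_t)height));

    if (checked_buffer_size(pitch, height, (size_t)INT_MAX, &n))
        printf("checked size: %zu bytes\n", n);
    else
        printf("checked size: rejected (overflow or over cap)\n");

    printf("row of 256 px * 3 B in pitch 768: %s\n",
           row_fits(256, 3, 768) ? "fits" : "does not fit");
    printf("row of 257 px * 3 B in pitch 768: %s\n",
           row_fits(257, 3, 768) ? "fits" : "does not fit");
    return 0;
}
```

The check rejects the report's numbers on both 32- and 64-bit builds: on 32-bit the product would wrap, and on 64-bit it exceeds the INT_MAX cap that an int-based API implies, so malloc is never called with a wrapped size and the later per-row memcpy is guarded against a row longer than the pitch.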