heap-buffer-overflow in function put_pixel_rows in wrbmp.c:145 #305

Closed
cool-tomato opened this issue Nov 27, 2018 · 3 comments
Comments

@cool-tomato

fish@ubuntu:~/Desktop/2018-10-10/image/libjpeg-turbo-2.0.1$ ./afl/afl/bin/djpeg -colors 256 -bmp heap-buffer-overflow-2
Corrupt JPEG data: 117 extraneous bytes before marker 0xdb
=================================================================
==79144==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100000000f7 at pc 0x558ce02a8b5d bp 0x7fffde75e590 sp 0x7fffde75e580
READ of size 1 at 0x6100000000f7 thread T0
    #0 0x558ce02a8b5c in put_pixel_rows /home/fish/Desktop/2018-10-10/image/libjpeg-turbo-2.0.1/wrbmp.c:145
    #1 0x558ce028f197 in main /home/fish/Desktop/2018-10-10/image/libjpeg-turbo-2.0.1/djpeg.c:762
    #2 0x7f0a3d9fcb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #3 0x558ce0290659 in _start (/home/fish/Desktop/2018-10-10/image/libjpeg-turbo-2.0.1/afl/afl/bin/djpeg+0x8659)

0x6100000000f7 is located 0 bytes to the right of 183-byte region [0x610000000040,0x6100000000f7)
allocated by thread T0 here:
    #0 0x7f0a3e141b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f0a3de0ef68 in alloc_large /home/fish/Desktop/2018-10-10/image/libjpeg-turbo-2.0.1/jmemmgr.c:391
    #2 0x7f0a3de0ef68 in alloc_sarray /home/fish/Desktop/2018-10-10/image/libjpeg-turbo-2.0.1/jmemmgr.c:475

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fish/Desktop/2018-10-10/image/libjpeg-turbo-2.0.1/wrbmp.c:145 in put_pixel_rows
Shadow bytes around the buggy address:
  0x0c207fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]fa
  0x0c207fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==79144==ABORTING

heap-buffer-overflow-2

@kirotawa

This issue has been assigned CVE-2018-19664.

@pgajdos

pgajdos commented Dec 3, 2018

No need to use ASAN; valgrind suffices.

$ valgrind -q djpeg -colors 256 -bmp testcase.jpg
Corrupt JPEG data: 117 extraneous bytes before marker 0xdb
==790== Invalid read of size 1
==790==    at 0x10DBB8: cmyk_to_rgb (cmyk.h:55)
==790==    by 0x10DBB8: put_pixel_rows (wrbmp.c:146)
==790==    by 0x10A941: main (djpeg.c:762)
==790==  Address 0x4deed77 is 0 bytes after a block of size 183 alloc'd
==790==    at 0x403077F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==790==    by 0x4083916: alloc_large (jmemmgr.c:391)
==790==    by 0x4083916: alloc_sarray (jmemmgr.c:475)
==790==    by 0x10E62D: jinit_write_bmp (wrbmp.c:554)
==790==    by 0x10A845: main (djpeg.c:646)
==790== 
==790== Invalid read of size 1
==790==    at 0x10DB98: put_pixel_rows (wrbmp.c:145)
==790==    by 0x10A941: main (djpeg.c:762)
==790==  Address 0x4deed78 is 1 bytes after a block of size 183 alloc'd
==790==    at 0x403077F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==790==    by 0x4083916: alloc_large (jmemmgr.c:391)
==790==    by 0x4083916: alloc_sarray (jmemmgr.c:475)
==790==    by 0x10E62D: jinit_write_bmp (wrbmp.c:554)
==790==    by 0x10A845: main (djpeg.c:646)
==790== 
==790== Invalid read of size 1
==790==    at 0x10DB9C: put_pixel_rows (wrbmp.c:145)
==790==    by 0x10A941: main (djpeg.c:762)
==790==  Address 0x4deed79 is 2 bytes after a block of size 183 alloc'd
==790==    at 0x403077F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==790==    by 0x4083916: alloc_large (jmemmgr.c:391)
==790==    by 0x4083916: alloc_sarray (jmemmgr.c:475)
==790==    by 0x10E62D: jinit_write_bmp (wrbmp.c:554)
==790==    by 0x10A845: main (djpeg.c:646)
==790== 
==790== Invalid read of size 1
==790==    at 0x10DBA8: put_pixel_rows (wrbmp.c:145)
==790==    by 0x10A941: main (djpeg.c:762)
==790==  Address 0x4deed7a is 3 bytes after a block of size 183 alloc'd
==790==    at 0x403077F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==790==    by 0x4083916: alloc_large (jmemmgr.c:391)
==790==    by 0x4083916: alloc_sarray (jmemmgr.c:475)
==790==    by 0x10E62D: jinit_write_bmp (wrbmp.c:554)
==790==    by 0x10A845: main (djpeg.c:646)
==790== 
==790== Invalid write of size 1
==790==    at 0x10DBEC: cmyk_to_rgb (cmyk.h:55)
==790==    by 0x10DBEC: put_pixel_rows (wrbmp.c:146)
==790==    by 0x10A941: main (djpeg.c:762)
==790==  Address 0x4df5099 is 2 bytes after a block of size 12,855 alloc'd
==790==    at 0x403077F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==790==    by 0x4083916: alloc_large (jmemmgr.c:391)
==790==    by 0x4083916: alloc_sarray (jmemmgr.c:475)
==790==    by 0x4083BF7: realize_virt_arrays (jmemmgr.c:717)
==790==    by 0x407350C: master_selection (jdmaster.c:573)
==790==    by 0x407350C: jinit_master_decompress (jdmaster.c:736)
==790==    by 0x406316C: jpeg_start_decompress (jdapistd.c:47)
==790==    by 0x10A668: main (djpeg.c:679)
==790== 
==790== Invalid write of size 1
==790==    at 0x10DC00: cmyk_to_rgb (cmyk.h:57)
==790==    by 0x10DC00: put_pixel_rows (wrbmp.c:146)
==790==    by 0x10A941: main (djpeg.c:762)
==790==  Address 0x4df5097 is 0 bytes after a block of size 12,855 alloc'd
==790==    at 0x403077F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==790==    by 0x4083916: alloc_large (jmemmgr.c:391)
==790==    by 0x4083916: alloc_sarray (jmemmgr.c:475)
==790==    by 0x4083BF7: realize_virt_arrays (jmemmgr.c:717)
==790==    by 0x407350C: master_selection (jdmaster.c:573)
==790==    by 0x407350C: jinit_master_decompress (jdmaster.c:736)
==790==    by 0x406316C: jpeg_start_decompress (jdapistd.c:47)
==790==    by 0x10A668: main (djpeg.c:679)
==790== 
==790== Invalid write of size 1
==790==    at 0x10DC0B: cmyk_to_rgb (cmyk.h:56)
==790==    by 0x10DC0B: put_pixel_rows (wrbmp.c:146)
==790==    by 0x10A941: main (djpeg.c:762)
==790==  Address 0x4df5098 is 1 bytes after a block of size 12,855 alloc'd
==790==    at 0x403077F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==790==    by 0x4083916: alloc_large (jmemmgr.c:391)
==790==    by 0x4083916: alloc_sarray (jmemmgr.c:475)
==790==    by 0x4083BF7: realize_virt_arrays (jmemmgr.c:717)
==790==    by 0x407350C: master_selection (jdmaster.c:573)
==790==    by 0x407350C: jinit_master_decompress (jdmaster.c:736)
==790==    by 0x406316C: jpeg_start_decompress (jdapistd.c:47)
==790==    by 0x10A668: main (djpeg.c:679)
==790== 
==790== Syscall param write(buf) points to uninitialised byte(s)
==790==    at 0x4B13DD4: write (in /lib64/libc-2.27.so)
==790==    by 0x4AA462C: _IO_file_write@@GLIBC_2.2.5 (in /lib64/libc-2.27.so)
==790==    by 0x4AA39DE: new_do_write (in /lib64/libc-2.27.so)
==790==    by 0x4AA5778: _IO_do_write@@GLIBC_2.2.5 (in /lib64/libc-2.27.so)
==790==    by 0x4AA5BAE: _IO_file_overflow@@GLIBC_2.2.5 (in /lib64/libc-2.27.so)
==790==    by 0x10E43F: finish_output_bmp (wrbmp.c:465)
==790==    by 0x10A79A: main (djpeg.c:800)
==790==  Address 0x4df6aa1 is 129 bytes inside a block of size 4,096 alloc'd
==790==    at 0x403077F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==790==    by 0x4A98B5B: _IO_file_doallocate (in /lib64/libc-2.27.so)
==790==    by 0x4AA6FCF: _IO_doallocbuf (in /lib64/libc-2.27.so)
==790==    by 0x4AA5BC7: _IO_file_overflow@@GLIBC_2.2.5 (in /lib64/libc-2.27.so)
==790==    by 0x4AA4CFE: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib64/libc-2.27.so)
==790==    by 0x4A99F27: fwrite (in /lib64/libc-2.27.so)
==790==    by 0x10E29A: write_bmp_header (wrbmp.c:286)
==790==    by 0x10E3BB: finish_output_bmp (wrbmp.c:451)
==790==    by 0x10A79A: main (djpeg.c:800)
==790== 
$

@pgajdos

pgajdos commented Dec 3, 2018

I do not get it with 1.5.3.

dcommander added a commit that referenced this issue Jun 3, 2020
If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will
set cinfo->output_components to 1, and if cinfo->out_color_space is not
RGB (or extended RGB), hilarity will ensue.

Fixes #305
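As an added illustration, not code from this issue or from libjpeg-turbo itself, the following constructed C model shows the mismatch the commit message describes: the decompressor sizes each row by output_components, which colour quantization forces to 1, while the BMP writer's CMYK path consumes 4 bytes per pixel and produces 3, so every row is over-read and over-written. The field and function names mirror the ones the commit message mentions, the 183-pixel width is an assumption drawn from the 183-byte region in the ASan report, and the guard at the end is the check a writer's init routine should make before allocating any row buffer.

```c
#include <stdio.h>

/* Constructed model of the fields the commit message names; not
   libjpeg-turbo's jpeg_decompress_struct or its wrbmp.c code. */
typedef enum { CS_RGB, CS_CMYK } colorspace_t;
typedef struct {
  size_t output_width;          /* pixels per row */
  int quantize_colors;          /* set by djpeg -colors N */
  colorspace_t out_color_space;
  int output_components;        /* derived by calc_output_dimensions() */
} decomp_t;

/* What the commit message attributes to jpeg_calc_output_dimensions():
   quantization forces one palette index per pixel, whatever the space. */
void calc_output_dimensions(decomp_t *c) {
  c->output_components = c->quantize_colors ? 1
                       : (c->out_color_space == CS_CMYK ? 4 : 3);
}

/* Model of the defect: the writer picks its routine by colour space before
   looking at quantization, so a CMYK row is read as 4 bytes per pixel. */
int writer_in_components(const decomp_t *c) {
  if (c->out_color_space == CS_CMYK) return 4;   /* cmyk_to_rgb path */
  return c->quantize_colors ? 1 : 3;              /* palette or RGB path */
}
int writer_out_components(const decomp_t *c) {
  return (c->out_color_space == CS_CMYK || !c->quantize_colors) ? 3 : 1;
}

/* Bytes read past a row allocated as output_width * output_components
   (183 px at 1 byte/px matches the report's 183-byte region; an assumption). */
size_t row_overread_bytes(const decomp_t *c) {
  size_t alloc = c->output_width * (size_t)c->output_components;
  size_t used = c->output_width * (size_t)writer_in_components(c);
  return used > alloc ? used - alloc : 0;
}

/* Guard a hardened writer init applies before allocating row buffers:
   reject any per-pixel read or write wider than the decompressor's stride. */
int bmp_writer_config_ok(const decomp_t *c) {
  return writer_in_components(c) <= c->output_components &&
         writer_out_components(c) <= c->output_components;
}

int main(void) {
  decomp_t c = { 183, 1, CS_CMYK, 0 };   /* djpeg -colors 256 on a CMYK JPEG */
  calc_output_dimensions(&c);
  printf("ok=%d overread=%zu bytes\n", bmp_writer_config_ok(&c), row_overread_bytes(&c));
  return 0;
}
```

With quantization on and a non-RGB colour space the guard returns 0, which is the combination the commit rejects; every other combination keeps the writer's per-pixel width within the allocated stride.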