
Integer overflow in tjbench.c #388

Closed
hannob opened this issue Nov 12, 2019 · 8 comments

@hannob hannob commented Nov 12, 2019

I was looking at #361 and I think the fix is incomplete (however only affecting tjbench, not the library itself).

If I take the reproducer from the openSUSE bug report (see https://bugzilla.suse.com/show_bug.cgi?id=1156402), which can be downloaded here: https://bugzilla.suse.com/attachment.cgi?id=823816, I still get an integer overflow with ubsan.

I built libjpeg-turbo from the current git code with ubsan, with a command line like this:

CC=clang CXX=clang++ LD=clang CFLAGS="-fsanitize=undefined" LDFLAGS="-fsanitize=undefined" cmake -DENABLE_SHARED=OFF ..

Running tjbench on the file from above:

$ ./tjbench-static CVE-2019-2201-reproducer-SEGFAULT-26755x26755.jpg

>>>>>  JPEG 4:2:0 --> BGR (Top-down)  <<<<<

Image size: 26755 x 26755
/tmp/libjpeg-turbo/tjbench.c:174:29: runtime error: signed integer overflow: 80265 * 26755 cannot be represented in type 'int'
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==5645==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7fe620a64000 (pc 0x7fe620bd185d bp 0x000000000002 sp 0x7fff4ba0baf8 T5645)
==5645==The signal is caused by a WRITE memory access.
UndefinedBehaviorSanitizer:DEADLYSIGNAL
UndefinedBehaviorSanitizer: nested bug in the same thread, aborting.
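
The arithmetic behind this report, as an added example (not code from tjbench or from the libjpeg-turbo fix): the destination buffer size for a 26755 x 26755 BGR image is computed in 64-bit and range-checked before it could reach malloc()/memset(), and a helper shows the value the 32-bit `pitch * scaledh` product wraps to. Function names are chosen here for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Value a 32-bit int product wraps to on two's-complement hardware, computed
 * in 64-bit so this demonstration itself has no undefined behaviour. */
int32_t wrapped_int_product(int32_t a, int32_t b) {
    uint64_t prod = (uint64_t)(int64_t)a * (uint64_t)(int64_t)b;
    uint32_t low = (uint32_t)prod;                    /* keep the low 32 bits */
    if (low <= (uint32_t)INT32_MAX) return (int32_t)low;
    return (int32_t)(low - 0x80000000u) + INT32_MIN;  /* = low - 2^32 */
}

/* Range-checked buffer size for width x height pixels of pixel_size bytes.
 * Mirrors the pitch * scaledh computation tjbench feeds to memset(), but
 * refuses any size that does not fit in an int instead of wrapping. */
int safe_dst_bufsize(int width, int height, int pixel_size, int *out) {
    if (width <= 0 || height <= 0 || pixel_size <= 0) return 0;
    uint64_t pitch = (uint64_t)width * (uint64_t)pixel_size;
    if (pitch > (uint64_t)INT_MAX) return 0;
    uint64_t bytes = pitch * (uint64_t)height;  /* < 2^62: no 64-bit overflow */
    if (bytes > (uint64_t)INT_MAX) return 0;
    *out = (int)bytes;
    return 1;
}

/* Largest pixel count whose byte size still fits in an int. */
int max_pixels_for_int(int pixel_size) {
    return INT_MAX / pixel_size;
}

int main(void) {
    int bytes;
    /* The report's image: 26755 x 26755, BGR (3 bytes per pixel), pitch 80265. */
    printf("wrapped 80265 * 26755: %d\n", wrapped_int_product(80265, 26755));
    printf("checked size: %s\n",
           safe_dst_bufsize(26755, 26755, 3, &bytes) ? "ok" : "too large");
    printf("max 3-byte pixels in an int: %d\n", max_pixels_for_int(3));
    return 0;
}
```

The wrapped value matches the gdb output further down the thread, and the pixel limit matches the one quoted in the fix's commit message.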

@pgajdos pgajdos commented Nov 12, 2019

There is probably no need to use ubsan. It just segfaults (see comment 17 in that bug).


@pgajdos pgajdos commented Nov 12, 2019

139		memset(dstbuf, 127, pitch*scaledh);
(gdb) p pitch*scaledh
$4 = -2147477221
(gdb)
@dcommander dcommander added the fixed label Nov 12, 2019

@dcommander dcommander commented Nov 12, 2019

Fix pushed to master

clrpackages pushed a commit to clearlinux-pkgs/libjpeg-turbo-soname8 that referenced this issue Nov 13, 2019
libjpeg-turbo/libjpeg-turbo#388

Minor backport of:
libjpeg-turbo/libjpeg-turbo@c30b1e7
"64-bit tjbench: Fix signed int overflow/segfault that occurred when attempting to decompress
images with more than 715827882 (2048*1024*1024 / 3) pixels."

CVEs fixed in this build:
CVE-2019-2201
clrpackages pushed a commit to clearlinux-pkgs/libjpeg-turbo that referenced this issue Nov 13, 2019
libjpeg-turbo/libjpeg-turbo#388
libjpeg-turbo/libjpeg-turbo@c30b1e7
"64-bit tjbench: Fix signed int overflow/segfault that occurred when attempting to decompress
images with more than 715827882 (2048*1024*1024 / 3) pixels."

CVEs fixed in this build:
CVE-2019-2201

@robertswiecki robertswiecki commented Nov 14, 2019

And possibly one more (in decoding to YUV).

SIGABRT PC 7ffff7c613eb STACK 1a1099b595 CODE -6 ADDR (nil) INSTR mov____0x108(%rsp),%rax
SIGABRT PC 7ffff7c613eb STACK f828bbe59 CODE -6 ADDR (nil) INSTR mov____0x108(%rsp),%rax

$ ./libjpeg-turbo.github/out/tjbench SIGABRT.PC.7ffff7c613eb.STACK.1a1099b595.CODE.-6.ADDR.\(nil\).INSTR.mov____0x108\(%rsp\)\,%rax.jpg -yuv

Testing YUV planar encoding/decoding

>>>>>  JPEG 4:4:4 --> BGR (Top-down)  <<<<<

Image size: 1002 x 891
=================================================================
==437402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006080 at pc 0x000000439687 bp 0x7fffd6341f50 sp 0x7fffd6341710
READ of size 1002 at 0x62b000006080 thread T0
    #0 0x439686 in memcpy (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x439686)
    #1 0x7fbe8f56139b in tjDecompressToYUVPlanes /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1724:11
    #2 0x7fbe8f5625c6 in tjDecompressToYUV2 /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1799:10
    #3 0x4d28f6 in decomp /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:205:15
    #4 0x4cf072 in decompTest /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:712:11
    #5 0x4cb6d0 in main /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:1003:5
    #6 0x7fbe8f08f1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #7 0x42270d in _start (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x42270d)

0x62b000006080 is located 0 bytes to the right of 24192-byte region [0x62b000000200,0x62b000006080)
allocated by thread T0 here:
    #0 0x49a60d in malloc (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x49a60d)
    #1 0x7fbe8f5605b6 in tjDecompressToYUVPlanes /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1665:31
    #2 0x7fbe8f5625c6 in tjDecompressToYUV2 /home/jagger/fuzz/jpeg/libjpeg-turbo.github/turbojpeg.c:1799:10
    #3 0x4d28f6 in decomp /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:205:15
    #4 0x4cf072 in decompTest /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:712:11
    #5 0x4cb6d0 in main /home/jagger/fuzz/jpeg/libjpeg-turbo.github/tjbench.c:1003:5
    #6 0x7fbe8f08f1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/jagger/fuzz/jpeg/libjpeg-turbo.github/out/tjbench+0x439686) in memcpy
==437402==ABORTING

@pgajdos pgajdos commented Nov 14, 2019

Please:

  1. file a new issue
  2. do not include plain POC (e. g. compress it)

@dcommander dcommander commented Nov 14, 2019

@robertswiecki I just checked in a YUV decoding fix, so try again against the latest code in Git master and file a new issue if the bug is still reproducible.


@dcommander dcommander commented Nov 14, 2019

@robertswiecki confirmed that the first image you posted (https://user-images.githubusercontent.com/12155236/68846842-f95e7180-06cd-11ea-9207-80b34a91f939.jpg) exhibits a duplicate of #387, which has already been fixed.


@robertswiecki robertswiecki commented Nov 15, 2019

Hi @dcommander , am I doing something wrong here? Btw, the double_free.jpg pic from #378 doesn't crash it. I'll file another bug, and you can close it quickly if I'm doing something incorrectly.

$ ( cd libjpeg-turbo/; git reflog )
bd20344 (grafted, HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/libjpeg-turbo/libjpeg-turbo.git

$ ( cd libjpeg-turbo/; git diff origin )

$ ./libjpeg-turbo/out/tjbench-static 68846842-f95e7180-06cd-11ea-9207-80b34a91f939.jpg -yuv

Testing YUV planar encoding/decoding

>>>>>  JPEG 4:4:4 --> BGR (Top-down)  <<<<<

Image size: 1002 x 891
=================================================================
==136873==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006080 at pc 0x0000004425fe bp 0x7ffd59651cb0 sp 0x7ffd59651460
READ of size 1002 at 0x62b000006080 thread T0
    #0 0x4425fd in __interceptor_memcpy.part.40 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4425fd)
    #1 0x535324 in tjDecompressToYUVPlanes (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x535324)
    #2 0x536609 in tjDecompressToYUV2 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x536609)
    #3 0x51f9e3 in decomp (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51f9e3)
    #4 0x51be2a in decompTest (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51be2a)
    #5 0x518ad3 in main (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x518ad3)
    #6 0x7f04c5c6252a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
    #7 0x424689 in _start (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x424689)

0x62b000006080 is located 0 bytes to the right of 24192-byte region [0x62b000000200,0x62b000006080)
allocated by thread T0 here:
    #0 0x4e0bc0 in malloc (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4e0bc0)
    #1 0x5344d5 in tjDecompressToYUVPlanes (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x5344d5)
    #2 0x536609 in tjDecompressToYUV2 (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x536609)
    #3 0x51f9e3 in decomp (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51f9e3)
    #4 0x51be2a in decompTest (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x51be2a)
    #5 0x518ad3 in main (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x518ad3)
    #6 0x7f04c5c6252a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/swiecki/fuzz/jpeg/libjpeg-turbo/out/tjbench-static+0x4425fd) in __interceptor_memcpy.part.40
bmwiedemann added a commit to bmwiedemann/openSUSE that referenced this issue Nov 15, 2019
https://build.opensuse.org/request/show/748021
by user dimstar_suse
- fix upstream bug 388 [bsc#1156402]
- added patches
  libjpeg-turbo/libjpeg-turbo#388
  + libjpeg-turbo-issue-388.patch