I use valgrind to analyze the bug and get the below information (absolute path information omitted):
==12529== Memcheck, a memory error detector
==12529== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12529== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==12529== Command: ffjpeg -e segv_ffjpeg_e2
==12529==
==12529== Argument 'size' of function malloc has a fishy (possibly negative) value: -2097127520
==12529== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12529== by 0x4015EB: bmp_load (bmp.c:52)
==12529== by 0x400F2B: main (ffjpeg.c:29)
==12529==
==12529== Invalid read of size 1
==12529== at 0x40C930: jfif_encode (jfif.c:748)
==12529== by 0x400F33: main (ffjpeg.c:30)
==12529== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==12529==
==12529==
==12529== Process terminating with default action of signal 11 (SIGSEGV)
==12529== Access not within mapped region at address 0x0
==12529== at 0x40C930: jfif_encode (jfif.c:748)
==12529== by 0x400F33: main (ffjpeg.c:30)
==12529== If you believe this happened as a result of a stack
==12529== overflow in your program's main thread (unlikely but
==12529== possible), you can try to increase the size of the
==12529== main thread stack using the --main-stacksize= flag.
==12529== The main thread stack size used in this run was 8388608.
==12529==
==12529== HEAP SUMMARY:
==12529== in use at exit: 33,643,096 bytes in 12 blocks
==12529== total heap usage: 14 allocs, 2 frees, 33,647,744 bytes allocated
==12529==
==12529== LEAK SUMMARY:
==12529== definitely lost: 0 bytes in 0 blocks
==12529== indirectly lost: 0 bytes in 0 blocks
==12529== possibly lost: 0 bytes in 0 blocks
==12529== still reachable: 33,643,096 bytes in 12 blocks
==12529== suppressed: 0 bytes in 0 blocks
==12529== Rerun with --leak-check=full to see details of leaked memory
==12529==
==12529== For counts of detected and suppressed errors, rerun with: -v
==12529== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault
Tested in Ubuntu 16.04, 64bit.
The testcase is segv_ffjpeg_e2.
I use the following command:
and get:
The gdb reports:
An attacker can exploit this vulnerability by submitting a malicious bmp that exploits this bug, which will result in a Denial of Service (DoS).
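As an added defender-side illustration (this is not ffjpeg's own code; the header struct, field names and the 1 GiB cap are assumptions), the C below shows the integer-wrap pattern that produces a "fishy (possibly negative)" malloc size from crafted BMP dimensions, next to an overflow-checked size computation and an allocation whose NULL result is checked instead of dereferenced:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed BMP-like header fields (field names are assumptions, not ffjpeg's). */
typedef struct {
    int32_t  width;    /* biWidth: attacker-controlled, may be huge or negative */
    int32_t  height;   /* biHeight: negative means top-down in BMP, so use |height| */
    uint16_t bitcount; /* biBitCount: only 24 and 32 accepted here */
} bmp_hdr_t;

/* The unsafe pattern: width*height*3 in 32-bit int wraps around for large
 * dimensions and can yield a negative value that is then passed to malloc.
 * Done through uint32_t so the wrap is deterministic rather than UB. */
int32_t bmp_naive_int_size(const bmp_hdr_t *h) {
    uint32_t w = (uint32_t)h->width, ht = (uint32_t)h->height;
    return (int32_t)(w * ht * 3u);
}

/* Hardened: validate fields, compute the padded row stride in 64 bits,
 * and reject anything that would overflow or exceed a sanity cap.
 * Returns 0 when the header is rejected. */
size_t bmp_pixel_bytes(const bmp_hdr_t *h) {
    if (h->width <= 0 || h->height == 0) return 0;
    if (h->bitcount != 24 && h->bitcount != 32) return 0;
    uint64_t height = (h->height < 0) ? (uint64_t)(-(int64_t)h->height)
                                      : (uint64_t)h->height;
    /* BMP rows are padded to a multiple of 4 bytes */
    uint64_t stride = (((uint64_t)h->width * h->bitcount / 8) + 3) & ~(uint64_t)3;
    const uint64_t limit = 1ull << 30; /* 1 GiB cap: a policy value, assumed here */
    if (stride == 0 || height > limit / stride) return 0; /* overflow or over cap */
    return (size_t)(stride * height);
}

/* Allocate only after validation; the caller must handle NULL, never deref it. */
unsigned char *bmp_alloc_pixels(const bmp_hdr_t *h) {
    size_t n = bmp_pixel_bytes(h);
    if (n == 0) return NULL;
    unsigned char *p = malloc(n);
    if (p == NULL) return NULL;
    memset(p, 0, n);
    return p;
}
```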