A global-buffer-overflow was discovered in ffjpeg. The issue is being triggered in function jfif_encode at jfif.c:701
Reproduce
Tested in Ubuntu 18.04, 64bit. Compile ffjpeg with address sanitizer as I changed CCFLAGS src/Makefile as:
# ASan
CCFLAGS = -Wall -g -fsanitize=address -fno-omit-frame-pointer -O1
And do this command to reproduce this issue: ffjpeg -e $poc poc is here
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious jpeg that exploits this issue. This will result in a Denial of Service (DoS) and when the application attempts to process the file.
ASAN Reports
==81140==ERROR: AddressSanitizer: global-buffer-overflow on address 0x56063a6c1b92 at pc 0x7f2c96918733 bp 0x7ffe503e7fe0 sp 0x7ffe503e7788
READ of size 272 at 0x56063a6c1b92 thread T0
#0 0x7f2c96918732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)#1 0x56063a6a88e7 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34#2 0x56063a6a88e7 in jfif_encode /root/study/ffjpeg/src/jfif.c:701#3 0x56063a69b382 in main /root/study/ffjpeg/src/ffjpeg.c:30#4 0x7f2c964cfb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)#5 0x56063a69b829 in _start (/root/study/ffjpeg/test/ffjpeg+0x2829)
0x56063a6c1b92 is located 0 bytes to the right of global variable 'STD_HUFTAB_LUMIN_AC' defined in'huffman.c:388:12' (0x56063a6c1ae0) of size 178
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0ac1474d0320: 00 00 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
0x0ac1474d0330: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ac1474d0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9
0x0ac1474d0350: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 00
0x0ac1474d0360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac1474d0370: 00 00[02]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ac1474d0380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1474d0390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1474d03a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1474d03b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac1474d03c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==81140==ABORTING
The text was updated successfully, but these errors were encountered:
Describe
A global-buffer-overflow was discovered in ffjpeg. The issue is being triggered in function jfif_encode at jfif.c:701
Reproduce
Tested in Ubuntu 18.04, 64bit. Compile ffjpeg with address sanitizer as I changed
CCFLAGSsrc/Makefile as:# ASan CCFLAGS = -Wall -g -fsanitize=address -fno-omit-frame-pointer -O1And do this command to reproduce this issue:
ffjpeg -e $pocpoc is here
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious jpeg that exploits this issue. This will result in a Denial of Service (DoS) and when the application attempts to process the file.
ASAN Reports
==81140==ERROR: AddressSanitizer: global-buffer-overflow on address 0x56063a6c1b92 at pc 0x7f2c96918733 bp 0x7ffe503e7fe0 sp 0x7ffe503e7788 READ of size 272 at 0x56063a6c1b92 thread T0 #0 0x7f2c96918732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) #1 0x56063a6a88e7 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34 #2 0x56063a6a88e7 in jfif_encode /root/study/ffjpeg/src/jfif.c:701 #3 0x56063a69b382 in main /root/study/ffjpeg/src/ffjpeg.c:30 #4 0x7f2c964cfb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #5 0x56063a69b829 in _start (/root/study/ffjpeg/test/ffjpeg+0x2829) 0x56063a6c1b92 is located 0 bytes to the right of global variable 'STD_HUFTAB_LUMIN_AC' defined in 'huffman.c:388:12' (0x56063a6c1ae0) of size 178 SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) Shadow bytes around the buggy address: 0x0ac1474d0320: 00 00 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 0x0ac1474d0330: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0ac1474d0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 0x0ac1474d0350: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 00 0x0ac1474d0360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0ac1474d0370: 00 00[02]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0ac1474d0380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac1474d0390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac1474d03a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac1474d03b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac1474d03c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==81140==ABORTINGThe text was updated successfully, but these errors were encountered: