Integer overflow in bmp_load() resulting in heap overflow in jfif_encode() at jfif.c:763 #49
Comments
I cannot reproduce the crash with the provided PoC file.
I tested with gdb and found that the PoC did not pass the check at jfif.c:752, so with this PoC the program does not execute jfif.c:763.
Tested on Ubuntu 20.04, 64-bit; Clang 12.0.0.
Did you copy-paste the file from the browser? The PoC contains special characters at the end.
PS: I tried to copy the PoC from the browser and encountered the same output as you :) My test environment is
The PoC file is downloaded from the browser, but the
And I use the
I am doing research on vulnerability reproduction and analysis. Could you please provide more information, such as how you compiled the target program? Thanks for any reply!
The complete compilation process is as follows. Feel free to ask if you encounter any problems.
I can't reproduce it either.
This problem can lead to a crash in a 32-bit program; try compiling with the -m32 option to reproduce it.
OK, I get it. This is caused by the different size of
Lines 747 to 754 in caade60
version: master (commit caade60)
poc: poc
command: ./ffjpeg -e
Here is the trace reported by ASAN:
This issue is the same as #38, but the fix for it (0fa4cf8) is not complete. An integer overflow is still possible in line 43. In the example below, when width=1431655779 and pb->stride=44, the product wraps and bypasses the check in line 44. This will lead to a heap buffer overflow in jfif.c as in the ASAN report above.
ffjpeg/src/bmp.c, lines 41 to 47 in caade60
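The report gives width=1431655779 and pb->stride=44 as the values that slip past the size check in a 32-bit build. The C program below is an added illustration, not ffjpeg's code, and it assumes (the actual expression in bmp.c lines 41 to 47 is not quoted on this page) that the buffer size is a width-times-stride product: it computes that product the way a 32-bit build does (silently wrapping modulo 2^32), the way a 64-bit build does (which is why the 64-bit testers saw no crash), and with an overflow-checked multiply of the kind that closes this class of bug.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs taken from the report: width = 1431655779, stride = 44.
 * The exact expression bmp_load() uses is not shown on this page; treating
 * the buffer size as width * stride is an assumption for illustration. */
#define POC_WIDTH  1431655779u
#define POC_STRIDE 44u

/* Product as a 32-bit build computes it with 32-bit operands:
 * the true value 62992854276 does not fit and wraps to 2863312132. */
uint32_t bufsize_wrap32(uint32_t a, uint32_t b)
{
    return a * b;
}

/* Same product promoted to 64 bits, as a 64-bit size_t would hold it.
 * No wrap here, which matches the "cannot reproduce on 64-bit" reports. */
uint64_t bufsize_wide64(uint32_t a, uint32_t b)
{
    return (uint64_t)a * (uint64_t)b;
}

/* Overflow-checked multiply: refuses the image instead of wrapping.
 * Portable form (no compiler builtin): a * b overflows iff a > MAX / b. */
bool bufsize_checked32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b != 0 && a > UINT32_MAX / b)
        return false;           /* would overflow: caller must reject input */
    *out = a * b;
    return true;
}

int main(void)
{
    uint32_t wrapped = bufsize_wrap32(POC_WIDTH, POC_STRIDE);
    uint64_t wide    = bufsize_wide64(POC_WIDTH, POC_STRIDE);
    uint32_t checked = 0;
    bool ok = bufsize_checked32(POC_WIDTH, POC_STRIDE, &checked);

    printf("32-bit wrapped size : %u\n", wrapped);
    printf("64-bit true size    : %llu\n", (unsigned long long)wide);
    printf("checked multiply    : %s\n", ok ? "accepted" : "rejected (overflow)");
    return 0;
}
```

The wrapped value is what a downstream size comparison in a 32-bit build sees, so any check that only looks at the already-multiplied result can be satisfied by an input whose true size is far larger; checking the multiplication itself, as bufsize_checked32 does, is the fix that does not depend on the platform's integer width.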