
heap-overflow in HierarchicalBitmapRequester::FetchRegion #71

Closed
sleicasper opened this issue May 24, 2022 · 6 comments

Comments

@sleicasper

There is a heap-overflow in HierarchicalBitmapRequester::FetchRegion in hierarchicalbitmaprequester.cpp.

Reproduction steps:

  1. unzip poc.zip
  2. compile libjpeg with address sanitizer enabled
  3. run jpeg ./poc /dev/null

Attachment: poc.zip

Stack trace:

==2002399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000008910 at pc 0x7ffb1603d490 bp 0x7ffe4780ec40 sp 0x7ffe4780e3e8
READ of size 32 at 0x62d000008910 thread T0
    #0 0x7ffb1603d48f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x5605adc723a9 in HierarchicalBitmapRequester::FetchRegion(int, Line const* const*, int*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/hierarchicalbitmaprequester.cpp:378
    #2 0x5605adc7633a in HierarchicalBitmapRequester::ReconstructRegion(RectAngle<int> const&, RectangleRequest const*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/hierarchicalbitmaprequester.cpp:732
    #3 0x5605ad9819b5 in Image::ReconstructRegion(BitMapHook*, RectangleRequest const*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/codestream/image.cpp:1111
    #4 0x5605ad96a1e1 in JPEG::InternalDisplayRectangle(JPG_TagItem*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/interface/jpeg.cpp:721
    #5 0x5605ad969ed1 in JPEG::DisplayRectangle(JPG_TagItem*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/interface/jpeg.cpp:699
    #6 0x5605ad94d2d0 in Reconstruct(char const*, char const*, int, char const*, bool) /home/casper/targets/struct/libjpeg_th/asan/BUILD/cmd/reconstruct.cpp:320
    #7 0x5605ad939ea9 in main /home/casper/targets/struct/libjpeg_th/asan/BUILD/cmd/main.cpp:747
    #8 0x7ffb15a880b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #9 0x5605ad9369ad in _start (/home/casper/targets/struct/libjpeg_th/asan/fuzzrun/jpeg+0x459ad)

0x62d000008910 is located 0 bytes to the right of 34064-byte region [0x62d000000400,0x62d000008910)
allocated by thread T0 here:
    #0 0x7ffb160af808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5605ad95ff5c in Environ::CoreAllocMem(unsigned int, unsigned int) (/home/casper/targets/struct/libjpeg_th/asan/fuzzrun/jpeg+0x6ef5c)
    #2 0x5605ad95eac4 in Environ::AllocMem(unsigned long) /home/casper/targets/struct/libjpeg_th/asan/BUILD/tools/environment.cpp:815
    #3 0x5605adc67941 in LineLineAdapter::AllocateLine(unsigned char) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/linelineadapter.cpp:160
    #4 0x5605adc674c5 in LineLineAdapter::GetNextLine(unsigned char) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/linelineadapter.cpp:130
    #5 0x5605adc72cb0 in HierarchicalBitmapRequester::Pull8Lines(unsigned char) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/hierarchicalbitmaprequester.cpp:437
    #6 0x5605adc761fd in HierarchicalBitmapRequester::ReconstructRegion(RectAngle<int> const&, RectangleRequest const*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/hierarchicalbitmaprequester.cpp:729
    #7 0x5605ad9819b5 in Image::ReconstructRegion(BitMapHook*, RectangleRequest const*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/codestream/image.cpp:1111
    #8 0x5605ad96a1e1 in JPEG::InternalDisplayRectangle(JPG_TagItem*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/interface/jpeg.cpp:721
    #9 0x5605ad969ed1 in JPEG::DisplayRectangle(JPG_TagItem*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/interface/jpeg.cpp:699
    #10 0x5605ad94d2d0 in Reconstruct(char const*, char const*, int, char const*, bool) /home/casper/targets/struct/libjpeg_th/asan/BUILD/cmd/reconstruct.cpp:320
    #11 0x5605ad939ea9 in main /home/casper/targets/struct/libjpeg_th/asan/BUILD/cmd/main.cpp:747
    #12 0x7ffb15a880b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
==2002399==ABORTING
@thorfdbg
Owner

This has been fixed, thank you. It is caused by inconsistent MCU sizes.

@sleicasper
Author

I can still reproduce this on the latest commit.

@thorfdbg
Owner

I can't:

jpeg Copyright (C) 2012-2018 Thomas Richter, University of Stuttgart
and Accusoft

For license conditions, see README.license for details.

*** Warning -1038 in Tables::ParseTables, line 1386, file tables.cpp
*** Reason is: found invalid marker, probably a marker size is out of range

*** Warning -1038 in Tables::ParseTables, line 1386, file tables.cpp
*** Reason is: found invalid marker, probably a marker size is out of range

reading a JPEG file failed - error -1038 - component subsampling is inconsistent across hierarchical levels

0 bytes memory not yet released.

6917 bytes maximal required.

33 allocations performed.

This is from a fresh local repo.
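An added example (not libjpeg's code) modelling the bug class that the ASan trace above and the maintainer's "inconsistent MCU sizes" / "component subsampling is inconsistent across hierarchical levels" replies describe: a line buffer sized from one hierarchical level's sampling factors, a copy width derived from another level's, and the parse-time consistency check that rejects such a file before any copy happens. The names Sampling, fetch_line and reconstruct, and the sample levels, are hypothetical and constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class in this issue, not libjpeg's code: a
 * hierarchical JPEG has several frame levels, each declaring per-component
 * sampling factors. If a line buffer is sized from one level's sampling while
 * the region copy takes its width from another level's MCU geometry, levels
 * that disagree make memcpy read past the buffer (the ASan READ above). */

typedef struct { int h_samp; int v_samp; } Sampling;
/* 1 when every level declares the same sampling as level 0, else 0. */
int sampling_consistent(const Sampling *levels, int nlevels) {
    for (int i = 1; i < nlevels; i++)
        if (levels[i].h_samp != levels[0].h_samp ||
            levels[i].v_samp != levels[0].v_samp)
            return 0;
    return 1;
}

/* Bytes in one MCU row of a component: an MCU is 8*h_samp pixels wide. */
size_t line_bytes(const Sampling *s, int mcus) {
    return (size_t)8 * (size_t)s->h_samp * (size_t)mcus;
}

/* Copies one line but refuses to read past the allocation: bytes copied, or -1. */
long fetch_line(const unsigned char *line, size_t alloc_bytes,
                size_t want_bytes, unsigned char *out) {
    if (want_bytes > alloc_bytes) return -1;
    memcpy(out, line, want_bytes);
    return (long)want_bytes;
}

/* Buffer sized from alloc_level, copy width from copy_level; with check set, an inconsistent file is rejected (-2) first. */
long reconstruct(const Sampling *levels, int nlevels, int alloc_level,
                 int copy_level, int mcus, int check) {
    if (check && !sampling_consistent(levels, nlevels)) return -2;
    size_t alloc = line_bytes(&levels[alloc_level], mcus);
    size_t want  = line_bytes(&levels[copy_level], mcus);
    unsigned char *line = calloc(alloc, 1), *out = calloc(want, 1);
    long r = (line && out) ? fetch_line(line, alloc, want, out) : -3;
    free(line); free(out);
    return r;
}

int main(void) {
    const Sampling bad[2] = { {1, 1}, {2, 1} };  /* constructed: levels disagree */
    printf("unchecked: %ld, checked: %ld\n",
           reconstruct(bad, 2, 0, 1, 4, 0), reconstruct(bad, 2, 0, 1, 4, 1));
    return 0;
}
```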

@sleicasper
Author

Have you built libjpeg with address sanitizer?
The heap-overflow is detectable by address sanitizer.

I built it this way:

./configure CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address"
make

@sleicasper
Author

I guess this issue is fixed by commit 187035b.

@thorfdbg
Owner

thorfdbg commented May 26, 2022 via email
