heap-overflow in HierarchicalBitmapRequester::FetchRegion

[sleicasper]

There is a heap-overflow in HierarchicalBitmapRequester::FetchRegion in hierarchicalbitmaprequester.cpp.

reproduce steps:

1. unzip poc.zip
2. compile libjpeg with address sanitizer enabled
3. run jpeg ./poc /dev/null

poc
poc.zip

stack trace

==2002399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000008910 at pc 0x7ffb1603d490 bp 0x7ffe4780ec40 sp 0x7ffe4780e3e8
READ of size 32 at 0x62d000008910 thread T0
    #0 0x7ffb1603d48f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x5605adc723a9 in HierarchicalBitmapRequester::FetchRegion(int, Line const* const*, int*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/hierarchicalbitmaprequester.cpp:378
    #2 0x5605adc7633a in HierarchicalBitmapRequester::ReconstructRegion(RectAngle<int> const&, RectangleRequest const*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/hierarchicalbitmaprequester.cpp:732
    #3 0x5605ad9819b5 in Image::ReconstructRegion(BitMapHook*, RectangleRequest const*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/codestream/image.cpp:1111
    #4 0x5605ad96a1e1 in JPEG::InternalDisplayRectangle(JPG_TagItem*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/interface/jpeg.cpp:721
    #5 0x5605ad969ed1 in JPEG::DisplayRectangle(JPG_TagItem*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/interface/jpeg.cpp:699
    #6 0x5605ad94d2d0 in Reconstruct(char const*, char const*, int, char const*, bool) /home/casper/targets/struct/libjpeg_th/asan/BUILD/cmd/reconstruct.cpp:320
    #7 0x5605ad939ea9 in main /home/casper/targets/struct/libjpeg_th/asan/BUILD/cmd/main.cpp:747
    #8 0x7ffb15a880b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #9 0x5605ad9369ad in _start (/home/casper/targets/struct/libjpeg_th/asan/fuzzrun/jpeg+0x459ad)

0x62d000008910 is located 0 bytes to the right of 34064-byte region [0x62d000000400,0x62d000008910)
allocated by thread T0 here:
    #0 0x7ffb160af808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5605ad95ff5c in Environ::CoreAllocMem(unsigned int, unsigned int) (/home/casper/targets/struct/libjpeg_th/asan/fuzzrun/jpeg+0x6ef5c)
    #2 0x5605ad95eac4 in Environ::AllocMem(unsigned long) /home/casper/targets/struct/libjpeg_th/asan/BUILD/tools/environment.cpp:815
    #3 0x5605adc67941 in LineLineAdapter::AllocateLine(unsigned char) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/linelineadapter.cpp:160
    #4 0x5605adc674c5 in LineLineAdapter::GetNextLine(unsigned char) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/linelineadapter.cpp:130
    #5 0x5605adc72cb0 in HierarchicalBitmapRequester::Pull8Lines(unsigned char) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/hierarchicalbitmaprequester.cpp:437
    #6 0x5605adc761fd in HierarchicalBitmapRequester::ReconstructRegion(RectAngle<int> const&, RectangleRequest const*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/control/hierarchicalbitmaprequester.cpp:729
    #7 0x5605ad9819b5 in Image::ReconstructRegion(BitMapHook*, RectangleRequest const*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/codestream/image.cpp:1111
    #8 0x5605ad96a1e1 in JPEG::InternalDisplayRectangle(JPG_TagItem*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/interface/jpeg.cpp:721
    #9 0x5605ad969ed1 in JPEG::DisplayRectangle(JPG_TagItem*) /home/casper/targets/struct/libjpeg_th/asan/BUILD/interface/jpeg.cpp:699
    #10 0x5605ad94d2d0 in Reconstruct(char const*, char const*, int, char const*, bool) /home/casper/targets/struct/libjpeg_th/asan/BUILD/cmd/reconstruct.cpp:320
    #11 0x5605ad939ea9 in main /home/casper/targets/struct/libjpeg_th/asan/BUILD/cmd/main.cpp:747
    #12 0x7ffb15a880b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c5a7fff90d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fff90e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fff90f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fff9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fff9110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a7fff9120: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fff9130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fff9140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fff9150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fff9160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fff9170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2002399==ABORTING

[thorfdbg]

This has been fixed, thank you. It is caused by inconsistent MCU sizes.

[sleicasper]

I can still reproduce this on latest commit

[thorfdbg]

I can't:

jpeg Copyright (C) 2012-2018 Thomas Richter, University of Stuttgart
and Accusoft

For license conditions, see README.license for details.

*** Warning -1038 in Tables::ParseTables, line 1386, file tables.cpp
*** Reason is: found invalid marker, probably a marker size is out of range

*** Warning -1038 in Tables::ParseTables, line 1386, file tables.cpp
*** Reason is: found invalid marker, probably a marker size is out of range

reading a JPEG file failed - error -1038 - component subsampling is inconsistent across hierarchical levels

0 bytes memory not yet released.

6917 bytes maximal required.

33 allocations performed.

This is from a fresh local repo.

[sleicasper]

Have you built libjpeg with address sanitizer?
The heap-overflow is detectable by address sanitizer.

I build it this way:

./configure CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address"
make

[sleicasper]

I guess this issue is fixed by this commit 187035b

[thorfdbg]

Am 26.05.22 um 11:52 schrieb sleicasper:

I guess this issue is fixed by this commit 187035b <187035b>

Correct, that's the fix. The issue is that the affected codestream communicates two incompatible MCU sizes, and the upsampler allocates using one size, though uses then a different size. This cannot work. Unfortunately, the description of the hierarchical process in the specs is so sketchy, it's hard to make a robust implementation from it. Nobody had much interest in this process back then.