
Heap-buffer-overflow in function optimize at jpegoptim.c:691:12 #132

Closed
blu3sh0rk opened this issue Mar 2, 2023 · 1 comment

Comments


blu3sh0rk commented Mar 2, 2023

Description

A heap-buffer-overflow occurred when running the program jpegoptim, in function optimize at jpegoptim.c:691:12.

Version

$ git log
commit f20f0e8775335d9f44efc65285a6ca85451e2036 (HEAD -> master, tag: v1.5.2, origin/master, origin/HEAD)
Author: Timo Kokkonen <tjko@iki.fi>
Date:   Fri Feb 10 18:00:41 2023 -0800

    Bump version to v1.5.2

Steps to reproduce

$ git clone https://github.com/tjko/jpegoptim.git jpegoptim-g
$ cd jpegoptim-g
$ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build
$ build/bin/jpegoptim --stdout stdout-heapoverflow

=================================================================
==3544758==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010800 at pc 0x0000002708ae bp 0x7ffed5edb070 sp 0x7ffed5eda838
READ of size 88156 at 0x631000010800 thread T0
    #0 0x2708ad in fwrite (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2708ad)
    #1 0x30dbc3 in optimize /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1093:8
    #2 0x3120e7 in main /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1369:10
    #3 0x7f588cf2d082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x2584bd in _start (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2584bd)

0x631000010800 is located 0 bytes to the right of 65536-byte region [0x631000000800,0x631000010800)
allocated by thread T0 here:
    #0 0x2d371d in malloc (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2d371d)
    #1 0x30ad0f in optimize /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:691:12
    #2 0x3120e7 in main /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1369:10
    #3 0x7f588cf2d082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2708ad) in fwrite
Shadow bytes around the buggy address:
  0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3544758==ABORTING

POC

https://github.com/blu3sh0rk/Fuzzing-crash/blob/main/jpegoptim/stdout-heapoverflow

Code in function optimize at jpegoptim.c:691:12

/* Prepare to decompress */
	if (stdin_mode || stdout_mode) {
		if (inbuffer)
			free(inbuffer);
		inbuffersize=65536;
		inbuffer=malloc(inbuffersize);     <---- line 691
		if (!inbuffer)
			fatal("not enough memory");
	}
	global_error_counter=0;
	jpeg_save_markers(&dinfo, JPEG_COM, 0xffff);
	for (j=0;j<=15;j++) {
		jpeg_save_markers(&dinfo, JPEG_APP0+j, 0xffff);
	}

Environment

Ubuntu 20.04.3 LTS \n \l

Impact

Potentially causing DoS and RCE

Owner

tjko commented Mar 2, 2023

Thanks for pointing this out! Looks like it can read past the end of the buffer if parsing a corrupt JPEG image.

Fix is now checked in: 29a073a

@tjko tjko closed this as completed Mar 2, 2023
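The ASan report above shows fwrite performing a READ of 88156 bytes that runs past the end of a 65536-byte heap region allocated at jpegoptim.c:691, i.e. the byte count handed to fwrite was not bounded by what the input buffer actually held. The following C program is an added example, not jpegoptim's code and not the fix in 29a073a; it models the defensive shape for this class of bug: keep the allocation's capacity and fill level next to the pointer, grow it with overflow-checked arithmetic, and refuse any write whose requested length exceeds the bytes actually stored. The names (inbuf_t, inbuf_append, write_checked, demo_*) and the constructed 88156-byte payload are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical input buffer that tracks its own capacity and fill level
 * (names are assumptions for this example, not jpegoptim's). */
typedef struct {
    unsigned char *data;
    size_t cap;   /* bytes allocated */
    size_t len;   /* bytes actually filled from the input */
} inbuf_t;

#define INBUF_INITIAL 65536  /* same starting size as the report's malloc */

static int inbuf_init(inbuf_t *b) {
    b->data = malloc(INBUF_INITIAL);
    if (!b->data) return -1;
    b->cap = INBUF_INITIAL;
    b->len = 0;
    return 0;
}

/* Append n bytes, doubling the allocation as needed; every size
 * computation is checked so a hostile length cannot wrap around. */
static int inbuf_append(inbuf_t *b, const unsigned char *src, size_t n) {
    if (n > SIZE_MAX - b->len) return -1;
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t newcap = b->cap;
        while (newcap < need) {
            if (newcap > SIZE_MAX / 2) return -1;
            newcap *= 2;
        }
        unsigned char *p = realloc(b->data, newcap);
        if (!p) return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len = need;
    return 0;
}

/* The unsafe shape seen in the trace: the byte count (`claimed`) comes
 * from somewhere other than the buffer itself, so fwrite can read past
 * the allocation. Shown for contrast only; the demos never call it. */
size_t write_unchecked(const inbuf_t *b, size_t claimed, FILE *out) {
    return fwrite(b->data, 1, claimed, out);
}

/* Hardened form: the request is validated against the fill level before
 * any byte is read. Returns 0 on success, -1 on mismatch or short write. */
static int write_checked(const inbuf_t *b, size_t claimed, FILE *out,
                         size_t *written) {
    *written = 0;
    if (claimed > b->len) return -1;   /* corrupt input or logic error */
    *written = fwrite(b->data, 1, claimed, out);
    return (*written == claimed) ? 0 : -1;
}

static void inbuf_free(inbuf_t *b) {
    free(b->data);
    b->data = NULL;
    b->cap = b->len = 0;
}

/* Demo 1: a constructed 88156-byte payload (the size ASan reported) is
 * appended to a buffer that started at 65536 bytes, then written out.
 * Returns the number of bytes written, or 0 on any failure. */
size_t demo_checked_write(void) {
    inbuf_t b;
    unsigned char chunk[4096];
    size_t total = 88156, done = 0, written = 0;
    FILE *out = tmpfile();
    if (!out) return 0;
    if (inbuf_init(&b) != 0) { fclose(out); return 0; }
    memset(chunk, 0xFF, sizeof chunk);        /* constructed filler bytes */
    while (done < total) {
        size_t n = (total - done < sizeof chunk) ? total - done : sizeof chunk;
        if (inbuf_append(&b, chunk, n) != 0) { inbuf_free(&b); fclose(out); return 0; }
        done += n;
    }
    if (write_checked(&b, b.len, out, &written) != 0) written = 0;
    inbuf_free(&b);
    fclose(out);
    return written;
}

/* Demo 2: a 16-byte buffer asked to emit 88156 bytes must be refused
 * with nothing written. Returns 1 if the check holds. */
int demo_rejects_oversized_claim(void) {
    inbuf_t b;
    unsigned char small[16] = {0};            /* constructed tiny input */
    size_t written = 0;
    int rejected = 0;
    FILE *out = tmpfile();
    if (!out) return 0;
    if (inbuf_init(&b) != 0) { fclose(out); return 0; }
    if (inbuf_append(&b, small, sizeof small) == 0)
        rejected = (write_checked(&b, 88156, out, &written) == -1 && written == 0);
    inbuf_free(&b);
    fclose(out);
    return rejected;
}

int main(void) {
    printf("checked write emitted %zu bytes\n", demo_checked_write());
    printf("oversized claim rejected: %d\n", demo_rejects_oversized_claim());
    return 0;
}
```

The contrast to watch for when reviewing similar code is that `write_unchecked` trusts a length that was never derived from the allocation, while `write_checked` compares the request against `len` (not `cap`) so that neither uninitialised tail bytes nor out-of-bounds memory can reach the output stream.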
mweinelt pushed a commit to NixOS/nixpkgs that referenced this issue Mar 18, 2023
github-actions bot pushed a commit to NixOS/nixpkgs that referenced this issue Mar 18, 2023