A heap-buffer-overflow has occurred when running program jpegoptim in function optimize at jpegoptim.c:691:12
Version
$ git log
commit f20f0e8775335d9f44efc65285a6ca85451e2036 (HEAD -> master, tag: v1.5.2, origin/master, origin/HEAD)
Author: Timo Kokkonen <tjko@iki.fi>
Date: Fri Feb 10 18:00:41 2023 -0800
Bump version to v1.5.2
Steps to reproduce
$ git clone https://github.com/tjko/jpegoptim.git jpegoptim-g
$ cd jpegoptim-g
$ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build
$ build/bin/jpegoptim --stdout stdout-heapoverflow
=================================================================
==3544758==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010800 at pc 0x0000002708ae bp 0x7ffed5edb070 sp 0x7ffed5eda838
READ of size 88156 at 0x631000010800 thread T0
#0 0x2708ad in fwrite (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2708ad)
#1 0x30dbc3 in optimize /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1093:8
#2 0x3120e7 in main /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1369:10
#3 0x7f588cf2d082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x2584bd in _start (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2584bd)
0x631000010800 is located 0 bytes to the right of 65536-byte region [0x631000000800,0x631000010800)
allocated by thread T0 here:
#0 0x2d371d in malloc (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2d371d)
#1 0x30ad0f in optimize /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:691:12
#2 0x3120e7 in main /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1369:10
#3 0x7f588cf2d082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2708ad) in fwrite
Shadow bytes around the buggy address:
0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3544758==ABORTING
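Reading the report above for triage: the 65536-byte region allocated by the malloc at jpegoptim.c:691 is read past its end by the fwrite call at jpegoptim.c:1093, with 88156 bytes requested. The following parser is an added example (my own code, not part of the jpegoptim project or of this issue) that pulls those facts out of the AddressSanitizer text and derives a lower bound on the over-read; the sample string is the report quoted above, embedded inline, and all function and field names are my own. It relies on one ASan property: range checks done by interceptors such as fwrite report the first poisoned byte, not the start of the access, so when that byte is exactly the end of the region the access began inside it and at least size - region_size bytes lie beyond the allocation.

```python
"""Parse an AddressSanitizer heap-buffer-overflow report into structured fields for triage."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ASan report from the jpegoptim issue above, verbatim.
SAMPLE_REPORT = """\
==3544758==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010800 at pc 0x0000002708ae bp 0x7ffed5edb070 sp 0x7ffed5eda838
READ of size 88156 at 0x631000010800 thread T0
    #0 0x2708ad in fwrite (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2708ad)
    #1 0x30dbc3 in optimize /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1093:8
    #2 0x3120e7 in main /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1369:10
    #3 0x7f588cf2d082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x2584bd in _start (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2584bd)
0x631000010800 is located 0 bytes to the right of 65536-byte region [0x631000000800,0x631000010800)
allocated by thread T0 here:
    #0 0x2d371d in malloc (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2d371d)
    #1 0x30ad0f in optimize /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:691:12
    #2 0x3120e7 in main /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1369:10
    #3 0x7f588cf2d082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2708ad) in fwrite
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes (?P<side>to the right of|to the left of|inside of) "
    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)"
)
FRAME_RE = re.compile(r"^#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
SOURCE_RE = re.compile(r"(?P<file>[^:]+):(?P<line>\d+)(?::\d+)?")


@dataclass
class Frame:
    func: str
    loc: str  # either "file:line:col" or "(module+0xoffset)" for unsymbolized frames

    def source_line(self) -> Optional[Tuple[str, int]]:
        m = SOURCE_RE.fullmatch(self.loc)
        return (m["file"], int(m["line"])) if m else None


@dataclass
class AsanReport:
    kind: str = ""
    op: str = ""
    size: int = 0
    bad_addr: int = 0
    region_lo: int = 0
    region_hi: int = 0
    distance: int = 0
    side: str = ""
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line; frames are attached to whichever stack was opened last."""
    rep = AsanReport()
    current: Optional[List[Frame]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ERROR_RE.search(line):
            rep.kind, rep.bad_addr = m["kind"], int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            rep.op, rep.size = m["op"], int(m["size"])
            current = rep.access_stack
        elif m := REGION_RE.search(line):
            rep.distance, rep.side = int(m["dist"]), m["side"]
            rep.region_lo, rep.region_hi = int(m["lo"], 16), int(m["hi"], 16)
            current = None
        elif line.startswith("allocated by"):
            current = rep.alloc_stack
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(m["func"], m["loc"]))
        elif line.startswith("SUMMARY"):
            current = None
    if not rep.kind or not rep.size:
        raise ValueError("not a recognisable AddressSanitizer access report")
    return rep


def first_source_frame(stack: List[Frame]) -> Optional[Tuple[str, str, int]]:
    """First frame with file:line, i.e. skip interceptor frames (fwrite, malloc) that only carry an offset."""
    for fr in stack:
        src = fr.source_line()
        if src:
            return fr.func, src[0], src[1]
    return None


def triage(rep: AsanReport) -> Dict[str, object]:
    region_size = rep.region_hi - rep.region_lo
    info: Dict[str, object] = {
        "kind": rep.kind,
        "op": rep.op,
        "access_size": rep.size,
        "region_size": region_size,
        "bad_offset_from_region_end": rep.bad_addr - rep.region_hi,
        "fault_site": first_source_frame(rep.access_stack),
        "alloc_site": first_source_frame(rep.alloc_stack),
        "min_bytes_out_of_bounds": None,
    }
    # Range checks report the first poisoned byte. If that byte is exactly the region end,
    # the access started inside the region, so at least size - region_size bytes lie past it.
    if rep.side == "to the right of" and rep.distance == 0:
        info["min_bytes_out_of_bounds"] = max(rep.size - region_size, 1)
    return info


if __name__ == "__main__":
    for k, v in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{k}: {v}")
```

For this report the derived lower bound is 88156 - 65536 = 22620 bytes read beyond the allocation; the exact figure depends on where inside the buffer the fwrite began, which the report does not record.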
POC
https://github.com/blu3sh0rk/Fuzzing-crash/blob/main/jpegoptim/stdout-heapoverflow
Code in function optimize at jpegoptim.c:691:12
Environment
IMPACT
Potentially causing DoS and RCE