
Double-free vulnerability in jpegoptim #57

Closed
glen-mac opened this issue Apr 17, 2018 · 2 comments

Comments

@glen-mac

I have come across a double free in jpegoptim. Please see the ASAN report below.

The crash file test case can be found here.

This was found in commit d23abf2.

The command to compile the binary is as follows:
CC=clang CXX=clang++ CFLAGS='-fsanitize=address,undefined -g -O2' CXXFLAGS=$CFLAGS make

This double-free could be used to assist in exploiting the software via heap manipulation resulting in code execution.

=================================================================
==24775==ERROR: AddressSanitizer: attempting double-free on 0x62d00000a400 in thread T0:
    #0 0x4c4780  (/root/jpegoptim/jpegoptim_afl+0x4c4780)
    #1 0x4f9c60  (/root/jpegoptim/jpegoptim_afl+0x4f9c60)
    #2 0x7f9a700c1f44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #3 0x41a765  (/root/jpegoptim/jpegoptim_afl+0x41a765)

0x62d00000a400 is located 0 bytes inside of 39485-byte region [0x62d00000a400,0x62d000013e3d)
freed by thread T0 here:
    #0 0x4c4e6d  (/root/jpegoptim/jpegoptim_afl+0x4c4e6d)
    #1 0x4faf9b  (/root/jpegoptim/jpegoptim_afl+0x4faf9b)

previously allocated by thread T0 here:
    #0 0x4c4ac8  (/root/jpegoptim/jpegoptim_afl+0x4c4ac8)
    #1 0x4f7078  (/root/jpegoptim/jpegoptim_afl+0x4f7078)
    #2 0x7f9a700c1f44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: double-free (/root/jpegoptim/jpegoptim_afl+0x4c4780)
==24775==ABORTING
@glen-mac glen-mac changed the title Double-free in jpegoptim Double-free vulnerability in jpegoptim Apr 17, 2018
@tjko (Owner)

tjko commented Apr 17, 2018

Thanks, looks like recent merge 139a558 introduced this.
Fix has been checked-in.

@tjko (Owner)

tjko commented Apr 18, 2018

Issue wasn't technically a "double-free" but realloc() and free() using a now-stale pointer...

Fix was to update the pointer to the buffer after realloc(): 5b38e8e

@tjko tjko closed this as completed Apr 18, 2018
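The root cause the maintainer describes, a buffer pointer that is not refreshed after realloc() so a later free() runs on the old address, is a common C bug class. Below is an added example (not jpegoptim's code, and not the actual fix in 5b38e8e) that shows the buggy shape as a comment and a corrected buffer-growth routine that always stores the pointer realloc() returns. The struct and function names (outbuf, outbuf_reserve, outbuf_append, outbuf_free, demo_grow_and_free) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable output buffer, modelled on the situation in the
   issue (not jpegoptim's own code): some code holds a pointer to a heap
   buffer, a helper grows it with realloc(), and the buffer is free()d later. */
struct outbuf {
    unsigned char *data;
    size_t size;      /* bytes in use */
    size_t capacity;  /* bytes allocated */
};

/* Buggy shape (comment only, because it is undefined behaviour):
 *
 *   unsigned char *old = buf->data;
 *   (void)realloc(old, newcap);   // return value dropped, 'old' kept
 *   ...
 *   free(old);                    // frees an address realloc() may already
 *                                 // have released: reported as double-free
 *
 * realloc() may move the block, so every copy of the old pointer becomes
 * stale the moment it returns. ASan reports the later free() as a
 * double-free, which is exactly the signature in the report above. */

/* Corrected shape: the only live pointer is the one realloc() returned.
   Returns 0 on success, -1 on allocation failure (buffer left intact). */
int outbuf_reserve(struct outbuf *buf, size_t needed)
{
    if (needed <= buf->capacity)
        return 0;
    size_t newcap = buf->capacity ? buf->capacity : 64;
    while (newcap < needed) {
        if (newcap > SIZE_MAX / 2)
            return -1;
        newcap *= 2;
    }
    unsigned char *p = realloc(buf->data, newcap);
    if (!p)
        return -1;      /* buf->data is still valid and still owned here */
    buf->data = p;      /* the fix: refresh the pointer after realloc() */
    buf->capacity = newcap;
    return 0;
}

int outbuf_append(struct outbuf *buf, const unsigned char *src, size_t n)
{
    if (outbuf_reserve(buf, buf->size + n) != 0)
        return -1;
    memcpy(buf->data + buf->size, src, n);
    buf->size += n;
    return 0;
}

void outbuf_free(struct outbuf *buf)
{
    free(buf->data);
    buf->data = NULL;   /* free(NULL) is a no-op, so a repeat call is harmless */
    buf->size = buf->capacity = 0;
}

/* Constructed exercise: append enough data to force several reallocations,
   verify the last byte, then release. Returns the byte count or -1. */
long demo_grow_and_free(void)
{
    struct outbuf b = { NULL, 0, 0 };
    unsigned char chunk[100];
    memset(chunk, 0xAB, sizeof chunk);
    for (int i = 0; i < 500; i++) {          /* 50,000 bytes in total */
        if (outbuf_append(&b, chunk, sizeof chunk) != 0) {
            outbuf_free(&b);
            return -1;
        }
    }
    long total = (long)b.size;
    int last_ok = b.data[b.size - 1] == 0xAB;
    outbuf_free(&b);
    outbuf_free(&b);    /* safe: data was nulled by the first call */
    return last_ok ? total : -1;
}

int main(void)
{
    printf("appended %ld bytes\n", demo_grow_and_free());
    return 0;
}
```

Compiling this with the same `-fsanitize=address` flags quoted in the report is a cheap way to confirm that a growth routine never leaves a stale alias behind: ASan flags the free() of a moved block immediately, as it did here.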