Our fuzzer found a heap buffer overflow in jpeg.c in the current main (9ba1504).
Following is the output of valgrind.
vuln24.jpg is in vuln24.zip
==27100== Memcheck, a memory error detector
==27100== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27100== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==27100== Command: ./build/bin/lws-api-test-jpeg --stdin ../crash/vuln24.jpg
==27100==
[2024/05/10 13:07:31:7922] U: LWS JPEG test tool
[2024/05/10 13:07:31:8557] W: read_sof_marker: 529 x 566
==27100== Invalid write of size 1
==27100== at 0x11E044: lws_jpeg_mcu_next (jpeg.c:2454)
==27100== by 0x11E78F: lws_jpeg_emit_next_line (jpeg.c:2670)
==27100== by 0x1135E0: main (main.c:100)
==27100== Address 0x4f82fc5 is 21 bytes after a block of size 25,392 alloc'd
==27100== at 0x48487A9: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==27100== by 0x168612: _realloc (alloc.c:151)
==27100== by 0x1686E3: lws_zalloc (alloc.c:212)
==27100== by 0x11E6EC: lws_jpeg_emit_next_line (jpeg.c:2646)
==27100== by 0x1135E0: main (main.c:100)
==27100==
==27100== Invalid write of size 1
==27100== at 0x11E05D: lws_jpeg_mcu_next (jpeg.c:2455)
==27100== by 0x11E78F: lws_jpeg_emit_next_line (jpeg.c:2670)
==27100== by 0x1135E0: main (main.c:100)
==27100== Address 0x4f82fc6 is 22 bytes after a block of size 25,392 alloc'd
==27100== at 0x48487A9: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==27100== by 0x168612: _realloc (alloc.c:151)
==27100== by 0x1686E3: lws_zalloc (alloc.c:212)
==27100== by 0x11E6EC: lws_jpeg_emit_next_line (jpeg.c:2646)
==27100== by 0x1135E0: main (main.c:100)
==27100==
==27100== Invalid write of size 1
==27100== at 0x11E076: lws_jpeg_mcu_next (jpeg.c:2456)
==27100== by 0x11E78F: lws_jpeg_emit_next_line (jpeg.c:2670)
==27100== by 0x1135E0: main (main.c:100)
==27100== Address 0x4f82fc7 is 23 bytes after a block of size 25,392 alloc'd
==27100== at 0x48487A9: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==27100== by 0x168612: _realloc (alloc.c:151)
==27100== by 0x1686E3: lws_zalloc (alloc.c:212)
==27100== by 0x11E6EC: lws_jpeg_emit_next_line (jpeg.c:2646)
==27100== by 0x1135E0: main (main.c:100)
==27100==
...
[omission]
...
[2024/05/10 13:07:31:9384] E: main: failed to read: 0
[2024/05/10 13:07:31:9405] U: Completed: PASS (read 3536)
==27100==
==27100== HEAP SUMMARY:
==27100== in use at exit: 0 bytes in 0 blocks
==27100== total heap usage: 7 allocs, 7 frees, 32,196 bytes allocated
==27100==
==27100== All heap blocks were freed -- no leaks are possible
==27100==
==27100== For lists of detected and suppressed errors, rerun with: -s
==27100== ERROR SUMMARY: 24 errors from 3 contexts (suppressed: 0 from 0)
It is caused by this line.
libwebsockets/lib/misc/jpeg.c, lines 2643 to 2644 in 9ba1504:
max
pDst
=j->lines + (j->mcu_max_row * j->mcu_max_size_x * j->frame_comps) + (j->mcu_max_size_y * row_pitch) + (j->mcu_max_size_x * j->frame_comps) + (by_limit * row_pitch) + (bx_limit * 3)
Hence, the following checks are not sufficient:
libwebsockets/lib/misc/jpeg.c, lines 2472 to 2473 in 9ba1504
Ricerca Security, Inc.
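Added example, not code from libwebsockets or from the reporter: a constructed model of an MCU-strip line buffer sized like the report (529 pixels wide, 3 components, a 16-row strip, so 1587-byte rows and a 25,392-byte allocation). It puts a naive edge clamp next to a hardened block writer. The clamp form (width minus block origin, capped at 8) and the MCU layout (16x16 MCUs made of four 8x8 blocks) are assumptions; with them, the block whose origin is 536 (past the 529-pixel edge) gets a wrapped limit of 8 and its last row lands 21 bytes past the allocation, the same distance the first valgrind record reports. The hardened writer skips blocks whose origin is outside the strip and checks the last byte a block touches against the real allocation size before any store.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not libwebsockets' jpeg.c: one strip of `rows`
 * output lines, width * comps bytes each, filled one 8x8 block at a time
 * with interleaved comps-byte pixels. */
struct strip {
	uint8_t *lines;
	size_t size;       /* bytes actually allocated: the only trustworthy bound */
	size_t row_pitch;  /* width * comps */
	unsigned width;    /* image width in pixels */
	unsigned rows;     /* lines in the strip (MCU height) */
	unsigned comps;
};

static int
strip_init(struct strip *s, unsigned width, unsigned rows, unsigned comps)
{
	s->width = width;
	s->rows = rows;
	s->comps = comps;
	s->row_pitch = (size_t)width * comps;
	s->size = s->row_pitch * rows;
	s->lines = calloc(1, s->size);
	return s->lines ? 0 : -1;
}

/* Edge clamp as a decoder might write it (assumed form): limit the block
 * to the pixels left before the image edge.  When the block origin x0 is
 * already past the edge, width - x0 wraps, the clamp yields 8 and the whole
 * block is emitted.  Nothing is stored here: the function returns how many
 * bytes past the allocation the first out-of-bounds pixel would land, or
 * -1 if the clamp keeps every pixel inside. */
static long
naive_overrun_bytes(const struct strip *s, unsigned x0, unsigned y0)
{
	unsigned left = s->width - x0;              /* wraps when x0 > width */
	unsigned bx_limit = left > 8 ? 8 : left;
	unsigned by_limit = s->rows - y0 > 8 ? 8 : s->rows - y0;

	for (unsigned y = 0; y < by_limit; y++)
		for (unsigned x = 0; x < bx_limit; x++) {
			size_t off = (size_t)(y0 + y) * s->row_pitch +
				     (size_t)(x0 + x) * s->comps;
			if (off >= s->size)
				return (long)(off - s->size);
		}
	return -1;
}

/* Hardened writer: a block whose origin is outside the strip is skipped,
 * not clamped, and the last byte the block will touch is checked against
 * the allocation before any store.  blk holds 64 * comps bytes.
 * Returns pixels written, or -1 if the block would overrun. */
static long
emit_block(struct strip *s, unsigned x0, unsigned y0, const uint8_t *blk)
{
	if (x0 >= s->width || y0 >= s->rows)
		return 0;

	unsigned bx = s->width - x0 < 8 ? s->width - x0 : 8;
	unsigned by = s->rows - y0 < 8 ? s->rows - y0 : 8;
	size_t last = (size_t)(y0 + by - 1) * s->row_pitch +
		      (size_t)(x0 + bx) * s->comps - 1;

	if (last >= s->size)
		return -1;

	for (unsigned y = 0; y < by; y++) {
		uint8_t *pDst = s->lines + (size_t)(y0 + y) * s->row_pitch +
				(size_t)x0 * s->comps;
		const uint8_t *src = blk + (size_t)y * 8 * s->comps;

		for (unsigned x = 0; x < bx; x++) {
			for (unsigned c = 0; c < s->comps; c++)
				pDst[c] = src[c];
			pDst += s->comps;
			src += s->comps;
		}
	}
	return (long)bx * by;
}

/* Reported geometry: the last 16-wide MCU starts at x = 528, so its second
 * 8x8 block starts at 536, past the 529-pixel edge. */
static long
report_naive_overrun(void)
{
	struct strip s;

	if (strip_init(&s, 529, 16, 3))
		return -2;
	long r = naive_overrun_bytes(&s, 536, 8);
	free(s.lines);
	return r;
}

/* Walk one strip of 16x16 MCUs, four 8x8 blocks each (assumed layout),
 * with the hardened writer.  Returns pixels written or -1 on a rejection. */
static long
report_hardened_pixels(void)
{
	static const unsigned off[4][2] = { {0, 0}, {8, 0}, {0, 8}, {8, 8} };
	uint8_t blk[64 * 3];               /* constructed sample block */
	struct strip s;
	long total = 0;

	memset(blk, 0xab, sizeof blk);
	if (strip_init(&s, 529, 16, 3))
		return -2;
	for (unsigned m = 0; m < (s.width + 15) / 16 && total >= 0; m++)
		for (unsigned b = 0; b < 4; b++) {
			long n = emit_block(&s, m * 16 + off[b][0], off[b][1], blk);
			total = n < 0 ? -1 : total + n;
			if (n < 0)
				break;
		}
	free(s.lines);
	return total;
}

int
main(void)
{
	printf("naive clamp: first OOB write %ld bytes past the strip\n",
	       report_naive_overrun());
	printf("hardened: %ld pixels written\n", report_hardened_pixels());
	return 0;
}
```

The point of the hardened path is that the limit is derived from `size`, the number of bytes the allocator actually handed back, rather than from image geometry that a crafted SOF can make disagree with the buffer layout; a block whose origin is already outside the strip is rejected before any clamp arithmetic runs.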