Package: libdjvulibre21
Version: 3.5.27.1-1
Usertags: afl

DjVuLibre crashes on the attached crafted file:

$ djvudump intoverflow.djvu
FORM:DJVU [22] BG44 [9] IW4 data #1, 1 slices, v1.2 (color), 65280x65280

$ ddjvu intoverflow.djvu
terminate called after throwing an instance of 'DJVU::GException'
Aborted


Backtrace:

#0  0xf7fdc425 in __kernel_vsyscall ()
#1  0xf7a98307 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xf7a999c3 in __GI_abort () at abort.c:89
#3  0xf7ccaa25 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#4  0xf7cc8733 in ?? () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#5  0xf7cc87ad in std::terminate() () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#6  0xf7cc87c3 in ?? () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#7  0xf7cc82b0 in __cxa_call_unexpected () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#8  0xf7cc9129 in operator new[](unsigned int) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#9  0xf7f28668 in DJVU::IW44Image::Map::Map (this=0xf6d00798, w=65280, h=65280) at IW44Image.cpp:608
#10 0xf7f2ab43 in DJVU::IWPixmap::decode_chunk (this=0xf6d00a08, gbs=...) at IW44Image.cpp:1774
#11 0xf7eab198 in DJVU::DjVuFile::decode_chunk (this=0x80c5848, id=..., gbs=..., djvi=false, djvu=true, iw44=false) at DjVuFile.cpp:960
#12 0xf7ead30e in DJVU::DjVuFile::decode (this=0x80c5848, gbs=...) at DjVuFile.cpp:1255
#13 0xf7eadb10 in DJVU::DjVuFile::decode_func (this=0x80c5848) at DjVuFile.cpp:484
#14 0xf7eae27a in DJVU::DjVuFile::static_decode_func (cl_data=0x80c5848) at DjVuFile.cpp:464
#15 0xf7f10b6e in DJVU::GThread::start (arg=0x80be9c0) at GThreads.cpp:392
#16 0xf7d7defb in start_thread (arg=0xf6cffb40) at pthread_create.c:309
#17 0xf7b5362e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129


I believe this is due to integer overflow in this code:

IW44Image::Map::Map(int w, int h)
  : blocks(0), iw(w), ih(h), chain(0)
{
  bw = (w+0x20-1) & ~0x1f;            /* round width up to a multiple of 32 */
  bh = (h+0x20-1) & ~0x1f;            /* round height up to a multiple of 32 */
  nb = (bw * bh) / (32 * 32);         /* bw*bh is a signed int product and wraps for large images */
  blocks = new IW44Image::Block[nb];  /* a negative nb reaches operator new[] */
  top = IWALLOCSIZE;
}

In this case w=h=65280, so nb overflows to -32704.
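The block-count arithmetic from the constructor above, recomputed with the same 32-bit int types next to a variant that widens to 64 bits and refuses a count that does not fit. This is an added example, not DjVuLibre's code or the upstream fix; the function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Block-count arithmetic as written in IW44Image::Map::Map, using the
 * original signed 32-bit int types. bw*bh is an int product, so for
 * 65280x65280 it wraps and nb comes out negative. The product is formed
 * in uint32_t here only so the wraparound is well-defined in this demo. */
int32_t iw44_block_count_unchecked(int32_t w, int32_t h)
{
    int32_t bw = (w + 0x20 - 1) & ~0x1f;
    int32_t bh = (h + 0x20 - 1) & ~0x1f;
    int32_t prod = (int32_t)((uint32_t)bw * (uint32_t)bh);
    return prod / (32 * 32);
}

/* Hardened variant (added example, not the upstream fix): rejects
 * non-positive sizes, does the rounding and product in 64 bits, and
 * refuses any block count that does not fit in int. Returns false
 * instead of letting a negative nb reach new[]. */
bool iw44_block_count_checked(int32_t w, int32_t h, int32_t *nb_out)
{
    if (w <= 0 || h <= 0)
        return false;
    uint64_t bw = ((uint64_t)w + 31) & ~(uint64_t)31;
    uint64_t bh = ((uint64_t)h + 31) & ~(uint64_t)31;
    uint64_t nb = (bw * bh) / (32 * 32); /* bw, bh < 2^32: no 64-bit wrap */
    if (nb > INT32_MAX)
        return false;
    *nb_out = (int32_t)nb;
    return true;
}

int main(void)
{
    int32_t nb;
    printf("unchecked nb for 65280x65280: %d\n",
           iw44_block_count_unchecked(65280, 65280));
    if (iw44_block_count_checked(65280, 65280, &nb))
        printf("checked nb for 65280x65280: %d\n", nb);
    return 0;
}
```

The checked variant only closes the arithmetic wrap: 65280x65280 still yields over four million blocks, so an upper bound on accepted image dimensions is a separate decision for the decoder.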

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libdjvulibre21 depends on:
ii  libc6              2.19-18
ii  libdjvulibre-text  3.5.27.1-1
ii  libgcc1            1:5.1.1-5
ii  libjpeg62-turbo    1:1.3.1-12
ii  libstdc++6         5.1.1-5

--
Jakub Wilk
