Package: jhead
Version: 3.04

A heap-buffer-overflow issue was discovered in jhead-3.04:gpsinfo.c:161.

Please run the following command to reproduce it:
./jhead poc

Here is the detailed log:
$ ./jhead poc

Nonfatal Error : 'poc' Extraneous 10 padding bytes before section E1

Nonfatal Error : 'poc' Illegal value pointer for tag 0100 in Exif

Nonfatal Error : 'poc' Illegal value pointer for tag fe0f in Exif

Nonfatal Error : 'poc' Illegal value pointer for tag 0110 in Exif
=================================================================
==29343==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb5e03e98 at pc 0x08059e85 bp 0xbffbf488 sp 0xbffbf478
READ of size 1 at 0xb5e03e98 thread T0
    #0 0x8059e84 in ProcessGpsInfo /home/test/afl/jhead-3.04/gpsinfo.c:161
    #1 0x8055a15 in ProcessExifDir /home/test/afl/jhead-3.04/exif.c:866
    #2 0x8056260 in process_EXIF /home/test/afl/jhead-3.04/exif.c:1041
    #3 0x804fdb8 in ReadJpegSections /home/test/afl/jhead-3.04/jpgfile.c:287
    #4 0x8050190 in ReadJpegFile /home/test/afl/jhead-3.04/jpgfile.c:379
    #5 0x804cad9 in ProcessFile /home/test/afl/jhead-3.04/jhead.c:905
    #6 0x8049cfa in main /home/test/afl/jhead-3.04/jhead.c:1756
    #7 0xb77b8636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #8 0x804b65b  (/home/test/BinFuzz/jhead+0x804b65b)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/afl/jhead-3.04/gpsinfo.c:161 ProcessGpsInfo
Shadow bytes around the buggy address:
  0x36bc0780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36bc07d0: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc07f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29343==ABORTING

This issue was raised by the binary-security-lab of Sichuan University as part of its fuzzing research work.

Attachment: poc
Description: Binary data
