Public bug reported:

Heap-buffer-overflow while running jhead (v3.03, v3.04). I cannot
confirm whether this bug needs to be patched. Detailed log as follows (POC in
attachment):

lbb@lbb ./jhead/jhead ./input/id_m075

Nonfatal Error : './input/id_m075' Suspicious offset of first Exif IFD value
Nonfatal Error : './input/id_m075' Illegally sized Exif subdirectory (60138 entries)
Nonfatal Error : './input/id_m075' Extraneous 11 padding bytes before section 03
Nonfatal Error : './input/id_m075' Extraneous 10 padding bytes before section DB
Nonfatal Error : './input/id_m075' Extraneous 12 padding bytes before section 03
Nonfatal Error : './input/id_m075' Extraneous 164 padding bytes before section C4
Nonfatal Error : './input/id_m075' Extraneous 10 padding bytes before section EA
Nonfatal Error : './input/id_m075' Extraneous 10 padding bytes before section 03
Nonfatal Error : './input/id_m075' Extraneous 11 padding bytes before section 03
Nonfatal Error : './input/id_m075' Extraneous 10 padding bytes before section DB
=================================================================
==19742==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ddc3 at pc 0x0000004e5c14 bp 0x7fff938f6490 sp 0x7fff938f6488
READ of size 1 at 0x60700000ddc3 thread T0
    #0 0x4e5c13 in process_DQT /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgqguess.c:109:38
    #1 0x4e2d9c in ReadJpegSections /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:223:17
    #2 0x4e39c7 in ReadJpegFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379:11
    #3 0x4dea31 in ProcessFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:905:10
    #4 0x4dea31 in main /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:1756
    #5 0x7f3ea4c5f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x435e48 in _start (/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead+0x435e48)

0x60700000ddc3 is located 0 bytes to the right of 67-byte region [0x60700000dd80,0x60700000ddc3)
allocated by thread T0 here:
    #0 0x4bcdf2 in __interceptor_malloc (/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead+0x4bcdf2)
    #1 0x4e291c in ReadJpegSections /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:173:25
    #2 0x4e39c7 in ReadJpegFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgqguess.c:109 process_DQT
Shadow bytes around the buggy address:
  0x0c0e7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e7fff9bb0: 00 00 00 00 00 00 00 00[03]fa fa fa fa fa 00 00
  0x0c0e7fff9bc0: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff9bd0: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff9be0: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff9bf0: 03 fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19742==ABORTING

** Affects: jhead (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: jhead stack-buffer-overflow

** Attachment added: "POC"
   https://bugs.launchpad.net/bugs/1858744/+attachment/5318434/+files/id_m075
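The ASan trace above records a 1-byte READ at exactly the end of a 67-byte heap region that ReadJpegSections allocated for the section, i.e. process_DQT reads one byte past the DQT section it was handed. The C program below is an added illustration and is not jhead's code: it parses a DQT (0xFFDB) section body while checking the declared section length against the bytes actually present and verifying that each quantization table fits before any of its entries are read, so a malformed section produces an error code rather than an out-of-bounds read. It assumes the buffer starts with the two big-endian length bytes; the function names (parse_dqt, build_sample_dqt, the demo_* scenarios), the dqt_status codes and the sample sections are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes returned by parse_dqt (names are this example's own). */
enum dqt_status {
    DQT_BAD_LENGTH      = -1,   /* declared length < 2 or larger than the buffer */
    DQT_TRUNCATED_TABLE = -2,   /* a table header promises more bytes than remain */
    DQT_BAD_TABLE_ID    = -3    /* Pq > 1 or Tq > 3, invalid per the JPEG spec */
};

/*
 * Parse one DQT section body. `data` points at the two big-endian length
 * bytes (assumed convention: the buffer begins with the length field, which
 * counts itself); `size` is the number of bytes actually held in the buffer.
 * Returns the number of tables parsed (>= 1) or a negative dqt_status.
 * Never touches data[size] or beyond.
 */
int parse_dqt(const uint8_t *data, size_t size, uint16_t tables[4][64])
{
    if (size < 2)
        return DQT_BAD_LENGTH;
    size_t declared = ((size_t)data[0] << 8) | data[1];
    /* A length that exceeds what was read is the first thing to reject. */
    if (declared < 2 || declared > size)
        return DQT_BAD_LENGTH;

    size_t pos = 2;
    int count = 0;
    while (pos < declared) {
        uint8_t pq_tq = data[pos];           /* high nibble Pq, low nibble Tq */
        int precision16 = (pq_tq >> 4) & 0x0f;
        int id = pq_tq & 0x0f;
        if (precision16 > 1 || id > 3)
            return DQT_BAD_TABLE_ID;
        size_t need = 1 + 64 * (precision16 ? 2 : 1);
        /* Check that the whole table fits BEFORE reading any entry: a stray
           trailing byte or an over-claiming Pq is caught here, not by ASan. */
        if (declared - pos < need)
            return DQT_TRUNCATED_TABLE;
        pos++;
        for (int c = 0; c < 64; c++) {
            if (precision16) {
                tables[id][c] = (uint16_t)((data[pos] << 8) | data[pos + 1]);
                pos += 2;
            } else {
                tables[id][c] = data[pos++];
            }
        }
        count++;
    }
    return count;
}

/* Constructed sample: a DQT section with one table whose entries are 1..64.
   The caller chooses the declared length and the Pq/Tq byte; `buf` must hold
   at least 67 bytes. Returns the number of bytes written (67). */
size_t build_sample_dqt(uint8_t *buf, uint16_t declared_len, uint8_t pq_tq)
{
    buf[0] = (uint8_t)(declared_len >> 8);
    buf[1] = (uint8_t)(declared_len & 0xff);
    buf[2] = pq_tq;
    for (int i = 0; i < 64; i++)
        buf[3 + i] = (uint8_t)(i + 1);
    return 67;
}

/* Well-formed: one 8-bit table in exactly 67 bytes -> 1 table, last entry 64. */
int demo_well_formed(void)
{
    uint8_t buf[67];
    uint16_t t[4][64] = {{0}};
    size_t n = build_sample_dqt(buf, 67, 0x00);
    int r = parse_dqt(buf, n, t);
    return (r == 1 && t[0][63] == 64) ? 1 : 0;
}

/* Pq=1 claims a 128-byte table, but only 64 bytes follow in a 67-byte section. */
int demo_16bit_claim(void)
{
    uint8_t buf[67];
    uint16_t t[4][64] = {{0}};
    size_t n = build_sample_dqt(buf, 67, 0x10);
    return parse_dqt(buf, n, t);
}

/* Declared length 80, but only 67 bytes were actually read into the buffer. */
int demo_length_lies(void)
{
    uint8_t buf[67];
    uint16_t t[4][64] = {{0}};
    size_t n = build_sample_dqt(buf, 80, 0x00);
    return parse_dqt(buf, n, t);
}

/* One stray byte after a complete table: it must not be taken as a new table. */
int demo_trailing_byte(void)
{
    uint8_t buf[68];
    uint16_t t[4][64] = {{0}};
    build_sample_dqt(buf, 68, 0x00);
    buf[67] = 0x00;
    return parse_dqt(buf, 68, t);
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("16-bit claim: %d\n", demo_16bit_claim());
    printf("length lies: %d\n", demo_length_lies());
    printf("trailing byte: %d\n", demo_trailing_byte());
    return 0;
}
```

The two checks that matter are the comparison of the declared length against the bytes actually read, and the `declared - pos < need` test performed before the 64-entry loop; the crash in the report is a read at index 67 of a 67-byte region, which is exactly the position a loop that consults the next Pq/Tq byte without first checking that one remains would touch.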

** Description changed:

  Heap-buffer-overflow while running jhead(v3.03, v3.04). I can not
  confirm if this bug is needed to patch. Deatil log as follow: (POC in
  attachment)
  
- lbb@lbb .jhead/jhead ./input/id_m075
+ lbb@lbb ./jhead/jhead ./input/id_m075
  
  Nonfatal Error : './input/id_m075' Suspicious offset of first Exif IFD value
  Nonfatal Error : './input/id_m075' Illegally sized Exif subdirectory (60138 
entries)
  Nonfatal Error : './input/id_m075' Extraneous 11 padding bytes before section 
03
  Nonfatal Error : './input/id_m075' Extraneous 10 padding bytes before section 
DB
  Nonfatal Error : './input/id_m075' Extraneous 12 padding bytes before section 
03
  Nonfatal Error : './input/id_m075' Extraneous 164 padding bytes before 
section C4
  Nonfatal Error : './input/id_m075' Extraneous 10 padding bytes before section 
EA
  Nonfatal Error : './input/id_m075' Extraneous 10 padding bytes before section 
03
  Nonfatal Error : './input/id_m075' Extraneous 11 padding bytes before section 
03
  Nonfatal Error : './input/id_m075' Extraneous 10 padding bytes before section 
DB
  =================================================================
  ==19742==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60700000ddc3 at pc 0x0000004e5c14 bp 0x7fff938f6490 sp 0x7fff938f6488
  READ of size 1 at 0x60700000ddc3 thread T0
-     #0 0x4e5c13 in process_DQT 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgqguess.c:109:38
-     #1 0x4e2d9c in ReadJpegSections 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:223:17
-     #2 0x4e39c7 in ReadJpegFile 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379:11
-     #3 0x4dea31 in ProcessFile 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:905:10
-     #4 0x4dea31 in main 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:1756
-     #5 0x7f3ea4c5f82f in __libc_start_main 
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
-     #6 0x435e48 in _start 
(/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead+0x435e48)
+     #0 0x4e5c13 in process_DQT 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgqguess.c:109:38
+     #1 0x4e2d9c in ReadJpegSections 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:223:17
+     #2 0x4e39c7 in ReadJpegFile 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379:11
+     #3 0x4dea31 in ProcessFile 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:905:10
+     #4 0x4dea31 in main 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:1756
+     #5 0x7f3ea4c5f82f in __libc_start_main 
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
+     #6 0x435e48 in _start 
(/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead+0x435e48)
  
  0x60700000ddc3 is located 0 bytes to the right of 67-byte region 
[0x60700000dd80,0x60700000ddc3)
  allocated by thread T0 here:
-     #0 0x4bcdf2 in __interceptor_malloc 
(/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead+0x4bcdf2)
-     #1 0x4e291c in ReadJpegSections 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:173:25
-     #2 0x4e39c7 in ReadJpegFile 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379:11
+     #0 0x4bcdf2 in __interceptor_malloc 
(/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead+0x4bcdf2)
+     #1 0x4e291c in ReadJpegSections 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:173:25
+     #2 0x4e39c7 in ReadJpegFile 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379:11
  
  SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgqguess.c:109 process_DQT
  Shadow bytes around the buggy address:
-   0x0c0e7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-   0x0c0e7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-   0x0c0e7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-   0x0c0e7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
-   0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+   0x0c0e7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+   0x0c0e7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+   0x0c0e7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+   0x0c0e7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+   0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  =>0x0c0e7fff9bb0: 00 00 00 00 00 00 00 00[03]fa fa fa fa fa 00 00
-   0x0c0e7fff9bc0: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
-   0x0c0e7fff9bd0: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
-   0x0c0e7fff9be0: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
-   0x0c0e7fff9bf0: 03 fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
-   0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+   0x0c0e7fff9bc0: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
+   0x0c0e7fff9bd0: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
+   0x0c0e7fff9be0: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
+   0x0c0e7fff9bf0: 03 fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
+   0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
-   Addressable:           00
-   Partially addressable: 01 02 03 04 05 06 07 
-   Heap left redzone:       fa
-   Heap right redzone:      fb
-   Freed heap region:       fd
-   Stack left redzone:      f1
-   Stack mid redzone:       f2
-   Stack right redzone:     f3
-   Stack partial redzone:   f4
-   Stack after return:      f5
-   Stack use after scope:   f8
-   Global redzone:          f9
-   Global init order:       f6
-   Poisoned by user:        f7
-   Container overflow:      fc
-   Array cookie:            ac
-   Intra object redzone:    bb
-   ASan internal:           fe
-   Left alloca redzone:     ca
-   Right alloca redzone:    cb
+   Addressable:           00
+   Partially addressable: 01 02 03 04 05 06 07
+   Heap left redzone:       fa
+   Heap right redzone:      fb
+   Freed heap region:       fd
+   Stack left redzone:      f1
+   Stack mid redzone:       f2
+   Stack right redzone:     f3
+   Stack partial redzone:   f4
+   Stack after return:      f5
+   Stack use after scope:   f8
+   Global redzone:          f9
+   Global init order:       f6
+   Poisoned by user:        f7
+   Container overflow:      fc
+   Array cookie:            ac
+   Intra object redzone:    bb
+   ASan internal:           fe
+   Left alloca redzone:     ca
+   Right alloca redzone:    cb
  ==19742==ABORTING
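Review bot: the only substantive change in this description edit is the command path on the first line, `.jhead/jhead` becoming `./jhead/jhead`; every other `-`/`+` pair (the stack frames, the allocation trace, the shadow-byte rows and the legend) is identical apart from leading or trailing whitespace, for example the trailing space dropped from `Partially addressable: 01 02 03 04 05 06 07`. Anyone comparing the two versions of the report can treat its technical content as unchanged.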

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1858744

Title:
  heap-buffer-overflow on jhead(v3.03, v3.04)/jpgqguess.c:109
  process_DQT

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
