Package: jhead
Version: 1:3.04-3
Severity: normal
X-Debbugs-Cc: borzacchie...@diag.uniroma1.it

Dear Maintainer,

running jhead with the attached input leads to a use-after-free in the show_IPTC function.

This is the output of valgrind (valgrind jhead ./uaf_show_IPTC):

==7591== Invalid read of size 4
==7591==    at 0x112B48: show_IPTC (iptc.c:85)
==7591==    by 0x10CACB: ProcessFile (jhead.c:955)
==7591==    by 0x10B6FB: main (jhead.c:1756)
==7591==  Address 0x4b584d3 is 13 bytes before a block of size 16 free'd
==7591==    at 0x48399AB: free (vg_replace_malloc.c:538)
==7591==    by 0x10E709: ReadJpegSections.part.0 (jpgfile.c:301)
==7591==    by 0x10EB08: ReadJpegSections (jpgfile.c:126)
==7591==    by 0x10EB08: ReadJpegFile (jpgfile.c:379)
==7591==    by 0x10CA4B: ProcessFile (jhead.c:905)
==7591==    by 0x10B6FB: main (jhead.c:1756)
==7591==  Block was alloc'd at
==7591==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==7591==    by 0x10E332: ReadJpegSections.part.0 (jpgfile.c:173)
==7591==    by 0x10EB08: ReadJpegSections (jpgfile.c:126)
==7591==    by 0x10EB08: ReadJpegFile (jpgfile.c:379)
==7591==    by 0x10CA4B: ProcessFile (jhead.c:905)
==7591==    by 0x10B6FB: main (jhead.c:1756)

-- 
Regards,
Luca Borzacchiello

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-42-generic (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages jhead depends on:
ii  libc6               2.31-3
ii  libjpeg-turbo-progs 1:2.0.5-1.1

jhead recommends no packages.

Versions of packages jhead suggests:
pn  imagemagick  <none>

-- no debconf information
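The valgrind trace above has the shape of a classic parser lifetime bug: a section buffer is allocated while the JPEG is being read (jpgfile.c:173), the reader later frees it (jpgfile.c:301), and the display routine still dereferences a pointer into it (iptc.c:85). The following is an added illustration of that defect class, written for this page and not jhead's own code; every name in it (Reader, Section, add_section, discard_section, show_iptc_unsafe, show_iptc_safe) is hypothetical, and the payload bytes are constructed. It shows the risky pattern (a pointer cached at parse time that outlives the buffer) beside the ownership rule that removes it (resolve the section in the live table at display time instead of holding an alias across the reader's free).

```c
/* Added example, not jhead's code: a minimal section table illustrating
   the use-after-free class behind the valgrind trace. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define M_APP13      0xED   /* APP13 marker: the segment that carries IPTC data */
#define MAX_SECTIONS 8

typedef struct {
    unsigned char  marker;
    unsigned char *data;   /* heap copy of the segment payload, owned by the table */
    size_t         len;
} Section;

typedef struct {
    Section        sec[MAX_SECTIONS];
    int            count;
    unsigned char *iptc_cached;  /* raw alias taken at parse time (the buggy pattern) */
} Reader;

/* Counterpart of the malloc in the trace: copy a segment into the table. */
static int add_section(Reader *r, unsigned char marker,
                       const unsigned char *payload, size_t len)
{
    if (r->count >= MAX_SECTIONS)
        return -1;
    Section *s = &r->sec[r->count];
    s->data = malloc(len);
    if (s->data == NULL)
        return -1;
    memcpy(s->data, payload, len);
    s->len = len;
    s->marker = marker;
    if (marker == M_APP13)
        r->iptc_cached = s->data;  /* buggy: aliases memory the reader may free later */
    r->count++;
    return 0;
}

/* Counterpart of the free in the trace: drop one section and compact the
   table. r->iptc_cached is not cleared, so after this it dangles. */
static void discard_section(Reader *r, int i)
{
    if (i < 0 || i >= r->count)
        return;
    free(r->sec[i].data);
    memmove(&r->sec[i], &r->sec[i + 1],
            (size_t)(r->count - i - 1) * sizeof(Section));
    r->count--;
}

/* Buggy display routine: trusts the parse-time alias. Called after
   discard_section() freed that buffer it is a use-after-free (the analogue
   of the read at iptc.c:85). Only well-defined BEFORE any discard. */
static unsigned char show_iptc_unsafe(const Reader *r)
{
    return r->iptc_cached ? r->iptc_cached[0] : 0;
}

/* Fixed display routine: hold no pointer across the reader's free; look the
   section up in the live table when displaying. Returns the payload length,
   or -1 when no APP13 section is currently present. */
static long show_iptc_safe(const Reader *r)
{
    for (int i = 0; i < r->count; i++)
        if (r->sec[i].marker == M_APP13 && r->sec[i].data != NULL)
            return (long)r->sec[i].len;
    return -1;
}

static void free_reader(Reader *r)
{
    for (int i = 0; i < r->count; i++)
        free(r->sec[i].data);
    r->count = 0;
    r->iptc_cached = NULL;
}

/* Scenario matching the trace: allocate an APP13 section, let the reader
   free it, then display IPTC. Returns what the safe routine reports (-1). */
static long run_scenario(void)
{
    /* Constructed payloads, not real JPEG data. */
    static const unsigned char exif[] = { 'E', 'x', 'i', 'f', 0, 0 };
    static const unsigned char iptc[] = { 0x1C, 0x02, 0x78, 0x00, 0x03, 'a', 'b', 'c' };
    Reader r = { .count = 0, .iptc_cached = NULL };

    add_section(&r, 0xE1, exif, sizeof exif);     /* APP1 */
    add_section(&r, M_APP13, iptc, sizeof iptc);  /* APP13 carrying IPTC */
    (void)show_iptc_unsafe(&r);  /* still valid here: nothing freed yet */

    discard_section(&r, 1);      /* the reader frees the APP13 buffer */
    /* show_iptc_unsafe(&r) here would read freed memory; the safe routine
       simply finds no live APP13 section. */
    long result = show_iptc_safe(&r);
    free_reader(&r);
    return result;
}

int main(void)
{
    printf("safe IPTC lookup after discard: %ld\n", run_scenario());
    return 0;
}
```

Building the example with `-fsanitize=address` (or running it under valgrind, as in the report) and calling show_iptc_unsafe after the discard reproduces the same "invalid read ... block free'd at" diagnostic shape, which is the quickest way to confirm a fix of this class in a parser: the display path must never hold a pointer that the reader is free to release.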