Public bug reported: Heap-buffer-overflow while running jhead (v2.97, v3.00). This bug has been patched in >= v3.0.2, but it still exists in v2.97 and v3.00. Detailed log as follows (POC in attachment):
lbb@lbb ./jhead-2.97/jhead ./jhead-2.97/crashes/I5G9X5~S
Nonfatal Error : './jhead-2.97/crashes/I5G9X5~S' Extraneous 11 padding bytes before section DC
=================================================================
==3525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000094 at pc 0x00000040bf7f bp 0x7ffd7f6c0b80 sp 0x7ffd7f6c0b78
READ of size 1 at 0x602000000094 thread T0
    #0 0x40bf7e in process_DHT /home/jhead-2.97/jpgqguess.c:188
    #1 0x408a62 in ReadJpegSections /home/jhead-2.97/jpgfile.c:228
    #2 0x4092ad in ReadJpegSections /home/jhead-2.97/jpgfile.c:126
    #3 0x4092ad in ReadJpegFile /home/jhead-2.97/jpgfile.c:375
    #4 0x404cb7 in ProcessFile /home/jhead-2.97/jhead.c:881
    #5 0x402a10 in main /home/jhead-2.97/jhead.c:1684
    #6 0x7f836156283f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #7 0x403ca8 in _start (/home/jhead-2.97/jhead+0x403ca8)

0x602000000094 is located 0 bytes to the right of 4-byte region [0x602000000090,0x602000000094)
allocated by thread T0 here:
    #0 0x7f8361cee290 in __interceptor_malloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x4083e5 in ReadJpegSections /home/jhead-2.97/jpgfile.c:173
    #2 0x4092ad in ReadJpegSections /home/jhead-2.97/jpgfile.c:126
    #3 0x4092ad in ReadJpegFile /home/jhead-2.97/jpgfile.c:375
    #4 0x404cb7 in ProcessFile /home/jhead-2.97/jhead.c:881
    #5 0x402a10 in main /home/jhead-2.97/jhead.c:1684
    #6 0x7f836156283f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jhead-2.97/jpgqguess.c:188 in process_DHT
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fd fa fa 02 fa fa fa 02 fa fa fa 02 fa
=>0x0c047fff8010: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3525==ABORTING

** Affects: jhead (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: heap-buffer-overflow jhead

** Attachment added: "This is a POC"
   https://bugs.launchpad.net/bugs/1895806/+attachment/5411265/+files/I5G9X5~S

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1895806

Title:
  heap-buffer-overflow on jhead(<=2.97, 3.00)/jpgqguess.c:188 in process_DHT

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1895806/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
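The trace above records a 1-byte read just past a 4-byte heap region that ReadJpegSections allocated and process_DHT then walked. As an added illustration of the bug class and its fix (this is not jhead's code, and the payload bytes are constructed because the report does not include them), here is a DHT segment walker that checks every read against the segment length and rejects a 4-byte payload instead of reading past it:

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative bounds-checked walker for a JPEG DHT (0xFFC4) segment payload.
 * Not jhead's process_DHT. `data`/`len` are the bytes after the segment's
 * two length bytes, as a section reader would hand them to a table parser.
 * Returns the number of Huffman tables found, or -1 if any read would fall
 * outside [data, data + len), i.e. the segment is truncated. */
int dht_walk(const uint8_t *data, size_t len)
{
    size_t pos = 0;
    int tables = 0;
    while (pos < len) {
        /* Each table: 1 class/id byte, 16 code-count bytes, then
         * sum(counts) symbol bytes. Check before touching the counts. */
        if (len - pos < 1 + 16)
            return -1;              /* header would run past the buffer */
        size_t nsyms = 0;
        for (int i = 0; i < 16; i++)
            nsyms += data[pos + 1 + i];
        pos += 17;
        if (len - pos < nsyms)
            return -1;              /* symbol list would run past the buffer */
        pos += nsyms;
        tables++;
    }
    return tables;
}

/* Constructed input: a 4-byte payload, the same size as the region in the
 * ASan report. An unchecked parser reading 16 count bytes would overrun it. */
int dht_truncated_example(void)
{
    const uint8_t four[4] = { 0x00, 0x01, 0x00, 0x00 };
    return dht_walk(four, sizeof four);     /* -1: rejected, no overread */
}

/* Constructed input: one well-formed table with two 1-bit codes. */
int dht_valid_example(void)
{
    uint8_t seg[1 + 16 + 2] = { 0x00 };
    seg[1] = 2;                             /* two codes of length 1 */
    seg[17] = 0x00;
    seg[18] = 0x01;
    return dht_walk(seg, sizeof seg);       /* 1 table */
}
```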