Public bug reported:

# environment
ubuntu 18.04
./jhead poc
# version
3.04

# asan out
=================================================================
==33010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000004e5 at pc 0x5618aeedc758 bp 0x7ffe61a1d410 sp 0x7ffe61a1d400
READ of size 1 at 0x6190000004e5 thread T0
    #0 0x5618aeedc757 in Get16u exif.c:325
    #1 0x5618aeef223e in ProcessGpsInfo gpsinfo.c:62
    #2 0x5618aeee54d5 in ProcessExifDir exif.c:866
    #3 0x5618aeee5529 in ProcessExifDir exif.c:852
    #4 0x5618aeee695a in process_EXIF exif.c:1041
    #5 0x5618aeed2382 in ReadJpegSections jpgfile.c:287
    #6 0x5618aeed390e in ReadJpegSections jpgfile.c:126
    #7 0x5618aeed390e in ReadJpegFile jpgfile.c:379
    #8 0x5618aeec966c in ProcessFile jhead.c:905
    #9 0x5618aeec4b2e in main jhead.c:1756
    #10 0x7f9cfffb1bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5618aeec7279 in _start (/home/fuzz/jhead-3.04/jhead+0x12279)

0x6190000004e5 is located 1 bytes to the right of 1124-byte region [0x619000000080,0x6190000004e4)
allocated by thread T0 here:
    #0 0x7f9d007fdb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5618aeed0d6b in ReadJpegSections jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c:325 in Get16u
Shadow bytes around the buggy address:
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090: 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==33010==ABORTING

** Affects: jhead (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "poc file"
   https://bugs.launchpad.net/bugs/1921303/+attachment/5480697/+files/poc3

https://bugs.launchpad.net/bugs/1921303

Title:
  heap overflow