[Bug 1921303] [NEW] heap overflow

XiaoyuHe Wed, 24 Mar 2021 19:05:52 -0700

Public bug reported:

# enviroment
ubuntu 18.04
./jhead poc


# version
3.04

# asan out
=================================================================
==33010==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x6190000004e5 at pc 0x5618aeedc758 bp 0x7ffe61a1d410 sp 0x7ffe61a1d400
READ of size 1 at 0x6190000004e5 thread T0
    #0 0x5618aeedc757 in Get16u exif.c:325
    #1 0x5618aeef223e in ProcessGpsInfo gpsinfo.c:62
    #2 0x5618aeee54d5 in ProcessExifDir exif.c:866
    #3 0x5618aeee5529 in ProcessExifDir exif.c:852
    #4 0x5618aeee695a in process_EXIF exif.c:1041
    #5 0x5618aeed2382 in ReadJpegSections jpgfile.c:287
    #6 0x5618aeed390e in ReadJpegSections jpgfile.c:126
    #7 0x5618aeed390e in ReadJpegFile jpgfile.c:379
    #8 0x5618aeec966c in ProcessFile jhead.c:905
    #9 0x5618aeec4b2e in main jhead.c:1756
    #10 0x7f9cfffb1bf6 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5618aeec7279 in _start (/home/fuzz/jhead-3.04/jhead+0x12279)

0x6190000004e5 is located 1 bytes to the right of 1124-byte region 
[0x619000000080,0x6190000004e4)
allocated by thread T0 here:
    #0 0x7f9d007fdb40 in __interceptor_malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5618aeed0d6b in ReadJpegSections jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c:325 in Get16u
Shadow bytes around the buggy address:
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090: 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==33010==ABORTING

** Affects: jhead (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "poc file"
   https://bugs.launchpad.net/bugs/1921303/+attachment/5480697/+files/poc3

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921303

Title:
  heap overflow

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1921303/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921303] [NEW] heap overflow

Reply via email to