Public bug reported: # enviroment ubuntu 18.04 ./jhead poc
# version 3.04 # asan out ==39578==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000009cb at pc 0x56303aa75a88 bp 0x7fffb2c2ccf0 sp 0x7fffb2c2cce0 READ of size 1 at 0x61d0000009cb thread T0 #0 0x56303aa75a87 in Get32s exif.c:339 #1 0x56303aa8bcf9 in ProcessGpsInfo gpsinfo.c:138 #2 0x56303aa7e4d5 in ProcessExifDir exif.c:866 #3 0x56303aa7f95a in process_EXIF exif.c:1041 #4 0x56303aa6b382 in ReadJpegSections jpgfile.c:287 #5 0x56303aa6c90e in ReadJpegSections jpgfile.c:126 #6 0x56303aa6c90e in ReadJpegFile jpgfile.c:379 #7 0x56303aa6266c in ProcessFile jhead.c:905 #8 0x56303aa5db2e in main jhead.c:1756 #9 0x7f21c1797bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6) #10 0x56303aa60279 in _start (/home/fuzz/jhead-3.04/jhead+0x12279) 0x61d0000009cb is located 0 bytes to the right of 2379-byte region [0x61d000000080,0x61d0000009cb) allocated by thread T0 here: #0 0x7f21c1fe3b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x56303aa69d6b in ReadJpegSections jpgfile.c:173 SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c:339 in Get32s Shadow bytes around the buggy address: 0x0c3a7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3a7fff8130: 00 00 00 00 00 00 00 00 00[03]fa fa fa fa fa fa 0x0c3a7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==39578==ABORTING ** Affects: jhead (Ubuntu) Importance: Undecided Status: New ** Attachment added: "poc file" https://bugs.launchpad.net/bugs/1921302/+attachment/5480692/+files/poc2 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1921302 Title: heap overflow To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1921302/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs