bitbank2 / JPEGDEC

An optimized JPEG decoder suitable for microcontrollers and PCs.
Apache License 2.0
389 stars, 46 forks

Potential Vulnerabilities #57

Closed shijiameng closed 1 year ago

shijiameng commented 1 year ago

Hello,

I found three potential vulnerabilities and report them here.

Bug 1. Buffer overflow on JPEGIMAGE::sQuantTable due to corrupted quantization table selector (i.e., pJPEG->JPCI[n].quant_tbl_no). Buggy code:

https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3276
https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3277
https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3278

Bug 2. Buffer overflow on JPEGIMAGE::usHuffAC field due to corrupted pJPEG->ucHufftableUsed field. Buggy code:

https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L1033

Bug 3. Buffer overflow on JPEGIMAGE::ucFileBuf due to corrupted JPEG header. Buggy code:

https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L1387

bitbank2 commented 1 year ago

I'm not very motivated to spend time worrying about potential vulnerabilities on software meant to run on embedded devices. Your labels of "buggy code" don't demonstrate any specific bugs. Do you have any proposed solutions?

shijiameng commented 1 year ago

Hello,

I'm sorry for the unclear illustration. I will explain these bugs here again.

All these bugs are caused by a corrupted JPEG header and a missing correctness check. Taking Bug 1 as an example, quant_tbl_no is parsed from the JPEG header. However, neither a correctness check of this value nor a bounds check is present in lines L3276-L3278 of the source file jpeg.inl. Therefore, this bug can be exploited by a corrupted JPEG file to over-read JPEGIMAGE::sQuantTable, and there is a risk of leaking the data (e.g., perhaps some sensitive data) stored in the adjacent memory. Similarly, Bug 2 and Bug 3 might cause a buffer over-read and leak the data in adjacent memory as well.

These bugs were found by fuzzing the library. I will make a pull request to help fix these bugs.
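The mitigation the reporter describes for Bug 1 (and, by the same pattern, the Huffman table selector of Bug 2) is a bounds check on a table index before it is taken from the header. The following is an added illustration written for this thread, not JPEGDEC's own code: it uses a hypothetical decoder struct whose field names only mirror the ones named in the report, and it validates the SOF component list against the limit the JPEG standard (ITU T.81) imposes on the quantization table selector Tq (0..3), then checks again at use time that the selected table was actually defined by a DQT segment. The sample SOF bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_QUANT_TABLES 4      /* T.81 allows Tq = 0..3 */
#define MAX_COMPONENTS   4
#define QUANT_TABLE_SIZE 64

/* Hypothetical decoder state; names mirror the report, not JPEGDEC's real struct. */
typedef struct {
    uint8_t component_id;
    uint8_t quant_tbl_no;       /* Tq selector parsed from the SOF segment */
} component_t;

typedef struct {
    uint16_t    quant_table[MAX_QUANT_TABLES][QUANT_TABLE_SIZE];
    uint8_t     quant_table_loaded;  /* bitmask: bit n set once DQT defined table n */
    component_t comp[MAX_COMPONENTS];
    int         num_components;
} decoder_t;

/* Parse the component list of an SOF0 payload: a count byte followed by
   (Ci, Hi|Vi, Tqi) triples. Returns 0 on success, -1 on a malformed or
   out-of-range header. The selector is stored only after it passes the
   bound check, so later indexing with it cannot overrun quant_table. */
int parse_sof_components(decoder_t *d, const uint8_t *p, size_t len)
{
    if (len < 1) return -1;
    int n = p[0];
    if (n < 1 || n > MAX_COMPONENTS) return -1;
    if (len < 1 + (size_t)n * 3) return -1;          /* truncated segment */
    for (int i = 0; i < n; i++) {
        uint8_t tq = p[1 + i * 3 + 2];                /* third byte of the triple */
        if (tq >= MAX_QUANT_TABLES) return -1;        /* corrupted selector rejected */
        d->comp[i].component_id = p[1 + i * 3];
        d->comp[i].quant_tbl_no = tq;
    }
    d->num_components = n;
    return 0;
}

/* Use-time check: the selected table must be in range and must have been
   defined by a DQT segment; otherwise the decoder would read an
   uninitialized (or, without the range check, out-of-bounds) table. */
const uint16_t *select_quant_table(const decoder_t *d, int comp_index)
{
    if (comp_index < 0 || comp_index >= d->num_components) return NULL;
    uint8_t tq = d->comp[comp_index].quant_tbl_no;
    if (tq >= MAX_QUANT_TABLES) return NULL;
    if (!(d->quant_table_loaded & (1u << tq))) return NULL;
    return d->quant_table[tq];
}

/* Runs a well-formed header and a corrupted one through both checks.
   Returns 1 when the good header is accepted and the bad ones are rejected. */
int demo(void)
{
    /* Constructed SOF0 component list: Y uses table 0, Cb and Cr use table 1. */
    const uint8_t good[] = { 3, 1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1 };
    /* Constructed corrupted header: one component with Tq = 0xFF. */
    const uint8_t bad[]  = { 1, 1, 0x11, 0xFF };

    decoder_t d = {0};
    d.quant_table_loaded = 0x01;                      /* only DQT table 0 present */
    if (parse_sof_components(&d, good, sizeof good) != 0) return 0;
    if (select_quant_table(&d, 0) == NULL) return 0;  /* table 0: defined, allowed */
    if (select_quant_table(&d, 1) != NULL) return 0;  /* table 1: never defined */

    decoder_t e = {0};
    if (parse_sof_components(&e, bad, sizeof bad) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("checks %s\n", demo() ? "passed" : "failed");
    return demo() ? 0 : 1;
}
```

The two-stage check matters because a selector can be in range yet refer to a table the file never defined; a decoder that only range-checks would still read stale memory in that slot. The same shape applies to the Huffman table selectors Td/Ta from the SOS segment.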

bitbank2 commented 1 year ago

Your illustration was not unclear; I understand there are vulnerabilities. What I'm saying is this: