Closed shijiameng closed 1 year ago
I'm not very motivated to spend time worrying about potential vulnerabilities on software meant to run on embedded devices. Your labels of "buggy code" don't demonstrate any specific bugs. Do you have any proposed solutions?
Hello,
I'm sorry for the unclear illustration. I will explain these bugs here again.
All these bugs are caused by a corrupted JPEG header and the missing correctness check. Taking bug 1 as an example, `quant_tbl_no` is parsed from the JPEG header. However, neither a correctness check of this value nor a bounds check is present in the code at L3276-L3278 of the source file `jpeg.inl`. Therefore, this bug can be exploited by a corrupted JPEG file to overread `JPEGIMAGE::sQuantTable`, and there is a risk of leaking the data (e.g., perhaps some sensitive data) stored in the adjacent memory. Similarly, Bug 2 and Bug 3 might cause buffer overread and leak the data in adjacent memory as well.
These bugs were found by fuzzing the library. I will make a pull request to help fix these bugs.
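The pattern described above (a table selector read straight from the file and used as an array index) is easiest to see with a small header parser. The following is an added example written for this page; it is not JPEGDEC's code and does not reproduce the library's internal `JPEGIMAGE` structure. It parses the payload of a baseline SOF0 segment and an SOS segment from constructed byte strings and rejects any quantization-table selector (Tq) or Huffman-table selector (Td/Ta) outside the 0..3 range that ITU T.81 allows, which is exactly the check a decoder must perform before indexing a fixed-size table array. The struct and function names (`frame_t`, `parse_sof0`, `parse_sos`) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_COMPONENTS   4
#define NUM_QUANT_TABLES 4   /* T.81: Tq is 0..3 */
#define NUM_HUFF_TABLES  4   /* T.81: Td, Ta are 0..3 (0..1 for baseline) */

/* Hypothetical per-component record; not JPEGDEC's JPCI[] layout. */
typedef struct {
    uint8_t id;
    uint8_t h_samp, v_samp;
    uint8_t quant_tbl_no;    /* Tq selector copied from the SOF segment */
} component_t;

typedef struct {
    uint8_t     precision;
    uint16_t    height, width;
    uint8_t     num_components;
    component_t comp[MAX_COMPONENTS];
} frame_t;

/* Parse the payload of an SOF0 marker (the bytes after FF C0).
   Returns 0 on success, a negative code on a truncated or out-of-range field. */
int parse_sof0(const uint8_t *seg, size_t seg_len, frame_t *f)
{
    if (seg_len < 2) return -1;
    size_t lf = ((size_t)seg[0] << 8) | seg[1];
    if (lf < 8 || lf > seg_len) return -1;            /* length field must fit the buffer */
    f->precision = seg[2];
    if (f->precision != 8) return -2;                  /* baseline: 8-bit samples only */
    f->height = (uint16_t)((seg[3] << 8) | seg[4]);
    f->width  = (uint16_t)((seg[5] << 8) | seg[6]);
    f->num_components = seg[7];
    if (f->num_components < 1 || f->num_components > MAX_COMPONENTS) return -3;
    if (lf != 8 + 3 * (size_t)f->num_components) return -1;
    for (size_t i = 0; i < f->num_components; i++) {
        const uint8_t *c = seg + 8 + 3 * i;
        f->comp[i].id     = c[0];
        f->comp[i].h_samp = c[1] >> 4;
        f->comp[i].v_samp = c[1] & 0x0F;
        f->comp[i].quant_tbl_no = c[2];
        if (f->comp[i].h_samp < 1 || f->comp[i].h_samp > 4 ||
            f->comp[i].v_samp < 1 || f->comp[i].v_samp > 4) return -4;
        /* The check the report says is missing: an attacker-controlled Tq must
           not be used to index a 4-entry quantization table array. */
        if (f->comp[i].quant_tbl_no >= NUM_QUANT_TABLES) return -5;
    }
    return 0;
}

/* Parse the payload of an SOS marker (bytes after FF DA) and validate the
   DC/AC Huffman selectors. dc_sel/ac_sel receive one entry per scan component.
   Returns the number of scan components, or a negative code on error. */
int parse_sos(const uint8_t *seg, size_t seg_len, uint8_t *dc_sel, uint8_t *ac_sel)
{
    if (seg_len < 3) return -1;
    size_t ls = ((size_t)seg[0] << 8) | seg[1];
    uint8_t ns = seg[2];
    if (ns < 1 || ns > MAX_COMPONENTS) return -3;
    if (ls != 6 + 2 * (size_t)ns || ls > seg_len) return -1;
    for (size_t i = 0; i < ns; i++) {
        uint8_t sel = seg[4 + 2 * i];                  /* Td in the high nibble, Ta in the low */
        dc_sel[i] = sel >> 4;
        ac_sel[i] = sel & 0x0F;
        if (dc_sel[i] >= NUM_HUFF_TABLES || ac_sel[i] >= NUM_HUFF_TABLES) return -5;
    }
    return ns;
}

/* Constructed inputs (not taken from any real file):
   a valid 16x16 4:2:0 YCbCr SOF0, the same with Tq = 0xFF on component 1,
   a valid 3-component SOS, and the same with Td = 15 on component 2. */
static const uint8_t good_sof0[17] = { 0x00,0x11, 0x08, 0x00,0x10, 0x00,0x10, 0x03,
                                       0x01,0x22,0x00, 0x02,0x11,0x01, 0x03,0x11,0x01 };
static const uint8_t bad_sof0[17]  = { 0x00,0x11, 0x08, 0x00,0x10, 0x00,0x10, 0x03,
                                       0x01,0x22,0xFF, 0x02,0x11,0x01, 0x03,0x11,0x01 };
static const uint8_t good_sos[12]  = { 0x00,0x0C, 0x03, 0x01,0x00, 0x02,0x11, 0x03,0x11,
                                       0x00,0x3F,0x00 };
static const uint8_t bad_sos[12]   = { 0x00,0x0C, 0x03, 0x01,0x00, 0x02,0x11, 0x03,0xF1,
                                       0x00,0x3F,0x00 };

int main(void)
{
    frame_t f;
    uint8_t dc[MAX_COMPONENTS], ac[MAX_COMPONENTS];
    printf("good SOF0: %d\n", parse_sof0(good_sof0, sizeof good_sof0, &f));
    printf("bad  SOF0: %d\n", parse_sof0(bad_sof0, sizeof bad_sof0, &f));
    printf("good SOS : %d\n", parse_sos(good_sos, sizeof good_sos, dc, ac));
    printf("bad  SOS : %d\n", parse_sos(bad_sos, sizeof bad_sos, dc, ac));
    return 0;
}
```

The length-field checks matter as much as the selector checks: a decoder that trusts `Lf`/`Ls` from the file can be steered past the end of its file buffer even when every selector is in range.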
Your illustration was not unclear; I understand there are vulnerabilities. What I'm saying is this:
Hello,
I found three potential vulnerabilities and report them here.
Bug 1. Buffer overflow on `JPEGIMAGE::sQuantTable` due to a corrupted quantization table selector (i.e., `pJPEG->JPCI[n].quant_tbl_no`). Buggy code: https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3276 https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3277 https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3278
Bug 2. Buffer overflow on the `JPEGIMAGE::usHuffAC` field due to a corrupted `pJPEG->ucHufftableUsed` field. Buggy code: https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L1033
Bug 3. Buffer overflow on `JPEGIMAGE::ucFileBuf` due to a corrupted JPEG header. Buggy code: https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L1387