Dear metadata-extractor maintainers,

Fuzzing has found an out-of-memory issue in OSS-Fuzz with the JVM fuzzer Jazzer in metadata-extractor. We have reviewed the finding and regard it as security-related due to the potential for a denial of service.

The crashing input caused an out-of-memory error at line 374 of SequentialReader.java. We would appreciate it if you could take a look at the finding. Do you see a risk that this might be exploited by untrusted input?

Part of the stack trace:

```
== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Out of memory (use '-Xmx1710m' to reproduce)
Caused by: java.lang.OutOfMemoryError: Java heap space
    at com.drew.lang.SequentialReader.getNullTerminatedBytes(SequentialReader.java:374)
    at com.drew.lang.SequentialReader.getNullTerminatedStringValue(SequentialReader.java:358)
    at com.drew.lang.SequentialReader.getNullTerminatedString(SequentialReader.java:342)
    at com.drew.metadata.bmp.BmpReader.readBitmapHeader(BmpReader.java:375)
    at com.drew.metadata.bmp.BmpReader.readFileHeader(BmpReader.java:156)
    at com.drew.metadata.bmp.BmpReader.extract(BmpReader.java:88)
    at com.drew.imaging.bmp.BmpMetadataReader.readMetadata(BmpMetadataReader.java:57)
    at com.drew.imaging.ImageMetadataReader.readMetadata(ImageMetadataReader.java:159)
    at com.drew.imaging.ImageMetadataReader.readMetadata(ImageMetadataReader.java:124)
    at com.drew.imaging.ImageMetadataReader.readMetadata(ImageMetadataReader.java:103)
    at ImageMetadataReaderFuzzer.fuzzerTestOneInput(ImageMetadataReaderFuzzer.java:31)
    at java.base/java.lang.invoke.LambdaForm$DMH/0x0000000800b95c40.invokeStaticInit(LambdaForm$DMH)
    at java.base/java.lang.invoke.LambdaForm$MH/0x0000000800bd4040.invoke(LambdaForm$MH)
    at java.base/java.lang.invoke.LambdaForm$MH/0x0000000800bd4840.invoke_MT(LambdaForm$MH)
    ...
```
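The trace ends in a null-terminated byte read from a BMP header, which is the kind of loop that keeps growing a buffer as long as no 0x00 byte arrives. The following is an added illustration of the mitigation pattern (a hard upper bound on the field length), not metadata-extractor's own code; the class, method and limit values are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example (hypothetical class, not part of metadata-extractor): read a
// null-terminated field with an explicit cap so a stream that never delivers
// the terminator fails fast instead of buffering until the heap is exhausted.
public final class BoundedNullTerminatedReader {

    /**
     * Returns the bytes before the first 0x00 byte. Throws IOException if the
     * stream ends first or if more than maxLength bytes arrive without one.
     */
    public static byte[] readNullTerminated(InputStream in, int maxLength) throws IOException {
        if (maxLength < 0) {
            throw new IllegalArgumentException("maxLength must be >= 0");
        }
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        while (true) {
            int b = in.read();
            if (b < 0) {
                throw new IOException("stream ended before null terminator");
            }
            if (b == 0) {
                return buf.toByteArray();
            }
            if (buf.size() >= maxLength) {
                // Bounded failure: the caller sees a parse error, not an OutOfMemoryError.
                throw new IOException("null-terminated field exceeds " + maxLength + " bytes");
            }
            buf.write(b);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a well-formed field, and 1 MiB of 'A' with no terminator.
        byte[] ok = {'B', 'M', 'P', 0, 'x'};
        byte[] noTerminator = new byte[1 << 20];
        Arrays.fill(noTerminator, (byte) 'A');

        byte[] field = readNullTerminated(new ByteArrayInputStream(ok), 256);
        System.out.println(new String(field, StandardCharsets.US_ASCII));
        try {
            readNullTerminated(new ByteArrayInputStream(noTerminator), 256);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The cap should be chosen from what the format actually allows for that field; a limit derived from the declared header size is more precise than a fixed constant.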
We have added a reproducer zip which contains a README that describes how to reproduce the issue. Reproducer zip: https://drive.google.com/file/d/1V_7Imq6t2RjLyDocozVIO4owj3aD46gM/view?usp=sharing
Fuzz target: https://github.com/google/oss-fuzz/blob/master/projects/metadata-extractor/ImageMetadataReaderFuzzer.java
OSS-Fuzz issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59098

Hint: The provided OSS-Fuzz issue link is only accessible if the issue is fixed or you are a maintainer of the OSS-Fuzz project.