dropbox / lepton

Lepton is a tool and file format for losslessly compressing JPEGs by an average of 22%.
https://blogs.dropbox.com/tech/2016/07/lepton-image-compression-saving-22-losslessly-from-images-at-15mbs/
Apache License 2.0

[Bug]A heap-buffer-overflow was discovered in function aligned_dealloc():src/lepton/bitops.cc:108 #154

Closed Asteriska001 closed 2 years ago

Asteriska001 commented 2 years ago

Description

A heap-buffer-overflow was discovered in function aligned_dealloc() (src/lepton/bitops.cc:108). The issue is triggered in function reset_buffers() (src/lepton/jpgcoder.cc:4373).

Version

lepton v1.0-1.2.1-185-g2a08b77 (latest commit), url: https://github.com/dropbox/lepton

Reproduce

Using CMake (built with AddressSanitizer):

mkdir -p build
cd build
export CC="gcc"
export CXX="g++"
export CFLAGS="-g -fsanitize=address"
export CXXFLAGS="-g -fsanitize=address"
cmake ..
make -j8

Case 1
./lepton -unjailed ./poc b.jpg (output: attached file image1.png)

Case 2
./lepton -permissive -unjailed ./poc b.jpg (output: attached file 2.png)

Case 3
./lepton ./poc b.jpg (output: attached file 3.png)

POC

PoC file attached.

ASAN Report

lepton v1.0-1.2.1-185-g2a08b77
x: Unknown Item in header instead of ZSTART ACHIEVED 1644425153 702974
TIMING (new method): 0.005493 to first byte 0.005523 total
Read took: 0.000231
=================================================================
==3721==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffff35fe7ff at pc 0x555555584cad bp 0x7fffffffd420 sp 0x7fffffffd410
READ of size 1 at 0x7ffff35fe7ff thread T0
#0 0x555555584cac in aligned_dealloc(unsigned char*) src/lepton/bitops.cc:108
#1 0x5555555d6300 in reset_buffers() src/lepton/jpgcoder.cc:4373
#2 0x5555555bae45 in prep_for_new_file() src/lepton/jpgcoder.cc:1514
#3 0x5555555bea59 in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1890
#4 0x5555555b6555 in app_main(int, char**) src/lepton/jpgcoder.cc:941
#5 0x55555560b796 in main src/lepton/main.cc:17
#6 0x7ffff70750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#7 0x55555558045d in _start (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0x2c45d)

0x7ffff35fe7ff is located 1 bytes to the left of 4195328-byte region [0x7ffff35fe800,0x7ffff39fec00)
allocated by thread T0 here:
#0 0x7ffff769c93c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x555555670075 in custom_malloc src/vp8/util/memory.cc:68
#2 0x555555670257 in custom_calloc src/vp8/util/memory.cc:147
#3 0x555555584b4f in abitwriter::abitwriter(int, int) src/lepton/bitops.cc:86
#4 0x5555555caa75 in recode_jpeg() src/lepton/jpgcoder.cc:3326
#5 0x5555555fb808 in bool std::__invoke_impl(std::__invoke_other, bool (*&)()) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0xa7808)
#6 0x5555555f5e3b in std::enable_if >, std::is_convertible::type, bool> >::value, bool>::type std::__invoke_r(bool (*&)()) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0xa1e3b)
#7 0x5555555efa22 in std::_Function_handler::_M_invoke(std::_Any_data const&) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0x9ba22)
#8 0x5555555ea209 in std::function::operator()() const /usr/include/c++/10/bits/std_function.h:622
#9 0x5555555c02c5 in execute(std::function const&) src/lepton/jpgcoder.cc:2048
#10 0x5555555be59f in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1871
#11 0x5555555b6555 in app_main(int, char**) src/lepton/jpgcoder.cc:941
#12 0x55555560b796 in main src/lepton/main.cc:17
#13 0x7ffff70750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/lepton/bitops.cc:108 in aligned_dealloc(unsigned char*)
Shadow bytes around the buggy address:
0x10007e6b7ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x10007e6b7cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x10007e6b7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3721==ABORTING

Occurrences

bitops.cc L111-L124

References

Attached files.

Contact me

For any issue or problem, please contact me.
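The report above shows a one-byte read immediately to the left of a region that posix_memalign() returned, inside a deallocation routine. The following C program is an added illustration of the bug class, not lepton's code, and it assumes nothing about what bitops.cc actually does: it implements a common aligned-allocation scheme that records, in the byte just before the user pointer, how far back the raw malloc() result lies, so the matching free reads that byte. A pointer produced by any other allocator (malloc, posix_memalign) has no such byte, and reading it lands in the allocator's left redzone, which is exactly what AddressSanitizer reports as a heap-buffer-overflow one byte to the left of the region. The defensive point shown here is that a deallocator which reads metadata before the pointer must first establish that the pointer is one it issued; this example does that with a small registry of live allocations (a constructed debug aid) and refuses foreign or already-freed pointers without touching memory before them. The function names and the registry are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Alignment must fit in the one-byte header: offset is in the range 1..align. */
#define HDR_MAX_ALIGN 128u
#define LIVE_SLOTS 64

/* Registry of pointers handed out by hdr_aligned_alloc (constructed debug aid). */
static void *live[LIVE_SLOTS];

static int registry_add(void *p)
{
    for (size_t i = 0; i < LIVE_SLOTS; i++)
        if (live[i] == NULL) { live[i] = p; return 1; }
    return 0;
}

static int registry_remove(void *p)
{
    for (size_t i = 0; i < LIVE_SLOTS; i++)
        if (live[i] == p) { live[i] = NULL; return 1; }
    return 0;
}

/* Over-allocate, round up to 'align', store the distance back to the raw
 * block in the byte before the returned pointer.  Returns NULL on bad input. */
void *hdr_aligned_alloc(size_t size, size_t align)
{
    if (align == 0 || (align & (align - 1)) != 0 || align > HDR_MAX_ALIGN)
        return NULL;                      /* not a power of two, or too large */
    if (size > SIZE_MAX - align)
        return NULL;                      /* guard the over-allocation below */
    unsigned char *raw = malloc(size + align);  /* 1 header byte + padding */
    if (raw == NULL)
        return NULL;
    uintptr_t start = (uintptr_t)raw + 1;     /* leave room for the header */
    uintptr_t aligned = (start + align - 1) & ~(uintptr_t)(align - 1);
    unsigned char *user = (unsigned char *)aligned;
    size_t offset = (size_t)(user - raw);     /* 1..align, fits in a byte */
    user[-1] = (unsigned char)offset;
    if (!registry_add(user)) { free(raw); return NULL; }
    return user;
}

/* Returns 1 if p was released, 0 if p is not a live pointer from
 * hdr_aligned_alloc (foreign allocator, double free): in that case the byte
 * before p is never read, which is the read ASan flags in the report. */
int hdr_aligned_free(void *p)
{
    if (p == NULL)
        return 1;
    if (!registry_remove(p))
        return 0;
    unsigned char *user = p;
    free(user - user[-1]);                    /* header byte is valid here */
    return 1;
}

/* Self-check: alignment, full usable size, refusal of foreign pointers and
 * of invalid alignments.  Returns 1 on success, 0 on the first failure. */
int hdr_self_test(void)
{
    const size_t aligns[] = { 1, 16, 64, 128 };
    for (size_t i = 0; i < sizeof aligns / sizeof aligns[0]; i++) {
        unsigned char *p = hdr_aligned_alloc(4096, aligns[i]);
        if (p == NULL || ((uintptr_t)p % aligns[i]) != 0)
            return 0;
        memset(p, 0xAB, 4096);                /* whole requested size is ours */
        if (!hdr_aligned_free(p))
            return 0;
    }
    void *foreign = malloc(32);               /* came from plain malloc */
    if (foreign == NULL)
        return 0;
    int refused = (hdr_aligned_free(foreign) == 0);
    free(foreign);                            /* released by its own allocator */
    if (!refused)
        return 0;
    if (hdr_aligned_alloc(16, 3) != NULL)     /* not a power of two */
        return 0;
    if (hdr_aligned_alloc(16, 256) != NULL)   /* does not fit the header byte */
        return 0;
    return 1;
}

int main(void)
{
    return hdr_self_test() ? 0 : 1;
}
```

Building this with -fsanitize=address and replacing the registry check with an unconditional read of user[-1] on the foreign pointer reproduces the same "1 bytes to the left of ... region" diagnostic pattern seen in the report, which is a useful way to confirm that a crash in a deallocator stems from a pointer that was produced by a different allocation path than the one the deallocator expects.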