tjko / jpeginfo

jpeginfo - prints information and tests integrity of JPEG/JFIF files
http://www.iki.fi/tjko/projects.html
GNU General Public License v3.0

[BUG]: ERROR heap-buffer-overflow #13

Closed SophrosyneX closed 1 year ago

SophrosyneX commented 2 years ago

Crash Inputs

Here are the files (3 in total) that trigger the error: jpeginfo_asan.zip

Bug Description:

When executing jpeginfo (new release version) with the file inputs and the parameters "-c -C -l", the program terminates with the non-fatal error shown below.

 Corrupt JPEG data: 85 extraneous bytes before marker 0xdb  227 x 149  24bit n/a   N    5681 /jpeginfo/msan/crashes/2  Quantization table 0x00 was not defined  /jpeginfo/msan/crashes/2 [ERROR]

Then I applied ASan (Memory Sanitizer) to check for memory errors, and the error report is as follows.

=================================================================
==50542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000058 at pc 0x000000435bd9 bp 0x7fffea41be70 sp 0x7fffea41b5f8
READ of size 6 at 0x606000000058 thread T0
    #0 0x435bd8 in __interceptor_memcmp (/data/Deter-Study/fuzzbench/sanitizer/jpeginfo_asan/jpeginfo_asan+0x435bd8)
    #1 0x4f6e9d in main /jpeginfo/jpeginfo.c:313:13
    #2 0x7fea571a1c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #3 0x41ae29 in _start (/jpeginfo_asan/jpeginfo_asan+0x41ae29)

0x606000000058 is located 0 bytes to the right of 56-byte region [0x606000000020,0x606000000058)
allocated by thread T0 here:
    #0 0x4c67d3 in malloc (/jpeginfo_asan/jpeginfo_asan+0x4c67d3)
    #1 0x511f7b in alloc_large /jpeg-9c/jmemmgr.c:363:30

SUMMARY: AddressSanitizer: heap-buffer-overflow (/jpeginfo_asan/jpeginfo_asan+0x435bd8) in __interceptor_memcmp
Shadow bytes around the buggy address:
  0x0c0c7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c0c7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50542==ABORTING

Steps to Reproduce

tjko commented 1 year ago

Thanks, looks like memcmp() may have read past end of the buffer in some circumstances.

99f8bda3a772d031fd5d9e5aec8e5fe7769ad8d3 should fix this.
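As an added example (not jpeginfo's own code and not the change in the commit referenced above), here is the defect class the report illustrates: a fixed-length memcmp() against marker data that may hold fewer bytes than the comparison length, next to the bounds-checked form. The marker struct, the 6-byte identifier and the sample payloads are constructed for illustration; the ASan report above shows a 6-byte READ that ran off the end of a 56-byte heap region, which is the shape of bug this guards against.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a saved JPEG marker as a reader might hold it after a
 * decoder has copied the segment payload into a heap buffer. */
typedef struct {
    const uint8_t *data;        /* payload bytes, exactly data_length of them */
    unsigned int   data_length; /* may be smaller than any identifier we test */
} marker_t;

/* Hypothetical 6-byte identifier: "Exif" followed by two NUL bytes. */
#define IDENT_BYTES "Exif\0\0"
#define IDENT_LEN   6u

/* Unsafe form: always compares IDENT_LEN bytes. If the marker payload is
 * shorter than 6 bytes, memcmp reads past the allocation; with ASan that
 * surfaces as "heap-buffer-overflow ... READ of size 6". */
int ident_matches_unchecked(const marker_t *m)
{
    return memcmp(m->data, IDENT_BYTES, IDENT_LEN) == 0;
}

/* Hardened form: a payload that cannot hold the identifier is treated as
 * "no match" before any memory is touched, so the read never exceeds
 * data_length. */
int ident_matches_checked(const marker_t *m)
{
    if (m == NULL || m->data == NULL || m->data_length < IDENT_LEN)
        return 0;
    return memcmp(m->data, IDENT_BYTES, IDENT_LEN) == 0;
}

int main(void)
{
    /* Constructed truncated marker: only 4 payload bytes survive. */
    static const uint8_t truncated[] = { 'E', 'x', 'i', 'f' };
    marker_t m = { truncated, (unsigned int)sizeof truncated };

    /* Only the checked variant is safe to call on this input. */
    printf("checked: %s\n", ident_matches_checked(&m) ? "match" : "no match");
    return 0;
}
```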