search

tjko / jpegoptim

jpegoptim - utility to optimize/compress JPEG files
http://www.iki.fi/tjko/projects.html
GNU General Public License v3.0
1.56k stars 116 forks source link

Heap-buffer-overflow n function optimize at jpegoptim.c:691:12 #132

Closed blu3sh0rk closed 1 year ago

blu3sh0rk commented 1 year ago

Desctiption

A heap-buffer-overflow has occurred when running program jpegoptim in function optimize at jpegoptim.c:691:12

Version

$ git log
commit f20f0e8775335d9f44efc65285a6ca85451e2036 (HEAD -> master, tag: v1.5.2, origin/master, origin/HEAD)
Author: Timo Kokkonen <tjko@iki.fi>
Date:   Fri Feb 10 18:00:41 2023 -0800

    Bump version to v1.5.2

Steps to reproduce

$ git clone https://github.com/tjko/jpegoptim.git jpegoptim-g
$ cd jpegoptim-g
$ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build
$ build/bin/jpegoptim --stdout stdout-heapoverflow

=================================================================
==3544758==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010800 at pc 0x0000002708ae bp 0x7ffed5edb070 sp 0x7ffed5eda838
READ of size 88156 at 0x631000010800 thread T0
    #0 0x2708ad in fwrite (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2708ad)
    #1 0x30dbc3 in optimize /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1093:8
    #2 0x3120e7 in main /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1369:10
    #3 0x7f588cf2d082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x2584bd in _start (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2584bd)

0x631000010800 is located 0 bytes to the right of 65536-byte region [0x631000000800,0x631000010800)
allocated by thread T0 here:
    #0 0x2d371d in malloc (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2d371d)
    #1 0x30ad0f in optimize /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:691:12
    #2 0x3120e7 in main /home/lzy/fuzz/oss/jpegoptim-g/jpegoptim.c:1369:10
    #3 0x7f588cf2d082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/lzy/fuzz/oss/jpegoptim-g/jpegoptim+0x2708ad) in fwrite
Shadow bytes around the buggy address:
  0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3544758==ABORTING

POC

https://github.com/blu3sh0rk/Fuzzing-crash/blob/main/jpegoptim/stdout-heapoverflow

Code in function optimize at jpegoptim.c:691:12

/* Prepare to decompress */
    if (stdin_mode || stdout_mode) {
        if (inbuffer)
            free(inbuffer);
        inbuffersize=65536;
        inbuffer=malloc(inbuffersize);     <---- line 691
        if (!inbuffer)
            fatal("not enough memory");
    }
    global_error_counter=0;
    jpeg_save_markers(&dinfo, JPEG_COM, 0xffff);
    for (j=0;j<=15;j++) {
        jpeg_save_markers(&dinfo, JPEG_APP0+j, 0xffff);
    }

Environment

Ubuntu 20.04.3 LTS \n \l

IMPACT

Potentially causing DoS and RCE

tjko commented 1 year ago

Thanks for pointing this out! Looks like it can read past the end of buffer if parsing corrupt JPEG image.

Fix is now checked in: 29a073ad297a0954f5e865264e24755d0ffe53ed