search

tjko / jpegoptim

jpegoptim - utility to optimize/compress JPEG files
http://www.iki.fi/tjko/projects.html
GNU General Public License v3.0
1.59k stars 117 forks source link

heap buffer overflow in jpegoptim #45

Closed bestshow closed 7 years ago

bestshow commented 7 years ago

on RELEASE.1.4.4

jpegoptim --dest=tempoutdir $FILE

================================================================= heap-buffer-overflow on address 0x60800000bff7 at pc 0x7fb50428558f bp 0x7ffc931d2dc0 sp 0x7ffc931d2570 READ of size 29 at 0x60800000bff7 thread T0

0 0x7fb50428558e in __interceptor_memcmp ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:414

#1 0x404d73 in main /home/haojun/Downloads/testopensourcecode/jpegoptim-master/jpegoptim.c:579
#2 0x7fb503901b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
#3 0x4024e8  (/home/haojun/Downloads/testopensourcecode/jpegoptim-master/jpegoptim+0x4024e8)

0x60800000bff7 is located 0 bytes to the right of 87-byte region [0x60800000bfa0,0x60800000bff7) allocated by thread T0 here:

0 0x7fb5042b9bb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62

#1 0x7fb503ccdbe3  (/lib64/libjpeg.so.62+0x2cbe3)
#2 0x60f00000ef4f  (<unknown module>)

heap-buffer-overflow ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:414 in __interceptor_memcmp Shadow bytes around the buggy address: 0x0c107fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c107fff97f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[07]fa 0x0c107fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==31389==ABORTING

testcase: https://github.com/bestshow/p0cs/blob/master/2215-heap-buffer-overflow-jpegoptim

Author: ADLab of Venustech

tjko commented 7 years ago

How is this "buffer overflow" exactly? memcmp() just reads doesn't write anything...

tjko commented 7 years ago

Buffer size checks added before calls to memcmp(): be48eaff75d1c50f9a8e9a3a5159eb00c2c46935

(testcase shouldn't "work" anymore?)

bestshow commented 7 years ago

The testcase works.