tjko / jpegoptim

jpegoptim - utility to optimize/compress JPEG files
http://www.iki.fi/tjko/projects.html
GNU General Public License v3.0

Double-free vulnerability in jpegoptim #57

Closed glen-mac closed 6 years ago

glen-mac commented 6 years ago

I have come across a double free in jpegoptim. Please see the ASAN report below.

The crash file test case can be found here.

This was found in commit d23abf2c59692e0e3638ce8c89d98a3628c686b7.

The command to compile the binary is as follows: CC=clang CXX=clang++ CFLAGS='-fsanitize=address,undefined -g -O2' CXXFLAGS=$CFLAGS make

This double-free could be used to assist in exploiting the software via heap manipulation resulting in code execution.

=================================================================
==24775==ERROR: AddressSanitizer: attempting double-free on 0x62d00000a400 in thread T0:
    #0 0x4c4780  (/root/jpegoptim/jpegoptim_afl+0x4c4780)
    #1 0x4f9c60  (/root/jpegoptim/jpegoptim_afl+0x4f9c60)
    #2 0x7f9a700c1f44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #3 0x41a765  (/root/jpegoptim/jpegoptim_afl+0x41a765)

0x62d00000a400 is located 0 bytes inside of 39485-byte region [0x62d00000a400,0x62d000013e3d)
freed by thread T0 here:
    #0 0x4c4e6d  (/root/jpegoptim/jpegoptim_afl+0x4c4e6d)
    #1 0x4faf9b  (/root/jpegoptim/jpegoptim_afl+0x4faf9b)

previously allocated by thread T0 here:
    #0 0x4c4ac8  (/root/jpegoptim/jpegoptim_afl+0x4c4ac8)
    #1 0x4f7078  (/root/jpegoptim/jpegoptim_afl+0x4f7078)
    #2 0x7f9a700c1f44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: double-free (/root/jpegoptim/jpegoptim_afl+0x4c4780)
==24775==ABORTING

tjko commented 6 years ago

Thanks, looks like recent merge 139a558edfda4d59e9404a622e031dd1dcac189e introduced this. Fix has been checked-in.

tjko commented 6 years ago

Issue wasn't technically a "double-free" but realloc() and free() using a now-stale pointer...

Fix was to update the pointer to the buffer after realloc(): 5b38e8e1176ae0e81daf0a2cd6947f5a811678ef
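The pointer-update pattern behind the fix, as an added illustration that is not jpegoptim's own code: a growable buffer whose pointer lives in exactly one place, so after a realloc() that moves the block there is no second, stale copy left for a later read, write or free(). The struct, function names and the constructed fill pattern are assumptions for this example only.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable byte buffer (hypothetical, constructed for this example).
 * Keeping pointer and sizes together means every caller sees the
 * post-realloc() address; no stale copy of the old address can exist. */
typedef struct {
    unsigned char *data;
    size_t size;   /* bytes allocated */
    size_t used;   /* bytes written */
} growbuf;

int growbuf_init(growbuf *b, size_t initial)
{
    size_t n = initial ? initial : 1;
    b->data = malloc(n);
    if (!b->data)
        return -1;
    b->size = n;
    b->used = 0;
    return 0;
}

/* Append n bytes, growing the block as needed.
 * The bug class from this issue: calling realloc(buf, ...) but continuing
 * to use or free() the old 'buf' value. If realloc() moved the block, the
 * old address dangles: later accesses hit freed memory and the final
 * free(buf) releases an already-released chunk, which ASan reports as a
 * double-free. The fix is to store realloc()'s return value back into the
 * one and only pointer. */
int growbuf_append(growbuf *b, const unsigned char *src, size_t n)
{
    if (n > b->size - b->used) {
        size_t newsize = b->size;
        while (newsize - b->used < n) {
            if (newsize > SIZE_MAX / 2)
                return -1;            /* doubling would overflow size_t */
            newsize *= 2;
        }
        /* On failure realloc() returns NULL and leaves the old block valid,
         * so assign to a temporary first to avoid leaking b->data. */
        unsigned char *p = realloc(b->data, newsize);
        if (!p)
            return -1;
        b->data = p;                  /* the fix: refresh the only pointer */
        b->size = newsize;
    }
    memcpy(b->data + b->used, src, n);
    b->used += n;
    return 0;
}

void growbuf_free(growbuf *b)
{
    free(b->data);
    b->data = NULL;   /* free(NULL) is a no-op, so a second free() cannot corrupt the heap */
    b->size = b->used = 0;
}

/* Drive the buffer through many growth steps (each forcing a realloc() and
 * usually a move) and return a checksum of the contents, so a test can
 * confirm the data survived relocation intact. Chunk i is filled with the
 * byte value (i & 0xff); this fill pattern is constructed for the example. */
unsigned long fill_and_checksum(size_t chunks, size_t chunk_len)
{
    growbuf b;
    unsigned char chunk[64];
    unsigned long sum = 0;

    if (chunk_len > sizeof chunk)
        chunk_len = sizeof chunk;
    if (growbuf_init(&b, 16) != 0)
        return 0;
    for (size_t i = 0; i < chunks; i++) {
        memset(chunk, (int)(i & 0xff), chunk_len);
        if (growbuf_append(&b, chunk, chunk_len) != 0) {
            growbuf_free(&b);
            return 0;
        }
    }
    for (size_t i = 0; i < b.used; i++)
        sum += b.data[i];
    growbuf_free(&b);
    return sum;
}

int main(void)
{
    printf("checksum=%lu\n", fill_and_checksum(1000, 37));
    return 0;
}
```

Building this with the same ASan/UBSan flags quoted in the report (CFLAGS='-fsanitize=address,undefined -g -O2') is the cheapest regression check for this bug class: if any code path kept a pre-realloc() copy of the pointer, the run aborts with a use-after-free or double-free report instead of silently corrupting the heap.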