Headline
CVE-2021-46310: DjVuLibre / Bugs / #345 Divide By Zero in djvulibre-3.5.28/libdjvu/IW44Image.cpp
An issue was discovered in IW44Image.cpp in djvulibre 3.5.28 that allows attackers to cause a denial of service via divide by zero.
Divide By Zero in djvulibre-3.5.28/libdjvu/IW44Image.cpp
Command: djvups POC
Result: floating point exception
Bt:
Thread 4 “djvups” received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0x7ffff6926700 (LWP 2411925)]
0x000055555563bbdf in DJVU::IW44Image::Map::image (this=0x7fffe8001640, img8=0x0, rowsize=0, pixsep=3, fast=0) at IW44Image.cpp:679
679 if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x10
RCX 0x0
RDX 0x0
RDI 0x7fffe8001640 —▸ 0x7fffe8001ba0 —▸ 0x7fffe80019d0 —▸ 0x7fffe8001440 —▸ 0x7fffe8001390 ◂— …
RSI 0x20
R8 0x0
R9 0x5555556b6c40 (stdout@@GLIBC_2.2.5) —▸ 0x7ffff7bb56a0 (IO_2_1_stdout) ◂— 0xfbad2a84
R10 0xa
R11 0x7fffe8000080 —▸ 0x7fffe80028f0 ◂— 0x0
R12 0x7ffff6925bc0 ◂— 0x0
R13 0x7fffec001030 —▸ 0x5555556b3898 —▸ 0x55555563ac40 (DJVU::IWPixmap::~IWPixmap()) ◂— endbr64
R14 0x0
R15 0x0
RBP 0x0
RSP 0x7ffff69252a0 ◂— 0x300000000
RIP 0x55555563bbdf ◂— div rcx
───────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
► 0x55555563bbdf div rcx
↓
0x55555563bbdf div rcx
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/zxq/CVE_testing/source/djvulibre-3.5.28/libdjvu/IW44Image.cpp
674 IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
675 {
676 // Allocate reconstruction buffer
677 short *data16;
678 size_t sz = bw * bh;
► 679 if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
680 G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
681 GPBuffer<short> gdata16(data16,sz);
682 // Copy coefficients
683 int i;
684 short *p = data16;
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffff69252a0 ◂— 0x300000000
01:0008│ 0x7ffff69252a8 ◂— 0x0
02:0010│ 0x7ffff69252b0 ◂— 0x0
03:0018│ 0x7ffff69252b8 —▸ 0x7fffe80019d0 —▸ 0x7fffe8001440 —▸ 0x7fffe8001390 —▸ 0x7fffe8001110 ◂— …
04:0020│ 0x7ffff69252c0 —▸ 0x7ffff6925310 ◂— 0x6600000001
05:0028│ 0x7ffff69252c8 ◂— 0x0
06:0030│ 0x7ffff69252d0 ◂— 0x4200000000000000
07:0038│ 0x7ffff69252d8 ◂— 0x4
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────────────────
► f 0 0x55555563bbdf
f 1 0x55555563c28b DJVU::IWPixmap::get_pixmap()+155
f 2 0x5555555d33b7
f 3 0x5555555d42da
f 4 0x5555555d4978 DJVU::DjVuFile::decode_func()+200
f 5 0x5555555d4b65 DJVU::DjVuFile::static_decode_func(void)+69
f 6 0x555555621bb9 DJVU::GThread::start(void*)+57
f 7 0x7ffff7f10609 start_thread+217
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p bw
$1 = 0
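The debugger output shows why the guard at line 679 is itself the fault: `bw` is 0 (`p bw` prints 0, RCX holds 0 and RIP sits on `div rcx`), so the overflow check `sz / (size_t)bw` divides by zero before any dimension has been validated. The example below is added here and is not DjVuLibre code; it places a faithful copy of the page's check next to a hardened version that rejects zero or negative dimensions first and then detects multiplication overflow without dividing by a value that can be zero. The function names (`original_check`, `image_buffer_size`, `checked_image_size`) and the sample dimensions are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts for the size check (hypothetical names, not DjVuLibre's). */
enum size_status { SIZE_OK = 0, SIZE_BAD_DIMENSION = 1, SIZE_OVERFLOW = 2 };

/*
 * Mirror of the check at IW44Image.cpp:678-679 as shown on the page.
 * Returns 1 if the size would be accepted, 0 if the overflow test fails.
 * Calling it with bw == 0 performs an integer division by zero, which is
 * exactly the SIGFPE in the backtrace above; the demo never does that.
 */
int original_check(int bw, int bh)
{
    size_t sz = bw * bh;
    if (sz / (size_t)bw != (size_t)bh)   /* multiplication overflow */
        return 0;
    return 1;
}

/*
 * Hardened form: width and height are already unsigned here, zero is
 * rejected before any division, and overflow is detected by comparing
 * against SIZE_MAX / w, which is well defined because w > 0.
 */
enum size_status image_buffer_size(size_t w, size_t h, size_t *out)
{
    if (w == 0 || h == 0)
        return SIZE_BAD_DIMENSION;
    if (h > SIZE_MAX / w)
        return SIZE_OVERFLOW;
    *out = w * h;
    return SIZE_OK;
}

/* Wrapper taking the int dimensions the decoder works with; negative
 * values are rejected before the cast so they cannot become huge sizes. */
enum size_status checked_image_size(int bw, int bh, size_t *out)
{
    if (bw < 0 || bh < 0)
        return SIZE_BAD_DIMENSION;
    return image_buffer_size((size_t)bw, (size_t)bh, out);
}

static const char *status_name(enum size_status s)
{
    switch (s) {
    case SIZE_OK:            return "ok";
    case SIZE_BAD_DIMENSION: return "rejected: zero or negative dimension";
    case SIZE_OVERFLOW:      return "rejected: size overflows size_t";
    }
    return "?";
}

int main(void)
{
    /* Constructed dimensions; the second pair reproduces bw == 0 from the crash. */
    struct { int bw, bh; } cases[] = { { 640, 480 }, { 0, 16 }, { 16, 0 }, { -1, 8 } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = 0;
        enum size_status s = checked_image_size(cases[i].bw, cases[i].bh, &n);
        printf("%d x %d -> %s (%zu bytes)\n", cases[i].bw, cases[i].bh, status_name(s), n);
    }
    /* The original check only runs on a non-zero width here. */
    printf("original_check(640, 480) = %d\n", original_check(640, 480));
    return 0;
}
```

The hardened check keeps the original's intent (refuse a `bw * bh` that does not fit) but orders the tests so that the cheap dimension check shields the division; a decoder that throws on `SIZE_BAD_DIMENSION` turns this crash into the same clean error path the existing `G_THROW` already provides for oversized images.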