CVE-2019-15145: DjVuLibre / Bugs / #298 Invalid Memory Read when calling processing jb2 images

DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.


Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2019-04-09

Created: 2019-04-03

Private: No

When running cjb2 $FILE /dev/null, it may trigger an invalid read error at JB2Image.h:741 or jb2tune.cpp:294.

ASAN:DEADLYSIGNAL
=================================================================
==10212==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f49de7949d2 bp 0x7ffccf4a33b0 sp 0x7ffccf4a3390 T0)
==10212==The signal is caused by a READ memory access.
==10212==Hint: address points to the zero page.
    #0 0x7f49de7949d1 in JB2Dict::JB2Codec::get_direct_context(unsigned char const*, unsigned char const*, unsigned char const*, int) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.h:741
    #1 0x7f49de792ab4 in JB2Dict::JB2Codec::Encode::code_bitmap_directly(GBitmap&, int, int, unsigned char*, unsigned char*, unsigned char*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:304
    #2 0x7f49de79b2a0 in JB2Dict::JB2Codec::code_bitmap_directly(GBitmap&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.cpp:815
    #3 0x7f49de79d78b in JB2Dict::JB2Codec::code_record(int&, GP<JB2Image> const&, JB2Shape*, JB2Blit*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.cpp:1143
    #4 0x7f49de793e2d in JB2Dict::JB2Codec::Encode::code(GP<JB2Image> const&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:494
    #5 0x7f49de7950bd in JB2Dict::JB2Codec::Encode::code(JB2Image*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:100
    #6 0x7f49de791fa8 in JB2Image::encode(GP<ByteStream> const&) const /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:152
    #7 0x557743e8b800 in cjb2(GURL const&, GURL const&, cjb2opts&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:894
    #8 0x557743e8c6c6 in main /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:985
    #9 0x7f49dd585b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x557743e849d9 in _start (/home/hongxu/FOT/djvulibre/djvu-djvulibre-git/install/bin/cjb2+0x79d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.h:741 in JB2Dict::JB2Codec::get_direct_context(unsigned char const*, unsigned char const*, unsigned char const*, int)
==10212==ABORTING

or

ASAN:DEADLYSIGNAL
=================================================================
==15504==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x561a047508e4 bp 0x7fff7e880970 sp 0x7fff7e8808a0 T0)
==15504==The signal is caused by a READ memory access.
==15504==Hint: address points to the zero page.
    #0 0x561a047508e3 in tune_jb2image /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/jb2tune.cpp:294
    #1 0x561a04751078 in tune_jb2image_lossless(JB2Image*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/jb2tune.cpp:377
    #2 0x561a0474928a in cjb2(GURL const&, GURL const&, cjb2opts&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:864
    #3 0x561a0474a6c6 in main /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:985
    #4 0x7f52a0787b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x561a047429d9 in _start (/home/hongxu/FOT/djvulibre/djvu-djvulibre-git/install/bin/cjb2+0x79d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/jb2tune.cpp:294 in tune_jb2image
==15504==ABORTING

This sometimes also affects the cpaldjvu utility.
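The CVE text attributes the zero-page read to a missing zero-bytes check on the bitmap that feeds get_direct_context. The following is an added model, not DjVuLibre's code: it assumes a simplified one-byte-per-pixel bitmap with a padding border and a reduced context function, and constructs a corrupt input whose header declares dimensions but whose storage is empty. The unchecked row lookup then hands the context function an address a few bytes into the zero page, which is the shape of the ASAN report above; the checked lookup and the up-front storage validation are the two places a fix can live.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct Bitmap {
  int rows = 0, columns = 0, border = 2;  // border: padding bytes on each side of a row
  std::vector<unsigned char> storage;     // one byte per pixel, rows * bytes_per_row() long
  int bytes_per_row() const { return columns + 2 * border; }
  // Unchecked lookup that trusts the header: a bitmap with zero bytes of storage has no
  // allocation (modelled as base 0), so the "row" lands a few bytes into the zero page.
  const unsigned char* row_unchecked(int y) const {
    std::uintptr_t base = storage.empty() ? 0 : reinterpret_cast<std::uintptr_t>(storage.data());
    return reinterpret_cast<const unsigned char*>(base + y * bytes_per_row() + border);
  }
  // Checked lookup: missing storage or an out-of-range row resolves to a shared all-zero
  // row that is always readable, so taps above row 0 simply read zeros.
  const unsigned char* row_checked(int y) const {
    static const unsigned char zero_row[4096] = {0};
    if (storage.empty() || y < 0 || y >= rows) return zero_row + border;
    return storage.data() + (std::size_t)y * bytes_per_row() + border;
  }
};

// Simplified direct context: three taps on each of the two rows above and two left-hand
// taps on the current row (real JB2 uses ten). Reading col+1 through a null row is the 0x1 read.
inline int direct_context(const unsigned char* up2, const unsigned char* up1,
                          const unsigned char* up0, int col) {
  return (up2[col - 1] << 7) | (up2[col] << 6) | (up2[col + 1] << 5)
       | (up1[col - 1] << 4) | (up1[col] << 3) | (up1[col + 1] << 2)
       | (up0[col - 1] << 1) | up0[col - 2];
}

// Context for pixel (y, col) using either row lookup.
int context_at(const Bitmap& bm, int y, int col, bool checked) {
  auto row = [&](int r) { return checked ? bm.row_checked(r) : bm.row_unchecked(r); };
  return direct_context(row(y - 2), row(y - 1), row(y), col);
}

// Up-front validation a caller can run before encoding: header must be backed by storage.
bool has_backing_storage(const Bitmap& bm) {
  return bm.rows > 0 && bm.columns > 0 &&
         bm.storage.size() == (std::size_t)bm.rows * bm.bytes_per_row();
}

// Constructed inputs: a corrupt 4x4 header with empty storage, and a valid 3x3 bitmap
// whose only set pixel is at row 1, column 1.
Bitmap corrupt_bitmap() { Bitmap b; b.rows = 4; b.columns = 4; return b; }
Bitmap small_bitmap() {
  Bitmap b; b.rows = 3; b.columns = 3;
  b.storage.assign((std::size_t)b.rows * b.bytes_per_row(), 0);
  b.storage[(std::size_t)1 * b.bytes_per_row() + b.border + 1] = 1;
  return b;
}
```

Running the unchecked path on the corrupt bitmap would dereference the zero page; the checked path returns context 0 for every pixel, and has_backing_storage rejects the input before any context is computed.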

