CVE-2019-15145: DjVuLibre / Bugs / #298 Invalid memory read when processing JB2 images
DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2019-04-09
Created: 2019-04-03
Private: No
When running cjb2 $FILE /dev/null, it may trigger an invalid read error at JB2Image.h:741 or jb2tune.cpp:294.
ASAN:DEADLYSIGNAL
=================================================================
==10212==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f49de7949d2 bp 0x7ffccf4a33b0 sp 0x7ffccf4a3390 T0)
==10212==The signal is caused by a READ memory access.
==10212==Hint: address points to the zero page.
    #0 0x7f49de7949d1 in JB2Dict::JB2Codec::get_direct_context(unsigned char const*, unsigned char const*, unsigned char const*, int) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.h:741
    #1 0x7f49de792ab4 in JB2Dict::JB2Codec::Encode::code_bitmap_directly(GBitmap&, int, int, unsigned char*, unsigned char*, unsigned char*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:304
    #2 0x7f49de79b2a0 in JB2Dict::JB2Codec::code_bitmap_directly(GBitmap&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.cpp:815
    #3 0x7f49de79d78b in JB2Dict::JB2Codec::code_record(int&, GP<JB2Image> const&, JB2Shape*, JB2Blit*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.cpp:1143
    #4 0x7f49de793e2d in JB2Dict::JB2Codec::Encode::code(GP<JB2Image> const&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:494
    #5 0x7f49de7950bd in JB2Dict::JB2Codec::Encode::code(JB2Image*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:100
    #6 0x7f49de791fa8 in JB2Image::encode(GP<ByteStream> const&) const /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:152
    #7 0x557743e8b800 in cjb2(GURL const&, GURL const&, cjb2opts&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:894
    #8 0x557743e8c6c6 in main /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:985
    #9 0x7f49dd585b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x557743e849d9 in _start (/home/hongxu/FOT/djvulibre/djvu-djvulibre-git/install/bin/cjb2+0x79d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.h:741 in JB2Dict::JB2Codec::get_direct_context(unsigned char const*, unsigned char const*, unsigned char const*, int)
==10212==ABORTING
or
ASAN:DEADLYSIGNAL
=================================================================
==15504==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x561a047508e4 bp 0x7fff7e880970 sp 0x7fff7e8808a0 T0)
==15504==The signal is caused by a READ memory access.
==15504==Hint: address points to the zero page.
    #0 0x561a047508e3 in tune_jb2image /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/jb2tune.cpp:294
    #1 0x561a04751078 in tune_jb2image_lossless(JB2Image*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/jb2tune.cpp:377
    #2 0x561a0474928a in cjb2(GURL const&, GURL const&, cjb2opts&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:864
    #3 0x561a0474a6c6 in main /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:985
    #4 0x7f52a0787b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x561a047429d9 in _start (/home/hongxu/FOT/djvulibre/djvu-djvulibre-git/install/bin/cjb2+0x79d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/jb2tune.cpp:294 in tune_jb2image
==15504==ABORTING
This sometimes also affects the cpaldjvu utility.
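The two sanitizer reports above are typical of what a fuzzing campaign produces in bulk, and the first triage step is to parse them, recognise the near-null read pattern, and bucket crashes by crash site so each distinct site (here JB2Image.h:741 and jb2tune.cpp:294) is investigated once. The following Python script is an added example, not code from the ticket or from the DjVuLibre project: the embedded sample reports are abbreviated copies of the ticket's traces, and the parser, the field names, the bucketing rule and the triage labels are assumptions of this example rather than anything DjVuLibre ships.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: abbreviated copies of the two ASAN reports in the
# ticket (most frames elided; one frame per line, as ASAN prints them).
REPORT_A = """\
==10212==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f49de7949d2 bp 0x7ffccf4a33b0 sp 0x7ffccf4a3390 T0)
==10212==The signal is caused by a READ memory access.
==10212==Hint: address points to the zero page.
    #0 0x7f49de7949d1 in JB2Dict::JB2Codec::get_direct_context(unsigned char const*, unsigned char const*, unsigned char const*, int) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2Image.h:741
    #1 0x7f49de792ab4 in JB2Dict::JB2Codec::Encode::code_bitmap_directly(GBitmap&, int, int, unsigned char*, unsigned char*, unsigned char*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/libdjvu/JB2EncodeCodec.cpp:304
    #7 0x557743e8b800 in cjb2(GURL const&, GURL const&, cjb2opts&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:894
    #9 0x7f49dd585b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
==10212==ABORTING
"""
REPORT_B = """\
==15504==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x561a047508e4 bp 0x7fff7e880970 sp 0x7fff7e8808a0 T0)
==15504==The signal is caused by a READ memory access.
==15504==Hint: address points to the zero page.
    #0 0x561a047508e3 in tune_jb2image /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/jb2tune.cpp:294
    #1 0x561a04751078 in tune_jb2image_lossless(JB2Image*) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/jb2tune.cpp:377
    #2 0x561a0474928a in cjb2(GURL const&, GURL const&, cjb2opts&) /home/hongxu/FOT/djvulibre/djvu-djvulibre-git/tools/cjb2.cpp:864
    #4 0x7f52a0787b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
==15504==ABORTING
"""

# Header line: "==PID==ERROR: AddressSanitizer: KIND on [unknown ]address 0x..."
ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on "
                      r"(?:unknown )?address (?P<addr>0x[0-9a-f]+)", re.I)
# Covers both "caused by a READ memory access" and "READ of size N at ..."
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b (?:memory access|of size)")
HINT_RE = re.compile(r"Hint: address points to the zero page")
# "#N 0xADDR in FUNC PATH:LINE[:COL]" or "#N 0xADDR in FUNC (MODULE+0xOFF)"
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>.+?) "
                      r"(?:(?P<path>\S+):(?P<line>\d+)(?::\d+)?|\((?P<module>\S+)\+0x[0-9a-f]+\))$",
                      re.I)


@dataclass
class Frame:
    index: int
    function: str
    path: Optional[str] = None    # source file, when symbolised
    line: Optional[int] = None
    module: Optional[str] = None  # shared object or binary, when not symbolised


@dataclass
class CrashSummary:
    pid: int
    kind: str                     # SEGV, heap-buffer-overflow, ...
    address: int
    access: Optional[str] = None  # READ / WRITE
    near_null: bool = False
    frames: List[Frame] = field(default_factory=list)

    def top_source_frame(self) -> Optional[Frame]:
        """First frame with file:line info, i.e. the crash site a fix would target."""
        return next((f for f in self.frames if f.path), None)

    def bucket(self) -> str:
        """Dedup key: crash kind plus top source frame as basename:line."""
        f = self.top_source_frame()
        site = f"{os.path.basename(f.path)}:{f.line}" if f else "unsymbolised"
        return f"{self.kind}:{site}"

    def triage(self) -> str:
        """Coarse defender-side label for ordering a fuzzer crash queue (assumed heuristic)."""
        if self.kind == "SEGV" and self.near_null:
            return f"near-null {self.access or 'access'}: missing validity check, crash (DoS)"
        return f"{self.kind} {self.access or ''}".strip()


def parse_asan_report(text: str) -> CrashSummary:
    summary: Optional[CrashSummary] = None
    frames: List[Frame] = []
    access: Optional[str] = None
    zero_page = False
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            summary = CrashSummary(int(m["pid"]), m["kind"], int(m["addr"], 16))
            continue
        m = ACCESS_RE.search(line)
        if m and access is None:
            access = m.group(1)
            continue
        if HINT_RE.search(line):
            zero_page = True
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["idx"]), m["func"], m["path"],
                                int(m["line"]) if m["line"] else None, m["module"]))
        elif frames:
            break  # first non-frame line after the stack ends the primary trace
    if summary is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    summary.access = access
    # A fault inside the first page is the null-pointer-plus-small-offset pattern.
    summary.near_null = zero_page or summary.address < 0x1000
    summary.frames = frames
    return summary


def dedupe(crashes: List[CrashSummary]) -> Dict[str, int]:
    """Count crashes per bucket so each distinct site is looked at once."""
    counts: Dict[str, int] = {}
    for c in crashes:
        counts[c.bucket()] = counts.get(c.bucket(), 0) + 1
    return counts


if __name__ == "__main__":
    reports = [parse_asan_report(REPORT_A), parse_asan_report(REPORT_B)]
    for r in reports:
        print(f"pid {r.pid}: {r.bucket()} -> {r.triage()}")
    print(dedupe(reports))
```

Bucketing on the top symbolised frame rather than on the faulting address is deliberate: the address is 0x1 in both reports, so keying on it would merge two different crash sites, while keying on the full stack would split one site into many buckets as inlining and input shape vary.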
8 Attachments