Headline
CVE-2023-2804: heap-buffer-overflow at /libjpeg-turbo/jdmrgext.c:126 in h2v2_merged_upsample_internal() (SIGSEGV) · Issue #675 · libjpeg-turbo/libjpeg-turbo
A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.
Have you searched the existing issues (both open and closed) in the libjpeg-turbo issue tracker to ensure that this bug report is not a duplicate?
Yes
Does this bug report describe one of the two known and unsolvable issues with the JPEG format?
No
Clear and concise description of the bug:
We found a poc which can cause djpeg crash when fuzz testing.
AddressSanitizer report it as heap-buffer-overflow at /libjpeg-turbo/jdmrgext.c:126 in h2v2_merged_upsample_internal()
Steps to reproduce the bug (using only libjpeg-turbo):
Normal run:
$ /home/cl3nn0/Downloads/test/libjpeg-turbo/build_normal/djpeg -nosmooth ./poc_tmin124
P6
12336 12336
4095
Premature end of JPEG file
[1] 3406823 segmentation fault /home/cl3nn0/Downloads/test/libjpeg-turbo/build_normal/djpeg -nosmooth
Asan report:
$ /home/cl3nn0/Downloads/libjpeg-turbo/build_asan/djpeg -nosmooth ./poc_tmin124
P6
12336 12336
4095
Premature end of JPEG file
=================================================================
==319734==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000009cb0 at pc 0x7f4497da501e bp 0x7ffe7dce5330 sp 0x7ffe7dce5328
READ of size 8 at 0x62d000009cb0 thread T0
#0 0x7f4497da501d in h2v2_merged_upsample_internal /home/cl3nn0/Downloads/libjpeg-turbo/jdmrgext.c:126:19
#1 0x7f4497da501d in h2v2_merged_upsample /home/cl3nn0/Downloads/libjpeg-turbo/jdmerge.c:383:5
#2 0x7f4497d9d95b in merged_2v_upsample /home/cl3nn0/Downloads/libjpeg-turbo/jdmerge.c:260:5
#3 0x7f4497d9c908 in process_data_simple_main /home/cl3nn0/Downloads/libjpeg-turbo/jdmainct.c:317:3
#4 0x7f4497d6b94f in jpeg12_read_scanlines /home/cl3nn0/Downloads/libjpeg-turbo/jdapistd.c:333:3
#5 0x4cab55 in main /home/cl3nn0/Downloads/libjpeg-turbo/djpeg.c:868:25
#6 0x7f44977f8082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41d53d in _start (/home/cl3nn0/Downloads/libjpeg-turbo/build_asan/djpeg+0x41d53d)
0x62d000009cb0 is located 1265 bytes to the right of 37823-byte region [0x62d000000400,0x62d0000097bf)
allocated by thread T0 here:
#0 0x49879d in malloc (/home/cl3nn0/Downloads/libjpeg-turbo/build_asan/djpeg+0x49879d)
#1 0x7f4497d09f93 in alloc_small /home/cl3nn0/Downloads/libjpeg-turbo/jmemmgr.c:317:33
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/cl3nn0/Downloads/libjpeg-turbo/jdmrgext.c:126:19 in h2v2_merged_upsample_internal
Shadow bytes around the buggy address:
0x0c5a7fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a7fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a7fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a7fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a7fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5a7fff9390: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
0x0c5a7fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a7fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a7fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a7fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a7fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==319734==ABORTING
Image(s) needed in order to reproduce the bug (if applicable):
poc_tmin124.zip
Expected behavior:
No crash.
Observed behavior:
djpeg crashes with SIGSEGV.
Platform(s) (compiler version, operating system version, CPU) on which the bug was observed:
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Ubuntu 20.04.4 LTS
Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
libjpeg-turbo release(s), commit(s), or branch(es) in which the bug was observed (always test the tip of the main branch or the latest stable pre-release to verify that the bug hasn’t already been fixed):
$ git log --oneline -1
cc8c6d36 (HEAD -> main, origin/main, origin/HEAD) tjbenchtest: Test all subsampling types
$ /home/cl3nn0/Downloads/libjpeg-turbo/build_asan/djpeg -version
libjpeg-turbo version 2.1.92 (build 20230325)
If the bug is a regression, the specific commit that introduced the regression (use git bisect to determine this):
Additional information:
This bug is not reproducible with the 2.1.x branch.