CVE-2023-46362: heap-use-after-free in jbig2enc via jbig2enc_auto_threshold_using_hash in src/jbig2enc.cc. · Issue #84 · agl/jbig2enc
heap-use-after-free in jbig2enc

Description
jbig2enc v0.28 was discovered to contain a heap-use-after-free via jbig2enc_auto_threshold_using_hash in src/jbig2enc.cc. This vulnerability can lead to a Denial of Service (DoS).
ASAN Log
./src/jbig2 -s -a -p Poc1jbig2enc
=================================================================
==1464517==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000015470 at pc 0x555555560b51 bp 0x7fffffffdf70 sp 0x7fffffffdf60
READ of size 4 at 0x603000015470 thread T0
    #0 0x555555560b50 in remove_templates /test2/jbig2enc/src/jbig2enc.cc:248
    #1 0x555555562efd in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:484
    #2 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #3 0x7ffff6c1f082 in __libc_start_main …/csu/libc-start.c:308
    #4 0x55555555bf4d in _start (/test2/jbig2enc/src/jbig2+0x7f4d)

0x603000015470 is located 16 bytes inside of 24-byte region [0x603000015460,0x603000015478)
freed by thread T0 here:
    #0 0x7ffff769251f in operator delete(void*) …/…/…/…/src/libsanitizer/asan/asan_new_delete.cc:165
    #1 0x55555557a4f5 in __gnu_cxx::new_allocator<std::_List_node<int> >::deallocate(std::_List_node<int>*, unsigned long) (/test2/jbig2enc/src/jbig2+0x264f5)
    #2 0x5555555778f3 in std::allocator_traits<std::allocator<std::_List_node<int> > >::deallocate(std::allocator<std::_List_node<int> >&, std::_List_node<int>*, unsigned long) (/test2/jbig2enc/src/jbig2+0x238f3)
    #3 0x555555571fc7 in std::__cxx11::_List_base<int, std::allocator<int> >::_M_put_node(std::_List_node<int>*) (/test2/jbig2enc/src/jbig2+0x1dfc7)
    #4 0x55555556e28e in std::__cxx11::list<int, std::allocator<int> >::_M_erase(std::_List_iterator<int>) (/test2/jbig2enc/src/jbig2+0x1a28e)
    #5 0x55555556c1f4 in std::__cxx11::list<int, std::allocator<int> >::pop_back() (/test2/jbig2enc/src/jbig2+0x181f4)
    #6 0x555555560ba2 in remove_templates /test2/jbig2enc/src/jbig2enc.cc:251
    #7 0x555555562efd in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:484
    #8 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #9 0x7ffff6c1f082 in __libc_start_main …/csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ffff7691587 in operator new(unsigned long) …/…/…/…/src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55555557b669 in __gnu_cxx::new_allocator<std::_List_node<int> >::allocate(unsigned long, void const*) (/test2/jbig2enc/src/jbig2+0x27669)
    #2 0x55555557a524 in std::allocator_traits<std::allocator<std::_List_node<int> > >::allocate(std::allocator<std::_List_node<int> >&, unsigned long) (/test2/jbig2enc/src/jbig2+0x26524)
    #3 0x555555577918 in std::__cxx11::_List_base<int, std::allocator<int> >::_M_get_node() (/test2/jbig2enc/src/jbig2+0x23918)
    #4 0x55555557236d in std::_List_node<int>* std::__cxx11::list<int, std::allocator<int> >::_M_create_node<int const&>(int const&) (/test2/jbig2enc/src/jbig2+0x1e36d)
    #5 0x55555556e99f in void std::__cxx11::list<int, std::allocator<int> >::_M_insert<int const&>(std::_List_iterator<int>, int const&) (/test2/jbig2enc/src/jbig2+0x1a99f)
    #6 0x555555577cf2 in void std::__cxx11::list<int, std::allocator<int> >::emplace_back<int const&>(int const&) (/test2/jbig2enc/src/jbig2+0x23cf2)
    #7 0x5555555728f2 in void std::__cxx11::list<int, std::allocator<int> >::_M_initialize_dispatch<std::_List_const_iterator<int> >(std::_List_const_iterator<int>, std::_List_const_iterator<int>, std::__false_type) (/test2/jbig2enc/src/jbig2+0x1e8f2)
    #8 0x55555556ebe7 in std::__cxx11::list<int, std::allocator<int> >::list(std::__cxx11::list<int, std::allocator<int> > const&) (/test2/jbig2enc/src/jbig2+0x1abe7)
    #9 0x55555556cbb6 in std::pair<unsigned int, std::__cxx11::list<int, std::allocator<int> > >::pair<int&, std::__cxx11::list<int, std::allocator<int> >&, true>(int&, std::__cxx11::list<int, std::allocator<int> >&) (/test2/jbig2enc/src/jbig2+0x18bb6)
    #10 0x555555562cba in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:471
    #11 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #12 0x7ffff6c1f082 in __libc_start_main …/csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /test2/jbig2enc/src/jbig2enc.cc:248 in remove_templates
Shadow bytes around the buggy address:
  0x0c067fffaa30: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fffaa40: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fffaa50: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
  0x0c067fffaa60: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fffaa70: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fffaa80: fd fd fd fa fa fa fd fd fd fa fa fa fd fd[fd]fa
  0x0c067fffaa90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1464517==ABORTING
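The trace above says the freed 24-byte block is a std::list<int> node released by list::pop_back() inside remove_templates, and the faulting READ of size 4 is the int payload of that node read a few lines earlier in the same function. The following is an added illustration, not code from jbig2enc: a hypothetical remove_templates-style routine in the iterator-invalidating shape that produces exactly that ASan report, next to the safe rewrite that uses erase()'s returned iterator. The function names, the list contents and the `drop` set are constructed for the example.

```cpp
// Added illustration (not jbig2enc's code): list iterator invalidation that
// ASan reports as heap-use-after-free, and the safe shape of the same loop.
#include <algorithm>
#include <list>
#include <vector>

// Hypothetical "drop every id listed in `drop`" routine, unsafe shape.
// pop_back() frees the tail node; if `it` is parked on that node, the loop's
// next ++it / *it reads a freed list node (ASan: READ of size 4, the int
// payload, in a region freed by list::pop_back). Shown only for its shape;
// it is never called here.
[[maybe_unused]] static int remove_unsafe(std::list<int> &ids,
                                          const std::vector<int> &drop) {
  int removed = 0;
  for (auto it = ids.begin(); it != ids.end(); ++it) {
    if (std::find(drop.begin(), drop.end(), *it) != drop.end()) {
      ids.pop_back();   // may free the node `it` still references
      ++removed;
    }
  }
  return removed;
}

// Safe shape: erase() returns the next valid iterator, so the loop never
// touches a freed node, and it removes the element that actually matched.
static int remove_safe(std::list<int> &ids, const std::vector<int> &drop) {
  int removed = 0;
  for (auto it = ids.begin(); it != ids.end();) {
    if (std::find(drop.begin(), drop.end(), *it) != drop.end()) {
      it = ids.erase(it);   // node freed, iterator re-seated on its successor
      ++removed;
    } else {
      ++it;
    }
  }
  return removed;
}

// Helpers over constructed input so the safe routine can be checked by value.
static int count_removed(std::vector<int> init, std::vector<int> drop) {
  std::list<int> ids(init.begin(), init.end());
  return remove_safe(ids, drop);
}
static std::vector<int> remaining(std::vector<int> init, std::vector<int> drop) {
  std::list<int> ids(init.begin(), init.end());
  remove_safe(ids, drop);
  return std::vector<int>(ids.begin(), ids.end());
}
```

Building with `-fsanitize=address -g` and calling remove_unsafe on a list whose last element is in `drop` reproduces the same "freed by pop_back, read in the loop" report shape as the log above.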
Reproduction
git clone https://github.com/agl/jbig2enc.git
cd jbig2enc
apt install libleptonica-dev
./autogen.sh
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure --disable-shared
make -j24
./src/jbig2 -s -a -p Poc1jbig2enc
PoC
Poc1jbig2enc: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/Poc1jbig2enc
Version
root@38ad1e4b9d16:/test2/jbig2enc# ./src/jbig2 --version
jbig2enc 0.28
Reference
https://github.com/agl/jbig2enc
Environment
ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
Credit
Zeng Yunxiang