CVE-2020-24222: ffjpeg "jfif_decode" function segment fault · Issue #31 · rockcarry/ffjpeg

Buffer Overflow vulnerability in jfif_decode() function in rockcarry ffjpeg through version 1.0.0, allows local attackers to execute arbitrary code due to an issue with ALIGN.


There is a segment fault in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe3c0) at jfif.c:545.

My system is Ubuntu 16.04.6 amd64. I compiled the latest version of ffjpeg and used my fuzzer to fuzz it with the command line:
ffjpeg -d [file_name]

I got a crash sample that could cause a segment fault.

The sample is attached below.

yang@yang-HP-ZHAN-99-Mobile-Workstation-G1:/MyProject/remote_test/target_src/ffjpeg/src$ gdb ./ffjpeg
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffjpeg...done.
(gdb) r -d /home/yang/crash.jpg
Starting program: /home/yang/MyProject/remote_test/target_src/ffjpeg/src/ffjpeg -d /home/yang/crash.jpg

Program received signal SIGSEGV, Segmentation fault.
0x0000000000402eb2 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe3c0) at jfif.c:545
545         yuv_to_rgb(*ysrc, *usrc, *vsrc, bdst + 2, bdst + 1, bdst + 0);
(gdb) list
540         for (j=0; j<jfif->width; j++) {
541             int ux = j * jfif->comp_info[1].samp_factor_h / sfh_max;
542             int vx = j * jfif->comp_info[2].samp_factor_h / sfh_max;
543             usrc = yuv_datbuf[1] + uy * yuv_stride[1] + ux;
544             vsrc = yuv_datbuf[2] + vy * yuv_stride[2] + vx;
545             yuv_to_rgb(*ysrc, *usrc, *vsrc, bdst + 2, bdst + 1, bdst + 0);
546             bdst += 3;
547             ysrc += 1;
548         }
549         bdst -= jfif->width * 3;
(gdb)

We used ASAN to identify the crash type.
==12023==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1c5c6da24c at pc 0x000000405d2d bp 0x7ffe6131cc00 sp 0x7ffe6131cbf0
READ of size 4 at 0x7f1c5c6da24c thread T0
#0 0x405d2c in jfif_decode /home/aota04/MC_xxfuzz/test/ffjpeg/build_asan/src/jfif.c:545
#1 0x401233 in main (/home/aota04/MC_xxfuzz/test/ffjpeg/build_asan/src/ffjpeg+0x401233)
#2 0x7f1c5b1f383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#3 0x4010c8 in _start (/home/aota04/MC_xxfuzz/test/ffjpeg/build_asan/src/ffjpeg+0x4010c8)

0x7f1c5c6da24c is located 0 bytes to the right of 141900-byte region [0x7f1c5c6b7800,0x7f1c5c6da24c)
allocated by thread T0 here:
#0 0x7f1c5b635602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x404c96 in jfif_decode /home/aota04/MC_xxfuzz/test/ffjpeg/build_asan/src/jfif.c:442
#2 0x401233 in main (/home/aota04/MC_xxfuzz/test/ffjpeg/build_asan/src/ffjpeg+0x401233)
#3 0x7f1c5b1f383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota04/MC_xxfuzz/test/ffjpeg/build_asan/src/jfif.c:545 jfif_decode
Shadow bytes around the buggy address:
0x0fe40b8d33f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe40b8d3400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe40b8d3410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe40b8d3420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe40b8d3430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe40b8d3440: 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa
0x0fe40b8d3450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe40b8d3460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe40b8d3470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe40b8d3480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe40b8d3490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05
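As an added illustration (not ffjpeg's own code and not the project's fix), the C below shows the precondition check a decoder can run before entering the loop listed at jfif.c:540-548: it recomputes the largest row and column the loop derives from the component sampling factors and compares that with the number of samples actually allocated for each plane, which is the relation the ASAN report above shows being violated (a read landing 0 bytes past the region). The struct, its field names and the 4:2:0 geometry in main are assumptions, and the plane sizes are constructed, not taken from the crash file.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical plane geometry, named after the fields visible in the gdb
 * listing (samp_factor_h, yuv_stride). These are not ffjpeg's own types. */
typedef struct {
    int samp_factor_h;   /* horizontal sampling factor of the component */
    int samp_factor_v;   /* vertical sampling factor of the component */
    int stride;          /* samples per row in the decoded plane */
    size_t plane_len;    /* samples actually allocated for the plane */
} plane_geom;

/* Largest sample offset the conversion loop touches in one plane:
 * row = (height-1)*samp_v/sfv_max, col = (width-1)*samp_h/sfh_max, the same
 * arithmetic as lines 541-544. Returns -1 on invalid geometry or when the
 * column index would run past the end of its own row. */
long max_plane_offset(int width, int height, const plane_geom *p, int sfh_max, int sfv_max)
{
    if (width <= 0 || height <= 0 || sfh_max <= 0 || sfv_max <= 0) return -1;
    if (p->stride <= 0 || p->samp_factor_h <= 0 || p->samp_factor_v <= 0) return -1;
    long row = (long)(height - 1) * p->samp_factor_v / sfv_max;
    long col = (long)(width - 1) * p->samp_factor_h / sfh_max;
    if (col >= p->stride) return -1;
    return row * p->stride + col;
}

/* 1 if every read of the Y/U/V loop stays inside its allocation, else 0.
 * Call this before the conversion loop and reject the file on 0. */
int planes_fit(int width, int height, const plane_geom planes[3], int sfh_max, int sfv_max)
{
    for (int c = 0; c < 3; c++) {
        long off = max_plane_offset(width, height, &planes[c], sfh_max, sfv_max);
        if (off < 0 || (size_t)off >= planes[c].plane_len) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed 4:2:0 geometry: Y is 2x2, U and V are 1x1, sfh_max = sfv_max = 2. */
    plane_geom aligned[3] = { {2, 2, 16, 16 * 16}, {1, 1, 8, 8 * 8}, {1, 1, 8, 8 * 8} };
    printf("16x16, planes sized from aligned dims: %s\n",
           planes_fit(16, 16, aligned, 2, 2) ? "ok" : "REJECT");
    /* Same image 17 rows high, but chroma planes sized by truncating 17/2 to 8 rows
     * instead of rounding up: the loop reads row 8 of a plane that only has rows 0..7. */
    plane_geom truncated[3] = { {2, 2, 16, 17 * 16}, {1, 1, 8, (17 / 2) * 8}, {1, 1, 8, (17 / 2) * 8} };
    printf("17 rows, chroma planes sized from truncated dims: %s\n",
           planes_fit(16, 17, truncated, 2, 2) ? "ok" : "REJECT");
    return 0;
}
```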
