Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-37837: two bug in jpeg encoding · Issue #87 · thorfdbg/libjpeg

libjpeg commit db33a6e was discovered to contain a heap buffer overflow via LineBitmapRequester::EncodeRegion at linebitmaprequester.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

CVE
#vulnerability#ubuntu#linux#dos#git#c++#buffer_overflow#ssl

Hello, I was playing with my new fuzzer and found two bugs in jpeg’s encoding module.

Environment

Ubuntu 20.04, gcc 9.4.0, libjpeg latest commit db33a6e

Compile with gcc and AddressSanitizer.

run the program with ./jpeg -p @@ /dev/null

BUG0

jpeg Copyright (C) 2012-2018 Thomas Richter, University of Stuttgart
and Accusoft

For license conditions, see README.license for details.

=================================================================
==666872==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000f408 at pc 0x559ad43fba61 bp 0x7ffc1d504e10 sp 0x7ffc1d504e00
READ of size 4 at 0x62500000f408 thread T0
    #0 0x559ad43fba60 in YCbCrTrafo<unsigned short, 1, (unsigned char)1, 1, 0>::RGB2YCbCr(RectAngle<int> const&, ImageBitMap const* const*, int**) (/fuzz/libjpeg/crash/jpeg.asan+0x1d4a60)
    #1 0x559ad459610b in LineBitmapRequester::EncodeRegion(RectAngle<int> const&) /benchmark/libjpeg/control/linebitmaprequester.cpp:404
    #2 0x559ad42b97dd in Image::EncodeRegion(BitMapHook*, RectangleRequest const*) /benchmark/libjpeg/codestream/image.cpp:1159
    #3 0x559ad42a20d0 in JPEG::InternalProvideImage(JPG_TagItem*) /benchmark/libjpeg/interface/jpeg.cpp:813
    #4 0x559ad42a157b in JPEG::ProvideImage(JPG_TagItem*) /benchmark/libjpeg/interface/jpeg.cpp:732
    #5 0x559ad4281d5e in EncodeC(char const*, char const*, char const*, char const*, int, int, int, int, int, int, bool, bool, bool, bool, bool, bool, bool, bool, bool, bool, unsigned char, bool, bool, unsigned int, double, int, bool, bool, bool, bool, bool, bool, bool, bool, bool, int, int, int, bool, bool, bool, int, bool, char const*, char const*, char const*, int, int, int, int, bool, int, int, int, int, int, int, int, bool, bool, bool, bool, bool, bool, char const*, char const*, char const*, char const*) /benchmark/libjpeg/cmd/encodec.cpp:693
    #6 0x559ad4271517 in main /benchmark/libjpeg/cmd/main.cpp:760
    #7 0x7f910caca082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #8 0x559ad426d9ad in _start (/fuzz/libjpeg/crash/jpeg.asan+0x469ad)

Address 0x62500000f408 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/fuzz/libjpeg/crash/jpeg.asan+0x1d4a60) in YCbCrTrafo<unsigned short, 1, (unsigned char)1, 1, 0>::RGB2YCbCr(RectAngle<int> const&, ImageBitMap const* const*, int**)
Shadow bytes around the buggy address:
  0x0c4a7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff9e80: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==666872==ABORTING

poc0.zip

BUG1

jpeg Copyright (C) 2012-2018 Thomas Richter, University of Stuttgart
and Accusoft

For license conditions, see README.license for details.

jpeg.asan: bitmaphook.cpp:111: JPG_LONG BitmapHook(JPG_Hook*, JPG_TagItem*): Assertion `maxy - miny < bmm->bmm_ulHeight' failed.
Aborted

The StackTrace is below:

#0  BitMapHook::BitMapHook (this=0x0, tags=0x0) at bitmaphook.cpp:61
#1  0x0000564ba8fbf899 in JPEG::InternalProvideImage (this=0x61b000000098, tags=0x7fff2ffd9430) at jpeg.cpp:776
#2  0x0000564ba8fbf57c in JPEG::ProvideImage (this=0x61b000000098, tags=0x7fff2ffd9430) at jpeg.cpp:732
#3  0x0000564ba8f9fd5f in EncodeC (source=0x7fff3009b88d "crashes/poc.assert.BitmapHook", ldrsource=0x0, target=0x7fff3009b8ab "/dev/null", ltable=0x0,
    quality=-1, hdrquality=-1, tabletype=0, residualtt=0, maxerror=0, colortrafo=1, baseline=false, lossless=true, progressive=false, residual=false,
    optimize=false, accoding=false, rsequential=false, rprogressive=false, raccoding=false, qscan=false, levels=0 '\000', pyramidal=false, writednl=false,
    restart=0, gamma=0, lsmode=-1, noiseshaping=false, serms=false, losslessdct=false, openloop=false, deadzone=false, lagrangian=false, dering=false,
    xyz=false, cxyz=false, hiddenbits=0, riddenbits=0, resprec=8, separate=false, median=true, noclamp=true, smooth=0, dctbypass=false, sub=0x0,
    ressub=0x0, alpha=0x0, alphamode=1, matte_r=0, matte_g=0, matte_b=0, alpharesiduals=false, alphaquality=70, alphahdrquality=0, alphatt=0,
    residualalphatt=0, ahiddenbits=0, ariddenbits=0, aresprec=8, aopenloop=false, adeadzone=false, alagrangian=false, adering=false, aserms=false,
    abypass=false, quantsteps=0x0, residualquantsteps=0x0, alphasteps=0x0, residualalphasteps=0x0) at encodec.cpp:693
#4  0x0000564ba8f8f518 in main (argc=3, argv=0x7fff3009a6c0) at main.cpp:760

poc1.zip

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907