Headline

CVE-2021-44957: global-buffer-overflow in function jfif_encode at jfif.c:708 · Issue #44 · rockcarry/ffjpeg

Global buffer overflow vulnerability exist in ffjpeg through 01.01.2021. It is similar to CVE-2020-23705. Issue is in the jfif_encode function at ffjpeg/src/jfif.c (line 708) could cause a Denial of Service by using a crafted jpeg file.

2 years ago

CVE

Open in Source

#vulnerability #ubuntu #dos #buffer_overflow

Describe
A global-buffer-overflow was discovered in ffjpeg. The issue is being triggered in function jfif_encode at jfif.c:708.

Found by Cem Onat Karagun of Diesec

System info
OS version : Ubuntu 21.04
ffjpeg Version : master(0fa4cf8a86)

Reproduce

Compile ffjpeg with address sanitizer.

CCFLAGS = -Wall -g -fsanitize=address

PoC file:
encode_poc1.zip

Run with the following command.

Asan output:

=================================================================
==3406031==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000231972 at pc 0x0000002cbc07 bp 0x7ffcef6304f0 sp 0x7ffcef62fcb8
READ of size 272 at 0x000000231972 thread T0
    #0 0x2cbc06 in __asan_memcpy (/REDACTED/ffjpeg/src/ffjpeg+0x2cbc06)
    #1 0x30f33b in jfif_encode /src/src/jfif.c:708:5
    #2 0x3029f2 in main /src/src/ffjpeg.c:30:16
    #3 0x7fdfb0d3b564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #4 0x2515fd in _start (/REDACTED/ffjpeg/src/ffjpeg+0x2515fd)

0x000000231972 is located 46 bytes to the left of global variable 'STD_HUFTAB_LUMIN_DC' defined in 'huffman.c:398:12' (0x2319a0) of size 28
0x000000231972 is located 0 bytes to the right of global variable 'STD_HUFTAB_LUMIN_AC' defined in 'huffman.c:382:12' (0x2318c0) of size 178
SUMMARY: AddressSanitizer: global-buffer-overflow (/REDACTED/ffjpeg/src/ffjpeg+0x2cbc06) in __asan_memcpy
Shadow bytes around the buggy address:
  0x00008003e2d0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x00008003e2e0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 01 f9 f9
  0x00008003e2f0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 00 00 00
  0x00008003e300: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
  0x00008003e310: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008003e320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]f9
  0x00008003e330: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 00
  0x00008003e340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008003e350: 00 00 02 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
  0x00008003e360: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008003e370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3406031==ABORTING


memcpy(jfif->phcac[0]->huftab, STD_HUFTAB_LUMIN_AC, MAX_HUFFMAN_CODE_LEN + 256);

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

9 months ago

9 months ago

9 months ago

9 months ago

9 months ago