Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.

**Name**CVE-2013-2093**Description**Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.**Source**CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

CVE-2013-2093: CVE-2013-2093

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.

CVE-2019-18934: unbound/Changelog at release-1.9.5 · NLnetLabs/unbound

An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

![Openwall](https://www.openwall.com/logo.png)

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Nov 2019 22:27:27 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: oss-security@...ts.openwall.com
Subject: \[ Linux kernel \] Exploitable bugs in drivers/media/platform/vivid

Hello!

I used the syzkaller fuzzer with custom modifications and found a bunch of
5-year old bugs in the Linux kernel. I managed to exploit one of them for a
local privilege escalation.

These vulnerabilities are caused by wrong mutex locking in the vivid driver of
the V4L2 subsystem. Please see the fixing patch that I've just sent to LKML:
https://lore.kernel.org/lkml/20191102190327.24903-1-alex.popov@linux.com/

The vivid driver doesn't require any special hardware. It is shipped in Ubuntu,
Debian, Arch Linux, SUSE Linux Enterprise and openSUSE.

On Ubuntu the devices created by this driver are available to the normal user,
since Ubuntu applies RW ACL when the user is logged in:
  a13x@...ntu\_server\_1804:~$ getfacl /dev/video0
  getfacl: Removing leading '/' from absolute path names
  # file: dev/video0
  # owner: root
  # group: video
  user::rw-
  user:a13x:rw-
  group::rw-
  mask::rw-
  other::---

(Un)fortunately, I don't know how to autoload the vulnerable driver, which
limits the severity of these vulnerabilities. That's why the Linux kernel
security team allows me to do the full disclosure.

But there is an interesting aspect -- my PoC exploit bypasses SMEP and SMAP on
the fresh Ubuntu Server 18.04. Moreover, it gains the local privilege escalation
from the kthread context (where the userspace is not mapped). I'm going to share
the details about the exploit techniques later.

For now I would recommend to blacklist the vivid kernel module on your machines.

Best regards,
Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

![Powered by Openwall GNU/*/Linux](https://www.openwall.com/Owl/artwork/buttons/80x15/Owl-80x15-4.png) ![Powered by OpenVZ](https://www.openwall.com/images/OpenVZ-80x15-cd.png)

CVE-2019-18683: security - [ Linux kernel ] Exploitable bugs in drivers/media/platform/vivid

slim has NULL pointer dereference when using crypt() method from glibc 2.17

**Name**

CVE-2013-4412

**Description**

slim has NULL pointer dereference when using crypt() method from glibc 2.17

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

**Debian Bugs**

725902

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

slim (PTS)

buster

1.3.6-5.1

fixed

bullseye

1.3.6-5.2

fixed

sid, trixie, bookworm

1.3.6-5.3

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

slim

source

squeeze

(not affected)

slim

source

wheezy

(not affected)

slim

source

(unstable)

1.3.6-0.1

725902

**Notes**

\[wheezy\] - slim <not-affected> (Only exploitable with eglibc 2.17 and later)  
\[squeeze\] - slim <not-affected> (Only exploitable with eglibc 2.17 and later)  
Upstream fix: http://git.berlios.de/cgi-bin/cgit.cgi/slim/commit/?id=fbdfae3b406b1bb6f4e5e440e79b9b8bb8f071f

CVE-2013-4412: CVE-2013-4412

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.

We found vulnerability in exiv2 binary and exiv2 is complied with clang enabling ASAN.

    Machine : Ubuntu 16.04.3 LTS
    gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
    Commit : 401e658
    exiv2 : 0.27.99.0
    Command : exiv2 -pv $POC
    

    fuzzer@fuzzer:~/victim/exiv2/build/bin$ ./exiv2 -pv POC
    =================================================================
    ==16699==ERROR: AddressSanitizer: unknown-crash on address 0x7f9a857b7143 at pc 0x7f9a84dcc1db bp 0x7ffcb8c7b650 sp 0x7ffcb8c7b648
    READ of size 1 at 0x7f9a857b7143 thread T0
        #0 0x7f9a84dcc1da in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/types.cpp:289:28
        #1 0x7f9a84ebd4c4 in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:285:22
        #2 0x7f9a84ebd84e in Exiv2::Internal::CiffComponent::read(unsigned char const*, unsigned int, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:231:9
        #3 0x7f9a84ebd84e in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:305
        #4 0x7f9a84c5c29d in Exiv2::CrwParser::decode(Exiv2::CrwImage*, unsigned char const*, unsigned int) /home/fuzzer/victim/exiv2/src/crwimage.cpp:150:9
        #5 0x7f9a84c5afa0 in Exiv2::CrwImage::readMetadata() /home/fuzzer/victim/exiv2/src/crwimage.cpp:107:9
        #6 0x589421 in Action::Print::printList() /home/fuzzer/victim/exiv2/src/actions.cpp:483:9
        #7 0x57c1df in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/fuzzer/victim/exiv2/src/actions.cpp:218:26
        #8 0x4f4c5f in main /home/fuzzer/victim/exiv2/src/exiv2.cpp:77:23
        #9 0x7f9a836be82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
        #10 0x41ff38 in _start (/home/fuzzer/victim/exiv2/build/bin/exiv2+0x41ff38)
    
    AddressSanitizer can not describe address in more detail (wild memory access suspected).
    SUMMARY: AddressSanitizer: unknown-crash /home/fuzzer/victim/exiv2/src/types.cpp:289:28 in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder)
    Shadow bytes around the buggy address:
      0x0ff3d0aeedd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeede0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeedf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeee00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
    =>0x0ff3d0aeee20: fe fe fe fe fe fe fe fe[fe]fe fe fe fe fe fe fe
      0x0ff3d0aeee30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee60: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee70: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==16699==ABORTING
    fuzzer@fuzzer:~/victim/exiv2/build/bin$

CVE-2019-17402: Overflow in exiv2 · Issue #1019 · Exiv2/exiv2

gif2png 2.5.13 has a memory leak in the writefile function.

@zer0yu Hi, I had some tests on gif2png. But I need your help.

I used valgrind to check the memory leakage by executing `valgrind --leak-check=full ./gif2png -r poc`, and here is the output message.

    ==25395==
    ==25395== HEAP SUMMARY:
    ==25395==     in use at exit: 91,120 bytes in 136 blocks
    ==25395==   total heap usage: 602 allocs, 466 frees, 1,177,468 bytes allocated
    ==25395==
    ==25395== 8,704 bytes in 34 blocks are definitely lost in loss record 1 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x10CC48: xalloc (memory.c:17)
    ==25395==    by 0x10BEF3: ReadImage (gifread.c:662)
    ==25395==    by 0x10C646: ReadGIF (gifread.c:218)
    ==25395==    by 0x10B0A1: processfile.part.0 (gif2png.c:707)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== 18,360 bytes in 51 blocks are definitely lost in loss record 2 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x4E40F32: png_create_info_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x109F9C: writefile (gif2png.c:157)
    ==25395==    by 0x10B29D: processfile.part.0 (gif2png.c:788)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== 64,056 bytes in 51 blocks are definitely lost in loss record 3 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x4E46E81: png_malloc_warn (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E40E8F: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E4A40C: png_create_read_struct_2 (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E4A460: png_create_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x109F86: writefile (gif2png.c:151)
    ==25395==    by 0x10B29D: processfile.part.0 (gif2png.c:788)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== LEAK SUMMARY:
    ==25395==    definitely lost: 91,120 bytes in 136 blocks
    ==25395==    indirectly lost: 0 bytes in 0 blocks
    ==25395==      possibly lost: 0 bytes in 0 blocks
    ==25395==    still reachable: 0 bytes in 0 blocks
    ==25395==         suppressed: 0 bytes in 0 blocks
    ==25395==
    ==25395== For counts of detected and suppressed errors, rerun with: -v
    ==25395== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
    

We can see the key function `png_malloc_warn` and `png_create_info_struct`. Although the program did not crash, the output message was similar to the error information offered by @zer0yu .

So I reviewed the gif2png source code, whose git-tag was 2.5.9 and commit id was `b6c6bb`. The function `wirtefile` of gif2png calls `png_create_read_struct` and `png_create_info_struct`. That will cause libpng to allocate memory. But `png_destroy_read_struct` is not called to free the memory after that.

Here is my patch to fixed it.

    diff --git a/gif2png.c b/gif2png.c
    index 8a3d1c1..25537a5
    --- a/gif2png.c
    +++ b/gif2png.c
    @@ -311,6 +311,7 @@ static int writefile(struct GIFelement *s, struct GIFelement *e,
             (void)free(info_ptr);
             return 1;
         }
    +    png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
    
         /* Create and initialize the png_struct with the desired error handler
          * functions.  If you want to use the default stderr and longjump method,
    diff --git a/gifread.c b/gifread.c
    index 6995c3a..f48ab65
    --- a/gifread.c
    +++ b/gifread.c
    @@ -727,9 +727,11 @@ ReadImage(FILE *fd, int x_off, int y_off, int width, int height,
                             goto fini;
                         } else {
                             (void)check_recover(true);
    +                        (void)free(image);
                             return(true);
                         }
                     } else {
    +                    (void)free(image);
                         return(true);
                     }
                 }
    

And here is the new output message

    ==27072== HEAP SUMMARY:
    ==27072==     in use at exit: 0 bytes in 0 blocks
    ==27072==   total heap usage: 602 allocs, 602 frees, 1,177,468 bytes allocated
    ==27072==
    ==27072== All heap blocks were freed -- no leaks are possible
    ==27072==
    ==27072== For counts of detected and suppressed errors, rerun with: -v
    ==27072== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
    

0 error!

So my conclusion is that: the memory leakage is caused by **gif2png** but **NOT libpng**.  
But I need some more information from @zer0yu to further confirm it.  
My env:

    Ubuntu 18.04 x86_64
    valgrind-3.13.0
    gcc 7.4
    libpng-dev 1.6.34

CVE-2019-17371: memory leak in png_malloc_warn and png_create_info_struct · Issue #307 · glennrp/libpng

In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.

CVE-2019-16714

ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 10 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc22-jfif\_load-heapoverflow

**Details****Asan report**

    =================================================================
    ==17308== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340000fef8 at pc 0x402fec bp 0x7ffc051db980 sp 0x7ffc051db978
    WRITE of size 4 at 0x60340000fef8 thread T0
        #0 0x402feb in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187
        #1 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #2 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #3 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    0x60340000fef8 is located 0 bytes to the right of 504-byte region [0x60340000fd00,0x60340000fef8)
    allocated by thread T0 here:
        #0 0x7f52922584e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x154e5)
        #1 0x40293b in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:154
        #2 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #3 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187 jfif_load
    Shadow bytes around the buggy address:
      0x0c06ffff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c06ffff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x0c06ffff9fe0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==17308== ABORTING
    

**GDB report**

    Starting program: /home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg -d poc22-jfif_load-heapoverflow 
    file eof !
    *** Error in `/home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg': munmap_chunk(): invalid pointer: 0x000000000060a210 ***
    
    Program received signal SIGABRT, Aborted.
    0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
    #2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=1, 
        fmt=fmt@entry=0x7ffff7b96350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00007ffff7a8f007 in malloc_printerr (action=<optimized out>, 
        str=0x7ffff7b966d0 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:4998
    #4  0x0000000000402416 in jfif_load (file=0x7fffffffe58c "poc22-jfif_load-heapoverflow")
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:257
    #5  0x000000000040165b in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
    (gdb) 
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

This was referenced

Aug 19, 2019

Copy link

Contributor Author

Hi, I tested it with commit b3039ae

but there still exists some buffer overflows in jfif.c:195; jfif.c:216, jfif.c:228 and jfif.c:231

here are the POCs and asan log  
asan.log  
ffjpeg\_poc.zip

rockcarry added a commit that referenced this issue

Aug 19, 2019

Copy link

Contributor Author

Hi,

I tested it with commit 6bc54ed

and AddressSanitizer still reports heap-buffer-overflow in jfif.c:216 and jfif.c:231, which is caused by  
id:000026 & id:000029 in the ffjpeg\_poc.zip above.

to use AddressSanitizer you can compile program with cmd

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"  cmake .
    $ make
    

Cheers

are the test case 16 & 25 pass your testing ?  
and the case 26 & 29 still failed ?

I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

Copy link

Contributor Author

Hi,

> are the test case 16 & 25 pass your testing ?  
> and the case 26 & 29 still failed ?

Yes, 26 & 29 still fail while 16 & 25 pass.

> I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

AddressSanitizer is part of gcc since gcc-4.8, not sure whether it can be installed separately. Here (ASANwiki) is the guide to build the ASAN from source, though I think use ASAN in gcc cost less effort

Cheers

rockcarry added a commit that referenced this issue

Aug 21, 2019

rockcarry added a commit that referenced this issue

Aug 21, 2019

Copy link

Contributor Author

Hi,

I tested commit 2ad299a and ASAN reports heap buffer overflow in

for (i\=1; i<1+16; i++) len += dht\[i\];

Maybe it should be changed to

for (i\=1; i<1+16 && dht+i<end; i++) len += dht\[i\];

This would fix the overflow problem but I'm not sure if this logic is right.

Best wishes

rockcarry added a commit that referenced this issue

Aug 21, 2019

pls test commit 58b6f94  
i think it‘s ok now.

Copy link

Contributor Author

Hi,

I tested commit 58b6f94. Since no more ASAN reports, I think this series of heap-overflow problems are fixed now.

Cheers!

2 participants

CVE-2019-16352: AddressSanitizer: heap-buffer-overflow in jfif_load() at jfif.c:187 · Issue #12 · rockcarry/ffjpeg

ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 2 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc21-huffman\_decode\_step-SEGV

**Details****Asan report**

    ASAN:SIGSEGV
    =================================================================
    ==19241== ERROR: AddressSanitizer: SEGV on unknown address 0x000000001590 (pc 0x000000410e8b sp 0x7fff54e12780 bp 0x7fff54e127a0 T0)
    AddressSanitizer can not provide additional info.
        #0 0x410e8a in huffman_decode_step /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
        #1 0x405f04 in jfif_decode /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:493
        #2 0x401a70 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
        #3 0x7f8d44273f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #4 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    SUMMARY: AddressSanitizer: SEGV /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371 huffman_decode_step
    ==19241== ABORTING
    

**GDB report**

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040775f in huffman_decode_step (phc=0x0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
    371         if (!phc->input) return EOF;
    (gdb) bt
    #0  0x000000000040775f in huffman_decode_step (phc=0x0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
    #1  0x0000000000403357 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe190)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:493
    #2  0x0000000000401672 in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

This was referenced

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

Copy link

Contributor Author

I tested it with commit b3039ae  
and I think it has been fixed

2 participants

CVE-2019-16351: SEGV in huffman_decode_step() at huffman.c:371 · Issue #11 · rockcarry/ffjpeg

ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 2 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc20-idct2d8x8-SEGV

**Details****Asan report**

    ASAN:SIGSEGV
    =================================================================
    ==21545== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000040db78 sp 0x7ffd4681f2e0 bp 0x7ffd4681f340 T0)
    AddressSanitizer can not provide additional info.
        #0 0x40db77 in idct2d8x8 /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
        #1 0x40605b in jfif_decode /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:508
        #2 0x401a70 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
        #3 0x7f8448218f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #4 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    SUMMARY: AddressSanitizer: SEGV /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201 idct2d8x8
    ==21545== ABORTING
    

**GDB report**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000406402 in idct2d8x8 (data=0x7fffffffe070, ftab=0xffffffff)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
    201             data[ctr] *= ftab[ctr];
    (gdb) bt
    #0  0x0000000000406402 in idct2d8x8 (data=0x7fffffffe070, ftab=0xffffffff)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
    #1  0x0000000000403435 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe1a0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:508
    #2  0x0000000000401672 in main (argc=3, argv=0x7fffffffe2a8)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

Copy link

Contributor Author

I tested it with commit b3039ae  
and I think it has been fixed

2 participants

Tag

#ubuntu