
The function "adjust_quant" in transupp.c:206 has a SEGV vulnerability. #758

Closed
Arbusz opened this issue Apr 19, 2024 · 2 comments

Arbusz commented Apr 19, 2024

Hi, we found one crash in jpegtran (libjpeg-turbo 3.0.2) which is the latest version. To assist in diagnosing and resolving these issues, we have attached the POC files along with the asan logs.

Environment: Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Command and args:
./jpegtran -drop +100+200 file1.jpg -maxmemory 4m poc

asan logs

==229843==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555556068f bp 0x7fffffffd710 sp 0x7fffffffd6b0 T0)
==229843==The signal is caused by a READ memory access.
==229843==Hint: address points to the zero page.
    #0 0x55555556068e in adjust_quant /root/programs_rq5/libjpeg-turbo-3.0.2/transupp.c:206
    #1 0x555555570833 in jtransform_adjust_parameters /root/programs_rq5/libjpeg-turbo-3.0.2/transupp.c:2099
    #2 0x55555555c7c4 in main /root/programs_rq5/libjpeg-turbo-3.0.2/jpegtran.c:642
    #3 0x7ffff7172082 in __libc_start_main ../csu/libc-start.c:308
    #4 0x5555555597cd in _start (/root/programs_rq5/libjpeg-turbo-3.0.2/build_asan/bin/jpegtran+0x57cd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/programs_rq5/libjpeg-turbo-3.0.2/transupp.c:206 in adjust_quant

jpegtran_crash.zip

Credit by: Dawei Wang and Geng Zhou, from Zhongguancun Laboratory.

dcommander (Member) commented:

I will investigate, but since the issue in question involves an interface that is only exposed on the jpegtran command line, this does not represent a security issue. It is, at worst, a matter of the program crashing rather than failing gracefully, so from the user's point of view, the end result is the same. Still, though, it shouldn't crash.

dcommander (Member) commented:

Reproduced & investigating

dcommander added a commit that referenced this issue May 2, 2024
It is possible to craft a malformed JPEG image in which all of the
scans contain fewer components than the number of components specified
in the Start Of Frame (SOF) segment.  Attempting to use such an image as
either an input image or a drop image with 'jpegtran -drop' caused a
NULL dereference and subsequent segfault in transupp.c:adjust_quant(),
so this commit adds appropriate checks to guard against that.

Since the issue involved an interface that is only exposed on the
jpegtran command line, it did not represent a security risk.
'jpegtran -drop' could not ever be used successfully with images such as
the ones described above.  This commit simply makes jpegtran fail
gracefully rather than crash.

Fixes #758
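As an added example (not code from this issue or from libjpeg-turbo), a small Python checker that walks the JPEG marker structure and reports components declared in the SOF segment that no SOS scan ever codes, which is the malformation the commit message describes. The two JPEG byte strings are constructed minimal streams with dummy entropy data, and the functions and marker handling are assumptions of this example.

```python
import struct

# SOFn frame markers (baseline, progressive, lossless, ...); C4/C8/CC are DHT/JPG/DAC, not frames.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def iter_segments(data):
    """Yield (marker, payload) for every marker segment up to EOI, skipping entropy-coded data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:                                # fill byte; the real marker follows
            pos -= 1
            continue
        if marker == 0xD9:                                # EOI
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # TEM / RSTn carry no length field
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == 0xDA:                                # SOS: skip to next non-stuffed, non-RST marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("missing EOI")

def check_scan_components(data):
    """Return SOF-declared component IDs that no scan ever codes (empty list means consistent)."""
    sof_ids, scanned = None, set()
    for marker, payload in iter_segments(data):
        if marker in SOF_MARKERS:
            nf = payload[5]                               # P, Y(2), X(2), Nf, then Nf x (Ci, HiVi, Tqi)
            sof_ids = [payload[6 + 3 * i] for i in range(nf)]
        elif marker == 0xDA:
            if sof_ids is None:
                raise ValueError("SOS before SOF")
            ids = [payload[1 + 2 * j] for j in range(payload[0])]   # Ns, then Ns x (Csj, TdTa)
            if set(ids) - set(sof_ids):
                raise ValueError(f"scan codes undeclared components {sorted(set(ids) - set(sof_ids))}")
            scanned.update(ids)
    if sof_ids is None:
        raise ValueError("no SOF segment")
    return [c for c in sof_ids if c not in scanned]

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: SOF0 declaring components 1, 2, 3 (16x16, 8-bit), then one scan, dummy data, EOI.
_SOF = _seg(0xC0, bytes([8, 0, 16, 0, 16, 3, 1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1]))
_TAIL = b"\x12\x34\xff\xd9"
GOOD_JPEG = b"\xff\xd8" + _SOF + _seg(0xDA, bytes([3, 1, 0, 2, 0x11, 3, 0x11, 0, 63, 0])) + _TAIL
BAD_JPEG = b"\xff\xd8" + _SOF + _seg(0xDA, bytes([1, 1, 0, 0, 63, 0])) + _TAIL   # only component 1 coded
```

Running `check_scan_components(BAD_JPEG)` returns `[2, 3]`, the components a tool like `jpegtran -drop` would find no scan data for; the good sample returns an empty list.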