Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap buffer overflow - jpg_parse_jfif #98

Open
andrew-epstein opened this issue May 14, 2019 · 3 comments
Open

Heap buffer overflow - jpg_parse_jfif #98

andrew-epstein opened this issue May 14, 2019 · 3 comments

Comments

@andrew-epstein
Copy link

OS: macOS 10.14.4
Compiled with afl-clang, with -fsanitize=address added to both CMAKE_C_FLAGS and CMAKE_CXX_FLAGS. Actual compiler is clang version 8.0.0 (note, NOT Apple LLVM).
Here's the output from AddressSanitizer:

==70370==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000002f2 at pc 0x0001008f450e bp 0x7ffeef4d09e0 sp 0x7ffeef4d09d8
READ of size 1 at 0x6120000002f2 thread T0
    #0 0x1008f450d in jpg_parse_jfif(unsigned char, unsigned int, unsigned char*) packjpg.cpp:4603
    #1 0x1008bc7da in decode_jpeg() packjpg.cpp:2424
    #2 0x1008b6558 in pjglib_convert_stream2mem(unsigned char**, unsigned int*, char*) packjpg.cpp:1744
    #3 0x100c3775b in try_decompression_jpg(long long, bool) precomp.cpp:6486
    #4 0x100bf1cd9 in compress_file(float, float) precomp.cpp:4122
    #5 0x100be1394 in main precomp.cpp:505
    #6 0x7fff7f65e3d4 in start (libdyld.dylib:x86_64+0x163d4)

0x6120000002f2 is located 0 bytes to the right of 306-byte region [0x6120000001c0,0x6120000002f2)
allocated by thread T0 here:
    #0 0x100fa2167 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x61167)
    #1 0x1008a9d7e in abytewriter::getptr() bitops.cpp:21
    #2 0x1008bbf61 in read_jpeg() packjpg.cpp:2208
    #3 0x1008b6459 in pjglib_convert_stream2mem(unsigned char**, unsigned int*, char*) packjpg.cpp:1744
    #4 0x100c3775b in try_decompression_jpg(long long, bool) precomp.cpp:6486
    #5 0x100bf1cd9 in compress_file(float, float) precomp.cpp:4122
    #6 0x100be1394 in main precomp.cpp:505
    #7 0x7fff7f65e3d4 in start (libdyld.dylib:x86_64+0x163d4)

SUMMARY: AddressSanitizer: heap-buffer-overflow packjpg.cpp:4603 in jpg_parse_jfif(unsigned char, unsigned int, unsigned char*)

Command line invocation was along the lines of the following:

./precomp -cn -t+j id\:000000\,src\:000003\,op\:flip1\,pos\:276

What is the best way to get the offending files to you? GitHub doesn't seem to want to let me attach them. They are small, so would a hex dump be good?
Please let me know if you need anything else; I'll be happy to provide to the best of my ability.
@andrew-epstein andrew-epstein mentioned this issue May 14, 2019
Closed
@schnaader
Copy link
Owner

What is the best way to get the offending files to you?

You can send them per mail (schnaader@gmx.de) or post a link to uploaded images and I'll attach them to the issues.

@andrew-epstein andrew-epstein mentioned this issue May 14, 2019
Closed
@andrew-epstein
Copy link
Author

@schnaader I have emailed the files for all 3 issues to you.

@schnaader
Copy link
Owner

Test file on Google Drive

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@schnaader @andrew-epstein