A heap-buffer-overflow in jhead-3.03

Hi Tai Yue,

Thanks for report this issue.
Did you report this to upstream already? If not, could you please report to them [1].

[1] http://www.sentex.net/~mwandel/jhead/

I have received the bug notification. Thank you for your confirming. Now I have some questions about the CVEs, will I be assigned a CVE? If not, what can I do to obtain that?

Best wishes! I am looking forward to your reply.

> -----原始邮件-----
> 发件人: "Leonidas S. Barbosa" <email address hidden>
> 发送时间: 2019-10-11 00:48:32 (星期五)
> 收件人: <email address hidden>
> 抄送:
> 主题: [Bug 1847629] Re: A heap-buffer-overflow in jhead-3.03
>
> ** Changed in: jhead (Ubuntu)
> Status: New => Confirmed
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1847629
>
> Title:
> A heap-buffer-overflow in jhead-3.03
>
> Status in jhead package in Ubuntu:
> Confirmed
>
> Bug description:
> I have found a heap-buffer-overflow in the process_DQT function in
> jpgqguess.c of jhead-3.03 by fuzzing. The jhead is complied in ELF
> 64-bit LSB version, and the command to trigger this bug is
>
> jhead $POC
>
> The POC is in attachment. We use Address-Sanitizier to print the debug
> information, which is listed below:
>
> =================================================================
> ==6995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000f5c7 at pc 0x000000417f00 bp 0x7ffffffef200 sp 0x7ffffffef1f0
> READ of size 1 at 0x61600000f5c7 thread T0
> #0 0x417eff in process_DQT /home/moonlight/SteinGate/jhead-3.03/jpgqguess.c:109
> #1 0x40fe6a in ReadJpegSections /home/moonlight/SteinGate/jhead-3.03/jpgfile.c:223
> #2 0x411dcd in ReadJpegSections /home/moonlight/SteinGate/jhead-3.03/jpgfile.c:126
> #3 0x411dcd in ReadJpegFile /home/moonlight/SteinGate/jhead-3.03/jpgfile.c:375
> #4 0x408f7a in ProcessFile /home/moonlight/SteinGate/jhead-3.03/jhead.c:905
> #5 0x403557 in main /home/moonlight/SteinGate/jhead-3.03/jhead.c:1757
> #6 0x7ffff67b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #7 0x407058 in _start (/home/moonlight/SteinGate/jhead-3.03/jhead+0x407058)
>
> 0x61600000f5c7 is located 0 bytes to the right of 583-byte region [0x61600000f380,0x61600000f5c7)
> allocated by thread T0 here:
> #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> #1 0x40f657 in ReadJpegSections /home/moonlight/SteinGate/jhead-3.03/jpgfile.c:173
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moonlight/SteinGate/jhead-3.03/jpgqguess.c:109 process_DQT
> Shadow bytes around the buggy address:
> 0x0c2c7fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c2c7fff9e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c2c7fff9e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c2c7fff9e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c2c7fff9ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c2c7fff9eb0: 00 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa
> 0x0c2c7fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c2c7fff9ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c2c7fff9ee0: 00 00 00 00 00 00 ...