jhead heap-buffer-overflow of exif.c in function Get16u

Bug #1923538 reported by xiao huang
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| jhead (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

Hi Ubuntu Security Team
I found an overflow error.

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1

- https://github.com/Matthias-Wandel/jhead/issues/33

------------------------------------------------------------------------
## Vendor of Product
https://github.com/Matthias-Wandel/jhead

------------------------------------------------------------------------
## Affected Product Code Base
libcaca 871e319 jhead version 3.06

------------------------------------------------------------------------
## Affected Component
affected component: jhead

------------------------------------------------------------------------
## Affected source code file
affected source code file (as call stack):

  -> ProcessFile jhead.c:914:10
    -> ReadJpegFile jpgfile.c:381:11
    -> ReadJpegSections jpgfile.c:289:25
    ...
    -> Get16u exif.c

------------------------------------------------------------------------
## Attack Type
jpg

------------------------------------------------------------------------
## Verification process and POC

### Verification steps:

1. Get the source code of jhead

Edit makefile
```
OBJ=obj
SRC=.
CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) -fsanitize=address
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) -fsanitize=address
...
```

2. Compile jhead

```
$ make
```

3. Run jhead

```
$ ./jhead poc.jpg
```

ASan info:
```

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal value pointer for tag 0110 in Exif

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal number format 232 for tag 0300 in Exif

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 11000004

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal value pointer for tag 9004 in Exif

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 3639b234

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal number format 25724 for tag dc6e in Exif

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal number format 255 for tag 9bb0 in Exif

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 30002

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 30003

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 39404

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 30000

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 20006

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 20007

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 40008

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 20009

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 40010

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal Exif number format 1540 for maker tag 0000

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 14000001

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 20001

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 9e00d3

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal Exif number format 160 for maker tag 0062

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count ab0000

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal Exif number format 37779 for maker tag 9393

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 66204745

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 69460000

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 7f02061

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 51f87089

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Illegal Exif number format 47318 for maker tag 937a

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count ce0009

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 40000

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 383952

Nonfatal Error : 'crashes/id:000000,sig:06,src:001187,time:15492164,op:havoc,rep:8' Bad components count 30303130
=================================================================
==4037677==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000515 at pc 0x0000004ce2aa bp 0x7fffe9e82350 sp 0x7fffe9e82348
READ of size 1 at 0x61a000000515 thread T0
    #0 0x4ce2a9 in Get16u exif.c
    #1 0x4d78c0 in ProcessCanonMakerNoteDir makernote.c:128:27
    #2 0x4d78c0 in ProcessMakerNote makernote.c:189:9
    #3 0x4d0d4a in ProcessExifDir exif.c:578:13
    #4 0x4d1a46 in ProcessExifDir exif.c:870:25
    #5 0x4cfde3 in process_EXIF exif.c:1060:5
    #6 0x4ca981 in ReadJpegSections jpgfile.c:289:25
    #7 0x4cb257 in ReadJpegFile jpgfile.c:381:11
    #8 0x4c6274 in ProcessFile jhead.c:914:10
    #9 0x4c6274 in main jhead.c:1770:13
    #10 0x7fb64aa370b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41c45d in _start (/home/hh/Downloads/jhead/jhead+0x41c45d)

0x61a000000515 is located 9 bytes to the right of 1164-byte region [0x61a000000080,0x61a00000050c)
allocated by thread T0 here:
    #0 0x494b9d in malloc (/home/hh/Downloads/jhead/jhead+0x494b9d)
    #1 0x4ca120 in ReadJpegSections jpgfile.c:175:25
    #2 0x4cb257 in ReadJpegFile jpgfile.c:381:11

SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c in Get16u
Shadow bytes around the buggy address:
  0x0c347fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff80a0: 00 04[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==4037677==ABORTING

```

Thanks

Tags: poc
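The ASan report above shows a 1-byte read landing 9 bytes past the end of the 1164-byte EXIF section that ReadJpegSections allocated: the 16-bit reader was handed an offset derived from file data without checking it against the section length. The block below is an added example, not jhead's code and not part of the bug report; `get16u_checked`, `exif_buf`, `count_ifd_entries` and the sample IFD buffers are all hypothetical and constructed here to show the shape of the check such a reader needs, namely that the section length travels with the pointer and that both the entry count and every entry read are validated against it before any byte is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked EXIF section reader (constructed example,
 * NOT jhead's Get16u). The section length is carried next to the pointer so
 * every read can be validated against the bytes that were actually allocated. */
typedef struct {
    const uint8_t *data;   /* start of the EXIF section */
    size_t len;            /* number of valid bytes in that section */
    int motorola;          /* 1 = big-endian ("MM"), 0 = little-endian ("II") */
} exif_buf;

/* Read an unsigned 16-bit value at byte offset `off`.
 * Returns 0 and stores the value, or -1 if [off, off+2) is not inside the
 * buffer. Written as `len - off < 2` so that `off + 2` can never overflow. */
int get16u_checked(const exif_buf *b, size_t off, uint16_t *out)
{
    if (b == NULL || out == NULL || b->data == NULL) return -1;
    if (off > b->len || b->len - off < 2) return -1;
    const uint8_t *p = b->data + off;
    if (b->motorola)
        *out = (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
    else
        *out = (uint16_t)(((uint16_t)p[1] << 8) | p[0]);
    return 0;
}

/* Walk one IFD: a 2-byte entry count at `dir_off` followed by 12-byte entries
 * (tag, format, component count, value/offset). Returns the number of entries
 * whose tag and format were read, or -1 as soon as the claimed count or any
 * entry would leave the buffer. */
int count_ifd_entries(const exif_buf *b, size_t dir_off)
{
    uint16_t n;
    if (get16u_checked(b, dir_off, &n) != 0) return -1;
    size_t remaining = b->len - dir_off - 2;    /* safe: the read above succeeded */
    if ((size_t)n * 12 > remaining) return -1;  /* count claims more data than exists */
    int parsed = 0;
    for (uint16_t i = 0; i < n; i++) {
        size_t e = dir_off + 2 + (size_t)i * 12;
        uint16_t tag, fmt;
        if (get16u_checked(b, e, &tag) != 0) return -1;
        if (get16u_checked(b, e + 2, &fmt) != 0) return -1;
        parsed++;
    }
    return parsed;
}

/* Constructed sample: big-endian IFD with two well-formed entries (26 bytes). */
static const uint8_t sample_good[26] = {
    0x00, 0x02,                                                            /* 2 entries */
    0x01, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 'j', 'h', 'e', 'a',    /* tag 0110, ASCII */
    0x90, 0x04, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00 /* tag 9004, SHORT */
};

/* Constructed sample: the count field claims 20 entries but only one follows. */
static const uint8_t sample_truncated[14] = {
    0x00, 0x14,
    0x01, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 'j', 'h', 'e', 'a'
};

int demo_good(void)
{
    exif_buf b = { sample_good, sizeof sample_good, 1 };
    return count_ifd_entries(&b, 0);           /* 2 */
}

int demo_truncated(void)
{
    exif_buf b = { sample_truncated, sizeof sample_truncated, 1 };
    return count_ifd_entries(&b, 0);           /* -1 instead of reading past the end */
}

/* Offset one byte short of the end: a 2-byte read must be refused. */
int demo_last_byte(void)
{
    exif_buf b = { sample_good, sizeof sample_good, 1 };
    uint16_t v;
    return get16u_checked(&b, sizeof sample_good - 1, &v);   /* -1 */
}

int demo_tag_value(int motorola)
{
    exif_buf b = { sample_good, sizeof sample_good, motorola };
    uint16_t v = 0;
    if (get16u_checked(&b, 2, &v) != 0) return -1;
    return v;                                  /* 0x0110 for MM, 0x1001 for II */
}

int main(void)
{
    printf("good IFD entries: %d\n", demo_good());
    printf("truncated IFD: %d\n", demo_truncated());
    printf("read at last byte: %d\n", demo_last_byte());
    printf("tag at offset 2: 0x%04x (MM) 0x%04x (II)\n", demo_tag_value(1), demo_tag_value(0));
    return 0;
}
```

The truncated sample is the interesting case: its count field is attacker-controlled data, and rejecting it up front means no per-entry read ever reaches the redzone. Building with `-fsanitize=address`, as the report's makefile edit does, is still worth keeping in CI for a parser like this, since it turns a silent out-of-bounds read into the abort shown above.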

CVE References

xiao huang (shanzhuli)
summary: - jhead overflow
+ jhead heap-buffer-overflow
summary: - jhead heap-buffer-overflow
+ jhead heap-buffer-overflow of exif.c in function Get16u
xiao huang (shanzhuli) wrote:

Issues have been assigned the number CVE-2021-3496.

information type: Private Security → Public Security
Steve Beattie (sbeattie)
Changed in jhead (Ubuntu):
status: New → Confirmed
