A heap-buffer-overflow in jhead-3.03
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
jhead (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
I have found a heap-buffer-
jhead $POC
The POC is in attachment. We use AddressSanitizer to print the debug information, which is listed below:
=======
==6995==ERROR: AddressSanitizer: heap-buffer-
READ of size 1 at 0x61600000f5c7 thread T0
#0 0x417eff in process_DQT /home/moonlight
#1 0x40fe6a in ReadJpegSections /home/moonlight
#2 0x411dcd in ReadJpegSections /home/moonlight
#3 0x411dcd in ReadJpegFile /home/moonlight
#4 0x408f7a in ProcessFile /home/moonlight
#5 0x403557 in main /home/moonlight
#6 0x7ffff67b782f in __libc_start_main (/lib/x86_
#7 0x407058 in _start (/home/
0x61600000f5c7 is located 0 bytes to the right of 583-byte region [0x61600000f380
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/
#1 0x40f657 in ReadJpegSections /home/moonlight
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x0c2c7fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff9eb0: 00 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa
0x0c2c7fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==6995==ABORTING
[Inferior 1 (process 6995) exited with code 01]
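The trace above says a 1-byte read in process_DQT landed exactly at the end of the 583-byte section buffer that ReadJpegSections allocated, i.e. the parser walked past the data it was handed. The following is an added illustration of that bug class, not jhead's code and not a claim about what process_DQT actually does: a DQT segment (per the JPEG standard: a 2-byte length, then tables each consisting of one Pq/Tq byte followed by 64 entries of 1 or 2 bytes depending on Pq) is walked once while trusting the Pq/Tq bytes, and once with the length check a safe parser needs. The build_* inputs are constructed here; the 583-byte sample only borrows the region size from the report to show how a table that does not fit produces a first out-of-bounds read "0 bytes to the right" of the allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Walk the tables the way a parser that trusts Pq/Tq and never compares
 * against the segment length would, but without dereferencing past the end
 * (the arithmetic alone is enough to show the problem). Returns how many
 * bytes past seglen such a parser would read, or 0 if it stays in bounds. */
size_t dqt_unchecked_overrun(const uint8_t *seg, size_t seglen)
{
    size_t a = 2;                         /* skip the 2-byte segment length */
    while (a < seglen) {
        uint8_t pq = seg[a] >> 4;         /* 0 = 8-bit entries, 1 = 16-bit */
        size_t need = 1 + 64 * (pq ? 2 : 1);
        if (a + need > seglen)
            return a + need - seglen;     /* first OOB read is seg[seglen] */
        a += need;
    }
    return 0;
}

/* Bounds-checked parser. Returns the number of tables parsed, or -1 if the
 * segment is malformed: length field disagreeing with the buffer, bad
 * precision or table id, or a table that would run past the segment. */
int dqt_parse_checked(const uint8_t *seg, size_t seglen, uint16_t out[4][64])
{
    if (seglen < 2) return -1;
    size_t declared = ((size_t)seg[0] << 8) | seg[1];
    if (declared != seglen) return -1;
    size_t a = 2;
    int tables = 0;
    while (a < seglen) {
        size_t remaining = seglen - a;
        uint8_t pq = seg[a] >> 4, tq = seg[a] & 0x0f;
        if (pq > 1 || tq > 3) return -1;
        size_t entry = pq ? 2 : 1;
        if (remaining < 1 + 64 * entry)   /* the check an overflowing walk lacks */
            return -1;
        a++;
        for (int i = 0; i < 64; i++) {
            if (entry == 2) { out[tq][i] = (uint16_t)((seg[a] << 8) | seg[a + 1]); a += 2; }
            else            { out[tq][i] = seg[a++]; }
        }
        tables++;
    }
    return tables;
}

/* Constructed sample: one well-formed 8-bit table, 2 + 1 + 64 = 67 bytes. */
size_t build_good_dqt(uint8_t *buf)
{
    size_t len = 2 + 1 + 64;
    buf[0] = (uint8_t)(len >> 8); buf[1] = (uint8_t)len;
    buf[2] = 0x00;                                   /* Pq = 0, Tq = 0 */
    for (int i = 0; i < 64; i++) buf[3 + i] = (uint8_t)(i + 1);
    return len;
}

/* Constructed sample: the same 67 bytes, but Pq now claims 16-bit entries,
 * so a trusting parser wants 1 + 128 bytes and reads 64 bytes past the end. */
size_t build_bad_precision_dqt(uint8_t *buf)
{
    size_t len = build_good_dqt(buf);
    buf[2] = 0x10;
    return len;
}

/* Constructed sample sized like the report's 583-byte region: nine 8-bit
 * table headers 65 bytes apart need 2 + 9*65 = 587 bytes, so the ninth
 * table runs 4 bytes past the end; the first bad read is at offset 583. */
size_t build_truncated_dqt(uint8_t *buf)
{
    size_t len = 583;
    memset(buf, 0x01, len);
    buf[0] = (uint8_t)(len >> 8); buf[1] = (uint8_t)len;
    for (size_t a = 2; a < len; a += 65)
        buf[a] = (uint8_t)(((a - 2) / 65) % 4);      /* Pq = 0, Tq cycles 0..3 */
    return len;
}

int main(void)
{
    uint8_t buf[600];
    uint16_t q[4][64];
    size_t (*samples[])(uint8_t *) = { build_good_dqt, build_bad_precision_dqt, build_truncated_dqt };
    const char *names[] = { "good", "bad-precision", "truncated-583" };
    for (int i = 0; i < 3; i++) {
        size_t n = samples[i](buf);
        printf("%-14s len=%zu checked=%d unchecked_overrun=%zu bytes\n",
               names[i], n, dqt_parse_checked(buf, n, q), dqt_unchecked_overrun(buf, n));
    }
    return 0;
}
```

The point of the pair is the single comparison `remaining < 1 + 64 * entry`: table size is derived from an attacker-controlled nibble, so it must be checked against the bytes actually present in the section, not against the file. Running under `-fsanitize=address` is the right way to confirm a fix in the real code, since the unchecked walk here deliberately stops short of dereferencing.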
Changed in jhead (Ubuntu):
status: New → Confirmed
information type: Private Security → Public
Hi Tai Yue,
Thanks for reporting this issue.
Did you report this to upstream already? If not, could you please report it to them [1].
[1] http://www.sentex.net/~mwandel/jhead/