heap-buffer-overflow detected in function process_DQT of jpgqguess.c when running jhead 3.04
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| jhead (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
Tested in Ubuntu 16.04, 64bit. [Jhead](https:/
The tesecase cause this error is put in the attachment.
I use the following command:
```shell
./jhead -mkexif jhead_heap_
```
and get many nonfatal error prompts like the following:
```
Nonfatal Error : 'jhead_
......
```
I use **AddressSaniti
```shell
./jhead -mkexif jhead_heap_
```
This is the ASAN information:
```
install/jhead -mkexif jhead_segv.jpg
......
many nonfatal error prompts
......
=======
==20109==ERROR: AddressSanitizer: heap-buffer-
READ of size 1 at 0x60700001b183 thread T0
#0 0x40a14e in process_DQT jhead-3.
#1 0x407e02 in ReadJpegSections jhead-3.
#2 0x408581 in ReadJpegFile jhead-3.
#3 0x405039 in ProcessFile jhead-3.
#4 0x40267d in main jhead-3.
#5 0x7fd1a987182f in __libc_start_main (/lib/x86_
#6 0x403c38 in _start (install/
0x60700001b183 is located 0 bytes to the right of 67-byte region [0x60700001b140
allocated by thread T0 here:
#0 0x7fd1a9fbc602 in malloc (/usr/lib/
#1 0x40798b in ReadJpegSections jhead-3.
#2 0x408581 in ReadJpegFile jhead-3.
#3 0x405039 in ProcessFile jhead-3.
#4 0x40267d in main jhead-3.
#5 0x7fd1a987182f in __libc_start_main (/lib/x86_
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x0c0e7fffb5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffb5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffb600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffb610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffb620: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fffb63
0x0c0e7fffb640: fa fa fa fa 00 00 00 00 00 00 00 00 03 fa fa fa
0x0c0e7fffb650: fa fa 00 00 00 00 00 00 00 00 03 fa fa fa fa fa
0x0c0e7fffb660: 00 00 00 00 00 00 00 00 03 fa fa fa fa fa 00 00
0x0c0e7fffb670: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
0x0c0e7fffb680: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==20109==ABORTING
```
| WangXiaoxiong (1217161407-3) wrote | #1 |
| Paulo Flabiano Smorigo (pfsmorigo) wrote | #2 |
| tags: | added: community-security |
| information type: | Private Security → Public Security |
| information type: | Public Security → Private Security |
| information type: | Private Security → Public Security |
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/