Ubuntu
jhead package

heap buffer overflow crashes on proccess_COM

Bug #1890229 reported by Jingqi Long
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
jhead (Ubuntu)
New
Undecided
Unassigned

Bug Description

=================================================================
==31194==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000df13 at pc 0x00000041b5e0 bp 0x7ffdf29c8e50 sp 0x7ffdf29c8e40
READ of size 1 at 0x60700000df13 thread T0
    #0 0x41b5df in process_COM /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jpgfile.c:51
    #1 0x41d882 in ReadJpegSections /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jpgfile.c:241
    #2 0x41f62d in ReadJpegSections /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jpgfile.c:126
    #3 0x41f62d in ReadJpegFile /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jpgfile.c:379
    #4 0x411987 in ProcessFile /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jhead.c:905
    #5 0x4036ca in main /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jhead.c:1756
    #6 0x7f2a2e63f83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #7 0x40d498 in _start (/home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jhead+0x40d498)

0x60700000df13 is located 0 bytes to the right of 67-byte region [0x60700000ded0,0x60700000df13)
allocated by thread T0 here:
    #0 0x7f2a2fa97602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x41beaa in ReadJpegSections /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jpgfile.c:173
    #2 0x41f62d in ReadJpegSections /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jpgfile.c:126
    #3 0x41f62d in ReadJpegFile /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jpgfile.c:379
    #4 0x411987 in ProcessFile /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jhead.c:905
    #5 0x4036ca in main /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jhead.c:1756
    #6 0x7f2a2e63f83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mondaylord/Documents/SMSE-AFL/bin/jhead-3.04/jpgfile.c:51 process_COM
Shadow bytes around the buggy address:
  0x0c0e7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bd0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c0e7fff9be0: 00 00[03]fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff9bf0: 03 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==31194==ABORTING

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.