heap-buffer-overflow on jhead(<=2.97, 3.00)/jpgqguess.c:188 in process_DHT

Bug #1895806 reported by Binbin Li
Affects: jhead (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Heap-buffer-overflow while running jhead (v2.97, v3.00). A patch for this bug has been provided in >= v3.0.2, but it still exists in v2.97 and v3.00. Detailed log as follows (POC in attachment):

lbb@lbb ./jhead-2.97/jhead ./jhead-2.97/crashes/I5G9X5~S

Nonfatal Error : './jhead-2.97/crashes/I5G9X5~S' Extraneous 11 padding bytes before section DC
=================================================================
==3525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000094 at pc 0x00000040bf7f bp 0x7ffd7f6c0b80 sp 0x7ffd7f6c0b78
READ of size 1 at 0x602000000094 thread T0
    #0 0x40bf7e in process_DHT /home/jhead-2.97/jpgqguess.c:188
    #1 0x408a62 in ReadJpegSections /home/jhead-2.97/jpgfile.c:228
    #2 0x4092ad in ReadJpegSections /home/jhead-2.97/jpgfile.c:126
    #3 0x4092ad in ReadJpegFile /home/jhead-2.97/jpgfile.c:375
    #4 0x404cb7 in ProcessFile /home/jhead-2.97/jhead.c:881
    #5 0x402a10 in main /home/jhead-2.97/jhead.c:1684
    #6 0x7f836156283f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #7 0x403ca8 in _start (/home/jhead-2.97/jhead+0x403ca8)

0x602000000094 is located 0 bytes to the right of 4-byte region [0x602000000090,0x602000000094)
allocated by thread T0 here:
    #0 0x7f8361cee290 in __interceptor_malloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x4083e5 in ReadJpegSections /home/jhead-2.97/jpgfile.c:173
    #2 0x4092ad in ReadJpegSections /home/jhead-2.97/jpgfile.c:126
    #3 0x4092ad in ReadJpegFile /home/jhead-2.97/jpgfile.c:375
    #4 0x404cb7 in ProcessFile /home/jhead-2.97/jhead.c:881
    #5 0x402a10 in main /home/jhead-2.97/jhead.c:1684
    #6 0x7f836156283f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jhead-2.97/jpgqguess.c:188 in process_DHT
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fd fa fa 02 fa fa fa 02 fa fa fa 02 fa
=>0x0c047fff8010: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==3525==ABORTING

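The trace above is the classic shape of a length-driven overflow in a segment parser: ReadJpegSections allocates exactly the section's declared size (a 4-byte region here, i.e. the 2-byte length field plus 2 bytes of payload), and process_DHT then reads past it because it walks the DHT tables by what the bytes claim rather than by what was allocated. The following is an added example, not jhead's code and not the 3.0.2 fix; it shows how a DHT (0xFFC4) section should be validated against the buffer it actually lives in. The layout of a DHT table (1 byte class/id, 16 code-length counts, then that many symbol bytes) is the standard JPEG one; the buffer convention (length bytes included at the front, as in the jhead trace) and the sample sections are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the DHT section check (hypothetical names). */
enum dht_status { DHT_OK = 0, DHT_TRUNCATED = 1, DHT_BAD_TABLE = 2 };

/*
 * Validate one JPEG DHT section.  `data` points at the section as a
 * length-prefixed buffer: two big-endian length bytes followed by one or
 * more Huffman tables; `len` is the number of bytes actually held by that
 * buffer.  Every read is bounds-checked against the buffer, so a section
 * whose declared length is too short for the tables it starts (the shape
 * of the crashing input above) is rejected instead of read past the end.
 * On success *tables receives the number of tables found.
 */
static enum dht_status check_dht(const uint8_t *data, size_t len, int *tables)
{
    int count = 0;
    if (tables) *tables = 0;
    if (len < 2) return DHT_TRUNCATED;

    /* the declared length must be covered by the bytes we actually have */
    size_t end = ((size_t)data[0] << 8) | data[1];
    if (end < 2 || end > len) return DHT_TRUNCATED;

    size_t pos = 2;                      /* skip the length field */
    while (pos < end) {
        /* 1 byte class/id + 16 bytes of code-length counts */
        if (end - pos < 17) return DHT_TRUNCATED;
        uint8_t tc = data[pos] >> 4;     /* 0 = DC table, 1 = AC table */
        uint8_t th = data[pos] & 0x0F;   /* table id 0..3 */
        if (tc > 1 || th > 3) return DHT_BAD_TABLE;

        size_t nsyms = 0;
        for (int i = 0; i < 16; i++) nsyms += data[pos + 1 + i];
        if (nsyms > 256) return DHT_BAD_TABLE;
        pos += 17;

        /* the symbol bytes must also fit inside the section */
        if (end - pos < nsyms) return DHT_TRUNCATED;
        pos += nsyms;
        count++;
    }
    if (tables) *tables = count;
    return DHT_OK;
}

/* Constructed samples (not from the attached POC). */

/* Well-formed: length 20, one DC table with a single 1-bit code for symbol 0. */
static const uint8_t kValidDht[20] = {
    0x00, 0x14, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00
};

/* Same shape as the crash: a 4-byte section that starts a table it cannot hold. */
static const uint8_t kShortDht[4] = { 0x00, 0x04, 0x00, 0x01 };

/* Counts promise one symbol, but the section ends right after the counts. */
static const uint8_t kMissingSymbols[19] = {
    0x00, 0x13, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    int n = 0;
    printf("valid:   status=%d tables=%d\n", check_dht(kValidDht, sizeof kValidDht, &n), n);
    printf("short:   status=%d\n", check_dht(kShortDht, sizeof kShortDht, NULL));
    printf("missing: status=%d\n", check_dht(kMissingSymbols, sizeof kMissingSymbols, NULL));
    return 0;
}
```

The point of the example is the order of operations: the size of the next read (17 bytes, then nsyms bytes) is compared with the bytes remaining in the buffer before any of those bytes are touched. Compiled with `-fsanitize=address`, the short sample is rejected with DHT_TRUNCATED and no out-of-bounds read is reported; a parser that trusts the 16 count bytes first would read past a 4-byte region exactly as the trace shows.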