Package: libjbig2dec0
Version: 0.11+20120125-1
Tags: security
Usertags: afl

jbig2dec crashes on the attached file:

$ ./jbig2dec crash.jb2
jbig2dec WARNING No OOB signalling end of height class 2 (segment 0x00)
*** Error in `/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec': free(): invalid pointer: 0x08b98240 ***
Aborted


Rebuilding the package with "-fsanitize=address" reveals that the root cause is a heap-based buffer overflow:

$ ./jbig2dec crash.jb2
=================================================================
==4112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4303f6c at pc 0xf726b146 bp 0xff8eccc8 sp 0xff8eccbc
WRITE of size 4 at 0xf4303f6c thread T0
    #0 0xf726b145 in jbig2_decode_symbol_dict /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:626
    #1 0xf726b145 in jbig2_symbol_dictionary /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:1054
    #2 0xf7263cd0 in jbig2_parse_segment /home/jwilk/jbig2dec-0.11+20120125/jbig2_segment.c:251
    #3 0xf725d598 in jbig2_data_in /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:356
    #4 0x80499d5 in main /home/jwilk/jbig2dec-0.11+20120125/jbig2dec.c:449
    #5 0xf7035a62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
    #6 0x804a6eb (/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec+0x804a6eb)

0xf4303f6c is located 0 bytes to the right of 7788-byte region [0xf4302100,0xf4303f6c)
allocated by thread T0 here:
    #0 0xf72e16e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
    #1 0xf725c237 in jbig2_default_alloc /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:35


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libjbig2dec0 depends on:
ii  libc6       2.19-15
ii  libpng12-0  1.2.50-2+b2
ii  zlib1g      1:1.2.8.dfsg-2+b1

--
Jakub Wilk

Attachment: crash.jb2
Description: Binary data
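When a fuzzer such as AFL produces many crashing inputs, the first triage step is to turn each AddressSanitizer report into a few structured fields (error kind, access type and size, top source frames, allocation site) and a stable bucket key so that duplicates of the same bug can be grouped regardless of ASLR-dependent addresses. The following script is an added example written for this page; it is not part of jbig2dec or of the bug report. The sample report embedded in it is constructed from the sanitizer output quoted above (with the mail line-wrapping undone); the parser, the `Frame`/`AsanReport` types and the `crash_bucket` key format are this example's own choices.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample: the AddressSanitizer report from the bug report above,
# re-joined into one line per frame as ASan originally printed it.
ASAN_REPORT = """\
=================================================================
==4112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4303f6c at pc 0xf726b146 bp 0xff8eccc8 sp 0xff8eccbc
WRITE of size 4 at 0xf4303f6c thread T0
    #0 0xf726b145 in jbig2_decode_symbol_dict /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:626
    #1 0xf726b145 in jbig2_symbol_dictionary /home/jwilk/jbig2dec-0.11+20120125/jbig2_symbol_dict.c:1054
    #2 0xf7263cd0 in jbig2_parse_segment /home/jwilk/jbig2dec-0.11+20120125/jbig2_segment.c:251
    #3 0xf725d598 in jbig2_data_in /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:356
    #4 0x80499d5 in main /home/jwilk/jbig2dec-0.11+20120125/jbig2dec.c:449
    #5 0xf7035a62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
    #6 0x804a6eb (/home/jwilk/jbig2dec-0.11+20120125/.libs/lt-jbig2dec+0x804a6eb)

0xf4303f6c is located 0 bytes to the right of 7788-byte region [0xf4302100,0xf4303f6c)
allocated by thread T0 here:
    #0 0xf72e16e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
    #1 0xf725c237 in jbig2_default_alloc /home/jwilk/jbig2dec-0.11+20120125/jbig2.c:35
"""

# Regular expressions for the ASan report lines this triage cares about.
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
# "in <func>" is optional: unsymbolised frames (like #6 above) only carry module+offset.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ (?:in (?P<func>\S+) )?(?P<loc>\S+)", re.M)
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region")


@dataclass
class Frame:
    index: int
    func: str        # "??" when the frame is not symbolised
    location: str    # "path/file.c:line" or "(module+offset)"

    def is_source(self) -> bool:
        # A frame resolved to a source file, as opposed to a bare module+offset.
        return not self.location.startswith("(") and ":" in self.location

    def short_location(self) -> str:
        # Strip the build directory so the key is the same on every machine.
        return os.path.basename(self.location)


@dataclass
class AsanReport:
    kind: str
    address: str
    op: str
    size: int
    frames: list          # access stack, innermost first
    region_size: int      # size of the heap region involved (0 if not reported)
    distance: int         # bytes between the access and the region edge
    side: str             # "left" or "right" of the region ("" if not reported)
    alloc_frames: list    # allocation stack, innermost first


def parse_frames(text: str) -> list:
    return [Frame(int(m["n"]), m["func"] or "??", m["loc"]) for m in FRAME_RE.finditer(text)]


def parse_asan_report(report: str) -> AsanReport:
    err = ERROR_RE.search(report)
    if err is None:
        raise ValueError("not an AddressSanitizer report")
    access = ACCESS_RE.search(report)
    region = REGION_RE.search(report)
    # The access stack comes first; the allocation stack follows "allocated by".
    split = report.find("allocated by")
    head = report if split < 0 else report[:split]
    tail = "" if split < 0 else report[split:]
    return AsanReport(
        kind=err["kind"],
        address=err["addr"],
        op=access["op"] if access else "",
        size=int(access["size"]) if access else 0,
        frames=parse_frames(head),
        region_size=int(region["size"]) if region else 0,
        distance=int(region["dist"]) if region else 0,
        side=region["side"] if region else "",
        alloc_frames=parse_frames(tail),
    )


def crash_bucket(report: AsanReport, depth: int = 3) -> str:
    """Stable dedup key: error kind plus the top `depth` source-resolved frames.

    Addresses and unsymbolised frames are excluded on purpose, so the same bug
    reached from the same call path yields the same key across runs."""
    src = [f for f in report.frames if f.is_source()]
    parts = [report.kind] + [f"{f.func}:{f.short_location()}" for f in src[:depth]]
    return "|".join(parts)


def summarize(report: AsanReport) -> str:
    top = next((f for f in report.frames if f.is_source()), None)
    alloc = next((f for f in reversed(report.alloc_frames) if f.is_source()), None)
    where = f"{top.func} ({top.short_location()})" if top else "unknown frame"
    alloc_at = f"{alloc.func} ({alloc.short_location()})" if alloc else "unknown"
    return (f"{report.kind}: {report.op} of {report.size} bytes {report.distance} bytes "
            f"{report.side} of a {report.region_size}-byte region in {where}; "
            f"region allocated at {alloc_at}")


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(summarize(r))
    print("bucket:", crash_bucket(r))
```

Feeding every AFL crash file's sanitizer output through `crash_bucket` and grouping by the key gives one entry per distinct bug rather than one per input; a `WRITE` past the end of a heap region, as here, is the kind of entry to put at the top of the list.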
