Package: jhead
Version: 3.00-7

Integer overflow while running jhead.

There is an integer overflow in exif.c line 530. When OffsetVal=0xffff0014, ByteCount=0xffff and ExifLength=0x13e, the bounds check on that line passes because the sum OffsetVal + ByteCount wraps around. The subsequent strncpy call then reads from an out-of-bounds address and the program crashes with a segmentation fault. It may allow a remote attacker to cause unspecified impact, including a denial-of-service attack. Detailed log as follows:
zhang123@ubuntu:~/Desktop/jhead-3.00$ ./jhead ./testfile
ASAN:SIGSEGV
=================================================================
==21157==ERROR: AddressSanitizer: SEGV on unknown address 0x6130ffffde90 (pc 0x7efd4499e900 bp 0x7fffcbe95d50 sp 0x7fffcbe954d8 T0)
    #0 0x7efd4499e8ff in strnlen (/lib/x86_64-linux-gnu/libc.so.6+0x8b8ff)
    #1 0x7efd4505c4e2 in __interceptor_strncpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x764e2)
    #2 0x40efad in ProcessExifDir (/home/zhang123/Desktop/jhead-3.00/jhead+0x40efad)
    #3 0x410399 in process_EXIF (/home/zhang123/Desktop/jhead-3.00/jhead+0x410399)
    #4 0x40830d in ReadJpegSections.part.0 (/home/zhang123/Desktop/jhead-3.00/jhead+0x40830d)
    #5 0x4087dd in ReadJpegFile (/home/zhang123/Desktop/jhead-3.00/jhead+0x4087dd)
    #6 0x4049f6 in ProcessFile (/home/zhang123/Desktop/jhead-3.00/jhead+0x4049f6)
    #7 0x402575 in main (/home/zhang123/Desktop/jhead-3.00/jhead+0x402575)
    #8 0x7efd4493382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x403998 in _start (/home/zhang123/Desktop/jhead-3.00/jhead+0x403998)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strnlen
==21157==ABORTING

This bug was found by Hanfang Zhang at Sichuan University. Request a CVE ID. Thanks.
Attachment: testfile (binary data)
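To show why the reported values slip past the check and how a wrap-safe check rejects them, here is an added example (not jhead's own code): it assumes the original bounds check has the shape OffsetVal + ByteCount > ExifLength with 32-bit unsigned operands, which is what the reported values imply, and compares it with a form that tests each operand before adding.

```c
#include <stdint.h>
#include <stdio.h>

/* Values taken from the report above (constructed reproduction). */
#define REPORTED_OFFSET   0xffff0014u
#define REPORTED_COUNT    0xffffu
#define REPORTED_EXIF_LEN 0x13eu

/* Assumed shape of the vulnerable check. In 32-bit unsigned arithmetic
 * 0xffff0014 + 0xffff wraps to 0x13, which is below ExifLength 0x13e,
 * so the tag data is accepted although OffsetVal alone is far past the
 * end of the EXIF buffer. Returns 1 when the data would be accepted. */
int check_overflow_prone(uint32_t OffsetVal, uint32_t ByteCount, uint32_t ExifLength)
{
    return (OffsetVal + ByteCount > ExifLength) ? 0 : 1;
}

/* Hardened check: compare each operand against the buffer length before
 * doing any addition, so no intermediate sum can wrap around. */
int check_hardened(uint32_t OffsetVal, uint32_t ByteCount, uint32_t ExifLength)
{
    if (OffsetVal > ExifLength)
        return 0;                       /* offset itself is out of range */
    if (ByteCount > ExifLength - OffsetVal)
        return 0;                       /* count runs past the end */
    return 1;
}

int main(void)
{
    printf("overflow-prone check accepts reported values: %d\n",
           check_overflow_prone(REPORTED_OFFSET, REPORTED_COUNT, REPORTED_EXIF_LEN));
    printf("hardened check accepts reported values:       %d\n",
           check_hardened(REPORTED_OFFSET, REPORTED_COUNT, REPORTED_EXIF_LEN));
    return 0;
}
```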