Bug#969593: Heap overflow in libjbig.

Sat, 05 Sep 2020 09:27:19 -0700 

Package: jbigkit
Version: 2.1

Casper Sun
slei.cas...@gmail.com



> On Sep 6, 2020, at 12:12 AM, Casper Sun <slei.cas...@gmail.com> wrote:
> 
> Hi,
> 
> Libjbig version 2.1 has a heap overflow vulnerability in jbg_newlen in jbig.c.
> 
> Stack trace:
> ```
> ==65175==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x6040000000b3 at pc 0x000000515757 bp 0x7fffffffdb20 sp 0x7fffffffdb18
> READ of size 1 at 0x6040000000b3 thread T0
>    #0 0x515756 in jbg_newlen 
> /home/casper/targets/struct/libjbig/afl/BUILD/libjbig/jbig.c:3278:16
>    #1 0x4f03bd in main 
> /home/casper/targets/struct/libjbig/afl/BUILD/pbmtools/jbgtopbm.c:394:14
>    #2 0x7ffff6e24b96 in __libc_start_main 
> /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
>    #3 0x41ae99 in _start 
> (/home/casper/targets/struct/libjbig/afl/fuzzrun/jbgtopbm+0x41ae99)
> 
> 0x6040000000b3 is located 0 bytes to the right of 35-byte region 
> [0x604000000090,0x6040000000b3)
> allocated by thread T0 here:
>    #0 0x4a7de8 in realloc 
> /home/casper/fuzz/fuzzdeps/llvm-9.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:164
>    #1 0x4ec0d6 in read_file 
> /home/casper/targets/struct/libjbig/afl/BUILD/pbmtools/jbgtopbm.c:78:28
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /home/casper/targets/struct/libjbig/afl/BUILD/libjbig/jbig.c:3278:16 in 
> jbg_newlen
> Shadow bytes around the buggy address:
>  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c087fff8000: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 05
> =>0x0c087fff8010: fa fa 00 00 00 00[03]fa fa fa fa fa fa fa fa fa
>  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:       fa
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Container overflow:      fc
>  Array cookie:            ac
>  Intra object redzone:    bb
>  ASan internal:           fe
>  Left alloca redzone:     ca
>  Right alloca redzone:    cb
>  Shadow gap:              cc
> ```
> 
> Reproduce steps:
> 1. Compile libjbig with as an
> 2. Run command line `./jbgtopbm poc`
> 
> <poc>
> 
> 
> Best regards,
> Casper
> 
>

Reply via email to