schnaader/precomp-cpp

Heap buffer overflow - jpg_parse_jfif

andrew-epstein opened this issue · 3 comments

OS: macOS 10.14.4
Compiled with afl-clang, with -fsanitize=address added to both CMAKE_C_FLAGS and CMAKE_CXX_FLAGS. Actual compiler is clang version 8.0.0 (note, NOT Apple LLVM).
Here's the output from AddressSanitizer:

==70370==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000002f2 at pc 0x0001008f450e bp 0x7ffeef4d09e0 sp 0x7ffeef4d09d8
READ of size 1 at 0x6120000002f2 thread T0
    #0 0x1008f450d in jpg_parse_jfif(unsigned char, unsigned int, unsigned char*) packjpg.cpp:4603
    #1 0x1008bc7da in decode_jpeg() packjpg.cpp:2424
    #2 0x1008b6558 in pjglib_convert_stream2mem(unsigned char**, unsigned int*, char*) packjpg.cpp:1744
    #3 0x100c3775b in try_decompression_jpg(long long, bool) precomp.cpp:6486
    #4 0x100bf1cd9 in compress_file(float, float) precomp.cpp:4122
    #5 0x100be1394 in main precomp.cpp:505
    #6 0x7fff7f65e3d4 in start (libdyld.dylib:x86_64+0x163d4)

0x6120000002f2 is located 0 bytes to the right of 306-byte region [0x6120000001c0,0x6120000002f2)
allocated by thread T0 here:
    #0 0x100fa2167 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x61167)
    #1 0x1008a9d7e in abytewriter::getptr() bitops.cpp:21
    #2 0x1008bbf61 in read_jpeg() packjpg.cpp:2208
    #3 0x1008b6459 in pjglib_convert_stream2mem(unsigned char**, unsigned int*, char*) packjpg.cpp:1744
    #4 0x100c3775b in try_decompression_jpg(long long, bool) precomp.cpp:6486
    #5 0x100bf1cd9 in compress_file(float, float) precomp.cpp:4122
    #6 0x100be1394 in main precomp.cpp:505
    #7 0x7fff7f65e3d4 in start (libdyld.dylib:x86_64+0x163d4)

SUMMARY: AddressSanitizer: heap-buffer-overflow packjpg.cpp:4603 in jpg_parse_jfif(unsigned char, unsigned int, unsigned char*)

Command line invocation was along the lines of the following:

./precomp -cn -t+j id\:000000\,src\:000003\,op\:flip1\,pos\:276

What is the best way to get the offending files to you? GitHub doesn't seem to want to let me attach them. They are small, so would a hex dump be good?
Please let me know if you need anything else; I'll be happy to provide to the best of my ability.
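The ASan report above shows a one-byte read exactly at the end of the 306-byte buffer that `abytewriter::getptr()` handed to the JFIF parser, i.e. the APP0 parsing code walked one byte further than the data it was given. The report does not show which check is missing in packjpg, so the following is not a reconstruction of packjpg's code but an added, illustrative bounds-checked JFIF (APP0) segment parser in C, written for this page. It shows the two places a JFIF reader has to stop trusting the file: the segment length field, and the thumbnail dimensions that imply more payload. The sample JPEG header bytes, the `parse_jfif`/`parse_with_byte_set` names and the `overread` field (how far a length-trusting reader would have read past the buffer) are all constructed for the example; the single-byte mutation mirrors what an afl `flip1` at a given position does to an input.

```c
/* Bounds-checked JFIF (APP0) header parser. Added example, not packjpg's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum jfif_status {
    JFIF_OK = 0,
    JFIF_NO_SOI,          /* buffer does not start with FF D8 */
    JFIF_NO_APP0,         /* reached SOS/EOI or ran out of markers without an APP0 */
    JFIF_SHORT_SEGMENT,   /* declared length too small to hold a JFIF header */
    JFIF_TRUNCATED,       /* declared length / thumbnail reaches past the buffer end */
    JFIF_BAD_MAGIC,       /* APP0 payload is not "JFIF\0" */
    JFIF_BAD_ARG
};

struct jfif_info {
    uint8_t  version_major, version_minor;
    uint8_t  units;                 /* 0 = aspect ratio, 1 = dpi, 2 = dpcm */
    uint16_t xdensity, ydensity;
    uint8_t  xthumb, ythumb;
    size_t   overread;              /* bytes a length-trusting parser would read past `len` */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the marker chain from SOI, find the first APP0 segment and parse the JFIF
   header in it. Every access is checked against `len` before it happens, and the
   distance of an attempted over-read is recorded in out->overread. */
enum jfif_status parse_jfif(const uint8_t *buf, size_t len, struct jfif_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JFIF_NO_SOI;
    size_t pos = 2;
    for (;;) {
        if (pos + 4 > len || buf[pos] != 0xFF) return JFIF_NO_APP0; /* marker + length */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }                   /* fill byte */
        if (marker == 0xD9 || marker == 0xDA) return JFIF_NO_APP0;  /* EOI / SOS */
        uint16_t seglen = be16(buf + pos + 2);   /* length field counts itself */
        if (seglen < 2) return JFIF_SHORT_SEGMENT;
        size_t seg_start = pos + 4;              /* seg_start <= len, checked above */
        size_t payload   = (size_t)seglen - 2;
        size_t avail     = len - seg_start;
        if (payload > avail) {                   /* the classic unchecked-length over-read */
            out->overread = payload - avail;
            return JFIF_TRUNCATED;
        }
        if (marker == 0xE0) {
            /* "JFIF\0"(5) ver(2) units(1) xdens(2) ydens(2) xthumb(1) ythumb(1) = 14 bytes */
            if (payload < 14) return JFIF_SHORT_SEGMENT;
            const uint8_t *p = buf + seg_start;
            if (memcmp(p, "JFIF", 5) != 0) return JFIF_BAD_MAGIC;
            out->version_major = p[5];
            out->version_minor = p[6];
            out->units         = p[7];
            out->xdensity      = be16(p + 8);
            out->ydensity      = be16(p + 10);
            out->xthumb        = p[12];
            out->ythumb        = p[13];
            /* the RGB thumbnail that follows the fixed header must also fit in the segment */
            size_t thumb = (size_t)out->xthumb * out->ythumb * 3;
            if (thumb > payload - 14) {
                out->overread = thumb - (payload - 14);
                return JFIF_TRUNCATED;
            }
            return JFIF_OK;
        }
        pos = seg_start + payload;               /* skip other APPn/DQT/... segments */
    }
}

/* Constructed sample: SOI, a 16-byte APP0 (JFIF 1.01, 72x72 dpi, no thumbnail), EOI. */
static const uint8_t JFIF_SAMPLE[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01, 0x01, 0x00,
    0x00, 0x48, 0x00, 0x48, 0x00, 0x00,
    0xFF, 0xD9
};
/* Same header but claiming a 1x1 thumbnail the segment has no room for. */
static const uint8_t JFIF_THUMB_SAMPLE[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01, 0x01, 0x00,
    0x00, 0x48, 0x00, 0x48, 0x01, 0x01,
    0xFF, 0xD9
};

/* Parse a copy of `src` with byte `idx` replaced by `val`, i.e. one afl-style mutation. */
enum jfif_status parse_with_byte_set(const uint8_t *src, size_t len, size_t idx,
                                     uint8_t val, struct jfif_info *out)
{
    uint8_t copy[64];
    if (len > sizeof copy || idx >= len) return JFIF_BAD_ARG;
    memcpy(copy, src, len);
    copy[idx] = val;
    return parse_jfif(copy, len, out);
}

int main(void)
{
    struct jfif_info info;
    enum jfif_status s = parse_jfif(JFIF_SAMPLE, sizeof JFIF_SAMPLE, &info);
    printf("intact:          status=%d density=%ux%u\n", s, info.xdensity, info.ydensity);
    s = parse_with_byte_set(JFIF_SAMPLE, sizeof JFIF_SAMPLE, 4, 0x80, &info);
    printf("length hi-bit:   status=%d overread=%zu bytes\n", s, info.overread);
    s = parse_jfif(JFIF_SAMPLE, 10, &info);
    printf("file cut at 10:  status=%d overread=%zu bytes\n", s, info.overread);
    s = parse_jfif(JFIF_THUMB_SAMPLE, sizeof JFIF_THUMB_SAMPLE, &info);
    printf("thumb overflow:  status=%d overread=%zu bytes\n", s, info.overread);
    return 0;
}
```

The `overread` value is the interesting number when triaging a fuzzer finding like this one: a few bytes past the end means a field-size or off-by-one mistake in the fixed header (the report above shows exactly 0 bytes past a 306-byte region, i.e. the very first byte beyond the allocation), while a value in the tens of kilobytes means the code trusted a 16-bit length field outright. Either way the fix is the same shape: compare the declared size with the bytes actually remaining before reading them.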

What is the best way to get the offending files to you?

You can send them per mail (schnaader@gmx.de) or post a link to uploaded images and I'll attach them to the issues.

@schnaader I have emailed the files for all 3 issues to you.