Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 18 Nov 2016 16:55:12 +0800
From: "wykcomputer@...il.com" <wykcomputer@...il.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: [Bug report] Vulnerability In libbpg-2

Hello,
I find a out-of-bounds write issue in libbpg(0.9.7, maybe other early versions), which can lead to memory corruption or even remote code execution.
I have reported it to the author of libbpg, but no responding, so I report it to you.

Run ./bpgenc PoC.jpg out.bpg, get the crash as follows.
Crash Log:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004069ce in gray8_to_gray (s=0x7fffffffd320, y_ptr=0x0, 
    src=0x7ffff0000df0 "\233\264\237\255\257\252\256\253", '\254' <repeats 56 times>, 'Y' <repeats 24 times>, "\020\342T]P\023\233q\377\377\377\377\377\377\377\377", 'w' <repeats 64 times>, "vwx{uw~m\221", '\377' <repeats 23 times>..., n=65260, incr=1) at bpgenc.c:255
255         y_ptr[i] = (c * g + rnd) >> shift;
(gdb) bt
#0  0x00000000004069ce in gray8_to_gray (s=0x7fffffffd320, y_ptr=0x0, 
    src=0x7ffff0000df0 "\233\264\237\255\257\252\256\253", '\254' <repeats 56 times>, 'Y' <repeats 24 times>, "\020\342T]P\023\233q\377\377\377\377\377\377\377\377", 'w' <repeats 64 times>, "vwx{uw~m\221", '\377' <repeats 23 times>..., n=65260, incr=1) at bpgenc.c:255
#1  0x000000000040a0d3 in read_jpeg (pmd=0x7fffffffd8f8, f=0x11ca730, out_bit_depth=8) at bpgenc.c:1368
#2  0x000000000040a496 in load_image (pmd=0x7fffffffd978, infilename=0x7fffffffe28a "../libbpg-0.9.7/out_enc_jpg/crashes/0.jpg", color_space=BPG_CS_YCbCr, bit_depth=8, limited_range=0, 
    premultiplied_alpha=0) at bpgenc.c:1451
#3  0x000000000040e0e1 in main (argc=4, argv=0x7fffffffdeb8) at bpgenc.c:2942

read_jpeg function in bpgenc.c, img->data[i] = malloc(linesize * h1), linesize * h1 maybe integer over-flow(larger than 0xffffffff), this lead to malloc a smaller memory than expected, when execute to gray8_to_gray, maybe cause out-of-bounds write.

Image *read_jpeg(BPGMetaData **pmd, FILE *f, int out_bit_depth)
//...
img = image_alloc(w, h, format, has_alpha, color_space, out_bit_depth);
|
|->for(i = 0; i < c_count; i++) {
get_plane_res(img, &w1, &h1, i);
/* multiple of 16 pixels to add borders */
w1 = (w1 + (W_PAD - 1)) & ~(W_PAD - 1);
h1 = (h1 + (W_PAD - 1)) & ~(W_PAD - 1);

linesize = w1 << img->pixel_shift;
img->data[i] = malloc(linesize * h1);//maybe integer overflow

//...
ptr = (PIXEL *)(img->data[idx] + 
                                    img->linesize[idx] * (y1 + i));
        gray8_to_gray(cvt, ptr, rows[c_idx][i], w1, 1);
|
|->y_ptr[i] = (c * g + rnd) >> shift;

Fix:
To check the integer overflow issue. Such as,
linesize = w1 << img->pixel_shift;
+ uint64_t tmp = (uint64_t)linesize * h1;
+ if(tmp > 0xffffffff)
return NULL;
img->data[i] = malloc(linesize * h1);

Thank you for your reading!


wykcomputer@...il.com

[ CONTENT OF TYPE text/html SKIPPED ]

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ