heap buffer overflow is found in jpeg.c #3137

Closed
iwashiira opened this issue May 10, 2024 · 1 comment

Comments

@iwashiira
Contributor

Our fuzzer found a heap buffer overflow in jpeg.c in the current main (9ba1504).

The following is the output of valgrind.
vuln24.jpg is in vuln24.zip

==27100== Memcheck, a memory error detector
==27100== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27100== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==27100== Command: ./build/bin/lws-api-test-jpeg --stdin ../crash/vuln24.jpg
==27100==
[2024/05/10 13:07:31:7922] U: LWS JPEG test tool
[2024/05/10 13:07:31:8557] W: read_sof_marker: 529 x 566
==27100== Invalid write of size 1
==27100==    at 0x11E044: lws_jpeg_mcu_next (jpeg.c:2454)
==27100==    by 0x11E78F: lws_jpeg_emit_next_line (jpeg.c:2670)
==27100==    by 0x1135E0: main (main.c:100)
==27100==  Address 0x4f82fc5 is 21 bytes after a block of size 25,392 alloc'd
==27100==    at 0x48487A9: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==27100==    by 0x168612: _realloc (alloc.c:151)
==27100==    by 0x1686E3: lws_zalloc (alloc.c:212)
==27100==    by 0x11E6EC: lws_jpeg_emit_next_line (jpeg.c:2646)
==27100==    by 0x1135E0: main (main.c:100)
==27100==
==27100== Invalid write of size 1
==27100==    at 0x11E05D: lws_jpeg_mcu_next (jpeg.c:2455)
==27100==    by 0x11E78F: lws_jpeg_emit_next_line (jpeg.c:2670)
==27100==    by 0x1135E0: main (main.c:100)
==27100==  Address 0x4f82fc6 is 22 bytes after a block of size 25,392 alloc'd
==27100==    at 0x48487A9: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==27100==    by 0x168612: _realloc (alloc.c:151)
==27100==    by 0x1686E3: lws_zalloc (alloc.c:212)
==27100==    by 0x11E6EC: lws_jpeg_emit_next_line (jpeg.c:2646)
==27100==    by 0x1135E0: main (main.c:100)
==27100==
==27100== Invalid write of size 1
==27100==    at 0x11E076: lws_jpeg_mcu_next (jpeg.c:2456)
==27100==    by 0x11E78F: lws_jpeg_emit_next_line (jpeg.c:2670)
==27100==    by 0x1135E0: main (main.c:100)
==27100==  Address 0x4f82fc7 is 23 bytes after a block of size 25,392 alloc'd
==27100==    at 0x48487A9: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==27100==    by 0x168612: _realloc (alloc.c:151)
==27100==    by 0x1686E3: lws_zalloc (alloc.c:212)
==27100==    by 0x11E6EC: lws_jpeg_emit_next_line (jpeg.c:2646)
==27100==    by 0x1135E0: main (main.c:100)
==27100==
...
[omission]
...
[2024/05/10 13:07:31:9384] E: main: failed to read: 0
[2024/05/10 13:07:31:9405] U: Completed: PASS (read 3536)
==27100==
==27100== HEAP SUMMARY:
==27100==     in use at exit: 0 bytes in 0 blocks
==27100==   total heap usage: 7 allocs, 7 frees, 32,196 bytes allocated
==27100==
==27100== All heap blocks were freed -- no leaks are possible
==27100==
==27100== For lists of detected and suppressed errors, rerun with: -s
==27100== ERROR SUMMARY: 24 errors from 3 contexts (suppressed: 0 from 0)

It is caused by this line.

libwebsockets/lib/misc/jpeg.c, lines 2643 to 2644 in 9ba1504:

mcu_buf_len = (size_t)(j->image_width * j->frame_comps *
j->mcu_max_size_y);

max pDst = j->lines + (j->mcu_max_row * j->mcu_max_size_x * j->frame_comps) + (j->mcu_max_size_y * row_pitch) + (j->mcu_max_size_x * j->frame_comps) + (by_limit * row_pitch) + (bx_limit * 3)
Hence, the following checks are not sufficient:

libwebsockets/lib/misc/jpeg.c, lines 2472 to 2473 in 9ba1504:

if (dr >= j->lines + (row_pitch * j->mcu_max_size_y))
dr -= j->mcu_max_size_y * row_pitch;

Ricerca Security, Inc.
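As an added illustration (not libwebsockets code and not the change in 3138), the snippet below models the line-buffer sizing quoted from jpeg.c together with an MCU emit that clips to the image width and checks each row's byte range against the allocation before writing; the field names, row_pitch = image_width * frame_comps, and the 16x16 MCU geometry are assumptions, while the 529-pixel width, 3 components and 25,392-byte block come from the valgrind output above.

```c
/* Added example, not libwebsockets code. Field names and row_pitch are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct line_buf {
    uint8_t *base;   /* allocation of mcu_buf_len bytes */
    size_t len;      /* allocated length: the only real bound on writes */
};

/* Same computation as jpeg.c lines 2643-2644 quoted in the report. */
size_t mcu_buf_len(size_t image_width, size_t frame_comps, size_t mcu_max_size_y)
{
    return image_width * frame_comps * mcu_max_size_y;
}

/* Emit a bw x bh MCU whose left edge is pixel column x0 of the line buffer.
 * With clip set, the block is narrowed to the image width; in either case the
 * last row's end is checked against buf->len before any byte is written.
 * Returns pixels written, or -1 if the block would overrun the allocation. */
long emit_mcu(struct line_buf *buf, size_t image_width, size_t frame_comps,
              size_t x0, size_t bw, size_t bh, int clip)
{
    size_t row_pitch = image_width * frame_comps;   /* assumed definition */
    size_t w = bw;

    if (clip && x0 + bw > image_width)
        w = image_width > x0 ? image_width - x0 : 0;
    if (bh && (bh - 1) * row_pitch + (x0 + w) * frame_comps > buf->len)
        return -1;                                  /* refuse, do not wrap */
    for (size_t y = 0; y < bh; y++) {
        uint8_t *dst = buf->base + y * row_pitch + x0 * frame_comps;
        memset(dst, 0x7f, w * frame_comps);         /* stand-in for samples */
    }
    return (long)(w * bh);
}

/* Geometry from the valgrind output: 529 px wide, 3 comps, 16-row band.
 * Returns 1 when the unclipped last-column MCU (x0 = 528) is rejected and
 * the clipped one is written, 0 otherwise. */
int check_report_geometry(void)
{
    size_t n = mcu_buf_len(529, 3, 16);
    struct line_buf buf = { calloc(n, 1), n };
    int ok;

    if (!buf.base)
        return 0;
    ok = emit_mcu(&buf, 529, 3, 528, 16, 16, 0) == -1 &&
         emit_mcu(&buf, 529, 3, 528, 16, 16, 1) == 16;
    free(buf.base);
    return ok;
}
```

The unclipped write at column 528 would end at row 15 * 1587 + 544 * 3 = 25,437 bytes, past the 25,392-byte block, which is the class of overrun the valgrind output reports.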

@lws-team
Member

Thanks, I pushed 3138
