jp2a "print_image()" buffer-overflow vulnerability #12

Open
yangjiageng opened this issue Jun 25, 2020 · 1 comment
Comments

@yangjiageng

Description:
There is a global-buffer-overflow bug in jp2a/src/image.c, line 185, in the print_image function.
This bug will cause an out-of-bounds read vulnerability.

The arguments redweight, greenweight and blueweight are only checked with "Weights RED+GREEN+BLUE must equal 1.0" in src/options.c, line 333.

But if I input a huge value for --red while the sum of these three arguments still equals 1.0, the variable pos (src/image.c, line 183) will be larger than the intended value.

Therefore, the value of the expression (invert ? pos : chars - pos) will exceed 256 (the variable ascii_palette is an array of 256 elements), so there is a buffer overflow in the print_image function.

Command line: jp2a beauty.jpeg --red=65532 --green=-65531 --blue=0

==63250==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000073724b at pc 0x0000004f1dc2 bp 0x7ffd4fb0e6b0 sp 0x7ffd4fb0e6a8
READ of size 1 at 0x00000073724b thread T0
#0 0x4f1dc1 in print_image /root/Downloads/PoC/jp2a/src/image.c:185:40
#1 0x4f48c3 in decompress /root/Downloads/PoC/jp2a/src/image.c:447:2
#2 0x4eed95 in main /root/Downloads/PoC/jp2a/src/jp2a.c:103:4
#3 0x7f6d9addeb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#4 0x41bc89 in _start (/root/Downloads/PoC/jp2a/src/jp2a+0x41bc89)

Address 0x00000073724b is a wild pointer.
SUMMARY: AddressSanitizer: global-buffer-overflow /root/Downloads/PoC/jp2a/src/image.c:185:40 in print_image
Shadow bytes around the buggy address:
0x0000800dedf0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0000800dee40: f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9
0x0000800dee50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==63250==ABORTING


System Configuration
jp2a 1.0.8
Copyright 2006-2016 Christian Stigen Larsen
Distributed under the GNU General Public License (GPL) v2.

Talinx added a commit to Talinx/jp2a that referenced this issue Aug 1, 2020
Setting weights like --red=65532 --green=-65531 --blue=0 were valid
(because they sum up to one), but cause a buffer-overflow when printing
an image.
This has been fixed and the weights system revised to be more
user-friendly (weights do not have to sum up to one, that happens
internally).

See: cslarsen#12
@Talinx

Talinx commented Aug 1, 2020

This has now been fixed: Talinx@a63bdfa
The weights system is now a lot better. Negative values are rejected and the values do not have to sum up to one because jp2a can do that internally.

Thank you for the report!

(jp2a is now maintained here: Talinx/jp2a)
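Added example (written for this page; it is not jp2a's code and not from the reporter or the maintainer): a small C model of the palette lookup the report describes, showing why "weights must sum to 1.0" is not a sufficient check, beside a hardened lookup that does what the follow-up commit describes (negative weights rejected, the sum normalised internally). The palette string, the function names (palette_index_unchecked, palette_index_hardened, render_row) and the index formula are assumptions modelled on the report, not copied from jp2a's image.c; the sample scanline is constructed.

```c
/* Added example, not jp2a's code. Models the out-of-bounds palette index
 * reported in cslarsen/jp2a#12 and the shape of the fix. Names and the index
 * formula are assumptions based on the report, not jp2a's actual source. */
#include <stdio.h>
#include <string.h>

/* Constructed dark-to-light ramp. In jp2a the corresponding buffer is the
 * 256-byte ascii_palette the report refers to. */
static const char palette[] = "   ...',;:clodxkO0KXNWM";
#define PALETTE_LEN ((int)(sizeof palette - 1))

/* Round half away from zero without needing libm. */
static long round_to_long(double v) {
    return v >= 0.0 ? (long)(v + 0.5) : -(long)(-v + 0.5);
}

/* The only validation the report says the original performs (options.c):
 * the three weights must add up to 1.0. Passes for 65532 + (-65531) + 0. */
int weights_sum_to_one(double r, double g, double b) {
    double d = (r + g + b) - 1.0;
    return (d < 0.0 ? -d : d) < 1e-6;
}

/* Vulnerable index computation. It assumes luma y = r*R + g*G + b*B lies in
 * [0,255], which only holds for non-negative weights summing to 1, and never
 * clamps. Returns the index that would be used; nothing is dereferenced, so
 * calling it with hostile weights is safe here. */
long palette_index_unchecked(double r, double g, double b,
                             int R, int G, int B, int invert) {
    int chars = PALETTE_LEN - 1;
    double y = r * R + g * G + b * B;
    long pos = round_to_long((double)chars * y / 255.0);
    return invert ? pos : chars - pos;
}

/* Hardened version: negative weights are rejected, the sum is normalised
 * internally (the user no longer has to make the weights sum to 1.0), and
 * the final index is clamped as a last line of defence.
 * Returns -1 for rejected weights, otherwise an index in [0, PALETTE_LEN-1]. */
int palette_index_hardened(double r, double g, double b,
                           int R, int G, int B, int invert) {
    if (r < 0.0 || g < 0.0 || b < 0.0) return -1;
    double sum = r + g + b;
    if (!(sum > 0.0)) return -1;               /* all-zero or NaN weights */
    int chars = PALETTE_LEN - 1;
    double y = (r * R + g * G + b * B) / sum;  /* in [0,255] for 8-bit samples */
    long pos = round_to_long((double)chars * y / 255.0);
    if (pos < 0) pos = 0;
    if (pos > chars) pos = chars;
    return (int)(invert ? pos : chars - pos);
}

/* Render one RGB scanline (3 bytes per pixel) with the hardened lookup.
 * out must hold width + 1 bytes. */
void render_row(const unsigned char *rgb, int width, double r, double g,
                double b, int invert, char *out) {
    for (int x = 0; x < width; x++) {
        int idx = palette_index_hardened(r, g, b, rgb[3 * x], rgb[3 * x + 1],
                                         rgb[3 * x + 2], invert);
        out[x] = idx < 0 ? '?' : palette[idx];
    }
    out[width] = '\0';
}

int main(void) {
    /* Weights taken from the report's proof-of-concept command line. */
    double r = 65532, g = -65531, b = 0;
    printf("sum-to-one check passes: %d\n", weights_sum_to_one(r, g, b));
    printf("unchecked index, pure-red pixel:   %ld (palette has %d entries)\n",
           palette_index_unchecked(r, g, b, 255, 0, 0, 0), PALETTE_LEN);
    printf("unchecked index, pure-green pixel: %ld\n",
           palette_index_unchecked(r, g, b, 0, 255, 0, 0));
    printf("hardened lookup, same weights:     %d (rejected)\n",
           palette_index_hardened(r, g, b, 255, 0, 0, 0));

    /* Constructed 4-pixel scanline: black, mid grey, white, pure red. */
    const unsigned char row[] = {0, 0, 0, 128, 128, 128, 255, 255, 255, 255, 0, 0};
    char line[5];
    render_row(row, 4, 2, 4, 1, 0, line);   /* weights 2:4:1 need not sum to 1 */
    printf("rendered: \"%s\"\n", line);
    return 0;
}
```

The point of the two index functions side by side: the PoC weights pass the sum check, yet a pure-red pixel gives a large negative index and a pure-green pixel a large positive one, both far outside the palette, while the hardened lookup refuses the negative weight before any index is computed and clamps whatever survives.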
