<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2019-2201: libjpeg-turbo: code execution
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Wolfgang Frisch <wolfgang.frisch () suse com>
Date: Mon, 11 Nov 2019 17:49:45 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi,
there is an integer overflow and subsequent heap corruption in
libjpeg-turbo 2.0.3 and earlier. While I did not have anything to do
with the discovery of the issue [1][2], I'd like to raise attention due
to the high possible impact.
Steps to reproduce:
- Create a JPEG image, size 26755 x 26755, RGB with 8 bits per channel.
- Run gdb tjbench
(gdb) run reproducer.jpeg
Image size: 26755 x 26755
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7d44d9d in __memset_avx2_erms () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff7d44d9d in __memset_avx2_erms () from /lib64/libc.so.6
#1 0x0000555555558f7a in memset (__len=18446744071562074395, __ch=127, __dest=<optimized out>) at
/usr/include/bits/string_fortified.h:71
#2 decomp (srcBuf=0x0, jpegBuf=0x7fffffffd8e0, jpegSize=0x7fffffffd8e8, dstBuf=<optimized out>, w=26755, h=26755,
subsamp=2, jpegQual=0,
fileName=0x7fffffffdfaa "CVE-2019-2201-reproducer-SEGFAULT-26755x26755", tilew=26755, tileh=26755) at
/usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:174
#3 0x0000555555557103 in decompTest (fileName=0x7fffffffdfaa "CVE-2019-2201-reproducer-SEGFAULT-26755x26755") at
/usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:712
#4 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/libjpeg-turbo-2.0.3-56.1.x86_64/tjbench.c:1003
We identified that it crashed on writing to a libc.so mapping.
The reproducer is also described in our bug report [3].
[1] https://source.android.com/security/bulletin/2019-11-01
[2] https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
[3] https://bugzilla.suse.com/show_bug.cgi?id=1156402
Best regards,
Wolfgang Frisch
--
Wolfgang Frisch <wolfgang.frisch () suse com>
Security Engineer
OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13 D26B D9B3 56BD 4D4A 2D15
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nuremberg, Germany
(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer
Attachment:
signature.asc
Description: OpenPGP digital signature
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2019-2201: libjpeg-turbo: code execution Wolfgang Frisch (Nov 11)
Re: CVE-2019-2201: libjpeg-turbo: code execution pgajdos (Nov 12)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->