
FreeImage 3.18.0 1byte OOB Read

3kyo0
2023-02-20
2023-04-06
  • 3kyo0

    3kyo0 - 2023-02-20
    ==3820756==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000001995 at pc 0x5627bb77696f bp 0x7ffc771a50d0 sp 0x7ffc771a50c0
    READ of size 1 at 0x612000001995 thread T0
        #0 0x5627bb77696e in ReadInt32 Source/Metadata/Exif.cpp:120
        #1 0x5627bb785e15 in ReadUint32 Source/Metadata/Exif.cpp:138
        #2 0x5627bb785e15 in jpeg_read_exif_dir Source/Metadata/Exif.cpp:723
        #3 0x5627bb78a6c8 in jpegxr_read_exif_gps_profile Source/Metadata/Exif.cpp:955
        #4 0x5627bb6089d5 in ReadMetadata Source/FreeImage/PluginJXR.cpp:607
        #5 0x5627bb6089d5 in Load Source/FreeImage/PluginJXR.cpp:1186
        #6 0x5627bb560a76 in FreeImage_LoadFromHandle Source/FreeImage/Plugin.cpp:388
        #7 0x5627bb560dd5 in FreeImage_Load Source/FreeImage/Plugin.cpp:408
        #8 0x5627bb501abb in testClone(char const*) /home/akuma/FreeImage/TestAPI/testImageType.cpp:34
        #9 0x5627bb502100 in testAllocateCloneUnload(char const*) /home/akuma/FreeImage/TestAPI/testImageType.cpp:56
        #10 0x5627bb4eeaa2 in main /home/akuma/FreeImage/TestAPI/MainTestSuite.cpp:69
        #11 0x7f696c2480b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #12 0x5627bb4fc16d in _start (/home/akuma/FreeImage/TestAPI/testAPI+0x1b716d)

    Address 0x612000001995 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow Source/Metadata/Exif.cpp:120 in ReadInt32
    Shadow bytes around the buggy address:
    

    [CVE-ID]
    CVE-2021-33367
    [Product]
    FreeImage 3.18.0
    [Version]
    FreeImage 3.18.0
    [Discoverer]
    3kyo0
    [Vulnerability Type]
    Buffer Overflow
    [Description]
    Buffer Overflow vulnerability in FreeImage v3.18.0 allows an attacker to cause a denial of service via a crafted JXR file.

     
  • Robert Scott

    Robert Scott - 2023-04-06

    Hi 3kyo0,

    Looks like you're unlikely to get a reply from an author here any time soon. You haven't published the example input you used to get this, but I'd be interested if the following patch fragment resolves it:

    --- a/Source/Metadata/Exif.cpp
    +++ b/Source/Metadata/Exif.cpp
    @@ -719,8 +719,13 @@ jpeg_read_exif_dir(FIBITMAP *dib, const BYTE *tiffp, DWORD dwOffsetIfd0, DWORD d
            //
    
            const WORD entriesCount0th = ReadUint16(msb_order, ifd0th);
    +
    +       const BYTE* de_addr = DIR_ENTRY_ADDR(ifd0th, entriesCount0th);
    +       if(de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)) {
    +               return TRUE; //< no thumbnail
    +       }
    
    -       DWORD next_offset = ReadUint32(msb_order, DIR_ENTRY_ADDR(ifd0th, entriesCount0th));
    +       DWORD next_offset = ReadUint32(msb_order, de_addr);
            if((next_offset == 0) || (next_offset >= dwLength)) {
                    return TRUE; //< no thumbnail
            }
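    Review bot: The bound in the added check is malformed: `(BYTE*)(dwLength + ifd0th - tiffp)` adds the length to the IFD's offset from tiffp and casts that integer to a pointer, so de_addr is compared against an arbitrary address rather than the end of the TIFF data at tiffp + dwLength (dwLength being an offset relative to tiffp is what the existing `next_offset >= dwLength` test already assumes). Compare offsets instead, which also avoids relying on a pointer that DIR_ENTRY_ADDR may already have placed past the buffer for a large, file-controlled entriesCount0th: `if ((size_t)(de_addr - tiffp) + 4 > dwLength) return TRUE;` with `>` rather than `>=`, since a 4-byte next_offset field that ends exactly at dwLength is still readable. As written, the check never fires for the crashing input and the subsequent ReadUint32 at line 723 still reads out of bounds.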
    
     
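As an added illustration of the check the patch is reaching for (this is example code written for this thread, not FreeImage's own; the function names, the 12-byte entry size constant and the two byte strings are assumptions), here is an offset-based reader for the IFD0 next-IFD link that refuses to read outside the TIFF data, run against a well-formed Exif blob and one whose entry count pushes the link past the end:

```c
#include <stdint.h>
#include <stdio.h>

/* Offset-checked read of an Exif IFD's next-IFD link (2-byte entry count,
 * count * 12-byte entries, 4-byte link); the report's crash reads that link past
 * the end of the TIFF data. Names are assumed for illustration, not FreeImage's. */
#define IFD_ENTRY_SIZE 12

static uint32_t rd16(const uint8_t *p, int msb) {
    return msb ? ((uint32_t)p[0] << 8) | p[1] : ((uint32_t)p[1] << 8) | p[0];
}
static uint32_t rd32(const uint8_t *p, int msb) {
    return msb ? (rd16(p, 1) << 16) | rd16(p + 2, 1) : (rd16(p + 2, 0) << 16) | rd16(p, 0);
}

/* Returns 1 and stores the link when count, entries and link all lie inside
 * tiff[0..len), else 0. Only offsets are compared, so no pointer past the
 * buffer is ever formed. */
int read_ifd_next_offset(const uint8_t *tiff, size_t len, size_t ifd_off,
                         int msb, uint32_t *next_off) {
    if (ifd_off > len || len - ifd_off < 2) return 0;
    size_t link_off = ifd_off + 2 + (size_t)rd16(tiff + ifd_off, msb) * IFD_ENTRY_SIZE;
    if (link_off > len || len - link_off < 4) return 0; /* '>' not '>=': a link ending at len is fine */
    *next_off = rd32(tiff + link_off, msb);
    return 1;
}

/* Parses the TIFF header (byte order, IFD0 offset) and returns IFD0's link,
 * or -1 when anything would be read outside tiff[0..len). */
int64_t exif_next_ifd(const uint8_t *tiff, size_t len) {
    if (len < 8 || tiff[0] != tiff[1] || (tiff[0] != 'I' && tiff[0] != 'M')) return -1;
    int msb = tiff[0] == 'M';
    uint32_t next;
    if (!read_ifd_next_offset(tiff, len, rd32(tiff + 4, msb), msb, &next)) return -1;
    return next;
}

/* Constructed test vectors (not from the report): little-endian header, IFD0 at
 * offset 8 with one inline ASCII entry, link = 0. kBadExif inflates the entry
 * count to 0x4000 so the link lands 192 KiB past the end, like the crashing read. */
const uint8_t kGoodExif[26] = { 'I','I', 0x2a,0, 8,0,0,0, 1,0,
    0x0f,0x01, 2,0, 4,0,0,0, 'A','B','C',0, 0,0,0,0 };
const uint8_t kBadExif[26]  = { 'I','I', 0x2a,0, 8,0,0,0, 0,0x40,
    0x0f,0x01, 2,0, 4,0,0,0, 'A','B','C',0, 0,0,0,0 };

int main(void) {
    printf("good: %lld\n", (long long)exif_next_ifd(kGoodExif, 26));
    printf("bad:  %lld\n", (long long)exif_next_ifd(kBadExif, 26));
    return 0;
}
```

Passing a shorter len for the same good blob (for example 25, cutting one byte off the link) is refused the same way, which is the truncated-file case an in-bounds but short buffer produces.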
