bitbank2 / JPEGDEC

An optimized JPEG decoder suitable for microcontrollers and PCs.

Potential Vulnerabilities

shijiameng opened this issue · comments

Hello,

I found three potential vulnerabilities and report them here.

Bug 1. Buffer overflow on JPEGIMAGE::sQuantTable due to corrupted quantization table selector (i.e., pJPEG->JPCI[n].quant_tbl_no). Buggy code:

https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3276
https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3277
https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L3278

Bug 2. Buffer overflow on JPEGIMAGE::usHuffAC field due to corrupted pJPEG->ucHufftableUsed field. Buggy code:

https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L1033

Bug 3. Buffer overflow on JPEGIMAGE::ucFileBuf due to corrupted JPEG header. Buggy code:

https://github.com/bitbank2/JPEGDEC/blob/master/src/jpeg.inl#L1387

I'm not very motivated to spend time worrying about potential vulnerabilities on software meant to run on embedded devices. Your labels of "buggy code" don't demonstrate any specific bugs. Do you have any proposed solutions?

Hello,

I'm sorry for the unclear illustration. I explain these bugs here again.

All these bugs are caused by a corrupted JPEG header and a missing correctness check. Taking bug 1 as an example, quant_tbl_no is parsed from the JPEG header. However, both the correctness check of this value and the bounds check are missing in the code at L3276-L3278 of the source file jpeg.inl. Therefore, this bug can be exploited by a corrupted JPEG file to overread JPEGIMAGE::sQuantTable, and there is a risk of leaking the data (e.g., perhaps some sensitive data) stored in the adjacent memory. Similarly, Bug 2 and Bug 3 might cause buffer overreads and leak the data in adjacent memory as well.

These bugs were found by fuzzing the library. I will make a pull request to help fix these bugs.
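The failure mode described above (a table selector copied out of the SOF segment and later used as an array index without a range check) is easiest to see with a small parser that does the check. The block below is an added example, not JPEGDEC's own code: `component_t`, `image_t`, `parse_sof_components`, `component_quant_table`, `MAX_QUANT_TABLES` and `MAX_COMPONENTS` are names chosen for this illustration, and the two sample SOF payloads are constructed. The only facts it relies on are from ITU T.81 Table B.2: the quantization table selector Tq is 0..3 and the sampling factors Hi/Vi are 1..4. It goes slightly beyond the report's bug 1 by also rejecting a segment that is shorter than its declared component count and a selector that points at a table slot no DQT segment ever filled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical, chosen for this example; they are not
 * JPEGDEC's own structures or functions. */
#define MAX_QUANT_TABLES 4   /* ITU T.81 Table B.2: Tq (quant table selector) is 0..3 */
#define MAX_COMPONENTS   4   /* a limit this example imposes, not a spec value */

typedef struct {
    uint8_t id;            /* Ci: component identifier */
    uint8_t h_samp;        /* Hi: horizontal sampling factor, 1..4 */
    uint8_t v_samp;        /* Vi: vertical sampling factor, 1..4 */
    uint8_t quant_tbl_no;  /* Tqi: selector into quant[] */
} component_t;

typedef struct {
    int16_t quant[MAX_QUANT_TABLES][64];    /* the array the selector indexes */
    uint8_t quant_loaded[MAX_QUANT_TABLES]; /* set when a DQT segment filled the slot */
    component_t comp[MAX_COMPONENTS];
    int ncomp;
} image_t;

/* Parse the component specifications of an SOF segment.
 * `p` points at Nf (the byte after P, Y and X); `len` is the number of bytes
 * still available in the segment. Returns 0 on success, -1 on a malformed or
 * out-of-range header, in which case `img` is left untouched. */
int parse_sof_components(image_t *img, const uint8_t *p, size_t len)
{
    if (len < 1) return -1;
    int nf = p[0];
    if (nf < 1 || nf > MAX_COMPONENTS) return -1;
    if (len < (size_t)(1 + 3 * nf)) return -1;          /* truncated segment */

    component_t tmp[MAX_COMPONENTS];
    for (int i = 0; i < nf; i++) {
        const uint8_t *c = p + 1 + 3 * i;
        uint8_t hs = c[1] >> 4, vs = c[1] & 0x0F, tq = c[2];
        if (hs < 1 || hs > 4 || vs < 1 || vs > 4) return -1;  /* T.81 B.2.2 */
        /* The bounds check the report describes as missing: a selector of 4 or
         * more would index past quant[] and read adjacent memory. */
        if (tq >= MAX_QUANT_TABLES) return -1;
        tmp[i].id = c[0]; tmp[i].h_samp = hs; tmp[i].v_samp = vs;
        tmp[i].quant_tbl_no = tq;
    }
    memcpy(img->comp, tmp, sizeof(component_t) * (size_t)nf);
    img->ncomp = nf;
    return 0;
}

/* Resolve a component's quantization table at decode time. Re-checks the
 * selector (defence in depth) and also rejects a slot no DQT segment filled,
 * a header-consistency failure the SOF check alone cannot catch. */
const int16_t *component_quant_table(const image_t *img, int comp_idx)
{
    if (comp_idx < 0 || comp_idx >= img->ncomp) return NULL;
    uint8_t tq = img->comp[comp_idx].quant_tbl_no;
    if (tq >= MAX_QUANT_TABLES || !img->quant_loaded[tq]) return NULL;
    return img->quant[tq];
}

/* Constructed sample payloads: Nf, then (Ci, HiVi, Tqi) per component. */
const uint8_t SAMPLE_SOF_OK[]  = {3, 1,0x22,0, 2,0x11,1, 3,0x11,1};
const uint8_t SAMPLE_SOF_BAD[] = {3, 1,0x22,0, 2,0x11,1, 3,0x11,9}; /* Tq = 9 */

int main(void)
{
    image_t img;
    memset(&img, 0, sizeof img);
    printf("well-formed SOF: %d\n", parse_sof_components(&img, SAMPLE_SOF_OK, sizeof SAMPLE_SOF_OK));
    printf("Tq=9 SOF:        %d\n", parse_sof_components(&img, SAMPLE_SOF_BAD, sizeof SAMPLE_SOF_BAD));
    img.quant_loaded[0] = 1; img.quant_loaded[1] = 1;  /* pretend DQT defined slots 0 and 1 */
    printf("table for comp 2: %s\n", component_quant_table(&img, 2) ? "slot ok" : "rejected");
    return 0;
}
```

The same two-step pattern (validate every header-derived index at parse time, and re-validate at the point of use) is what closes bugs 2 and 3 as the reporter describes them: Huffman table selectors are likewise spec-limited small integers, and every segment length read from the file has to be checked against the bytes actually present in the file buffer before anything is copied out of it.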

Your illustration was not unclear; I understand there are vulnerabilities. What I'm saying is this:

  • Code which doesn't include protections against vulnerabilities is not 'buggy'
  • I'm not concerned about vulnerabilities in this code. It's meant to run on $1 MCUs, not mission critical equipment. If you are motivated to patch it, I'll review your changes and merge them if you don't introduce new bugs.