Jhead buffer overflow due to misuse of option "-ds"
When the option "-ds" is misused, the global array will overflow (jhead./jhead.c, lines 1621-1644):
        }else if (!memcmp(arg,"-ds",3)){
            // Set date feature
            int a;
            // Check date validity and copy it. Could be incompletely specified.
            strcpy(DateSet, "0000:01:01");
            for (a=0;arg[a+3];a++){
                if (isdigit(DateSet[a])){
                    if (!isdigit(arg[a+3])){
                        a = 0;
                        break;
                    }
                }else{
                    if (arg[a+3] != ':'){
                        a=0;
                        break;
                    }
                }
                DateSet[a] = arg[a+3];
            }
            if (a < 4 || a > 10){
                ErrFatal("Date must be in format YYYY, YYYY:MM, or YYYY:MM:DD");
            }
            DateSetChars = a;
            DoModify |= MODIFY_JPEG;
In main(), jhead parses the command line options, including the option "-ds". However, libsixel does not check it properly. As a result, the program will cause a buffer overflow when multiple ":" appear in the argument.
Test Environment
Ubuntu 20.04, 64 bit
Jhead (master, 0e98605, https://github.com/Matthias-Wandel/jhead/commit/0e98605d0a08bc692b87ca878bb4dc7bdfc12471)
How to trigger
- Compile the program with AddressSanitizer
- Run command $ ./jhead -ds6666:66:66::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Details
ASAN report
$ ./jhead -ds6666:66:66::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Error : Date must be in format YYYY, YYYY:MM, or YYYY:MM:DD
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3631994==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f1f94eedcf6 bp 0x7ffe76b63290 sp 0x7ffe76b629d8 T0)
==3631994==The signal is caused by a READ memory access.
==3631994==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
    #0 0x7f1f94eedcf6 in __sanitizer::internal_strlen(char const*) ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:167
    #1 0x7f1f94e817a5 in printf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:545
    #2 0x7f1f94e81d1e in __interceptor_vfprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1660
    #3 0x7f1f94e81f3e in __interceptor___fprintf_chk ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1722
    #4 0x564b9ea8ce2c in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:100
    #5 0x564b9ea8ce2c in ErrFatal jhead.c:119
    #6 0x564b9ea8c887 in main jhead.c:1643
    #7 0x7f1f94b08082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x564b9ea8cb6d in _start (/home/ubuntu20/bug_report/jhead/crash/jhead+0xcb6d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:167 in __sanitizer::internal_strlen(char const*)
==3631994==ABORTING
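The root cause in the snippet above is that the copy loop runs for the full length of the argument and only afterwards tests `a > 10`, so a long "-ds" value writes past the global DateSet before the format error is ever raised. The following is an added example written for this report, not jhead's own code or its fix: a reimplementation of the same template check (hypothetical name `parse_date_set`, assumed buffer size `DATESET_LEN`) that keeps the original accept range of 4 to 10 characters but rejects over-long input before a single byte is written.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example: "YYYY:MM:DD" plus the NUL terminator. */
#define DATESET_LEN 11

/* Hardened reimplementation of the "-ds" parsing loop (hypothetical name; not
 * jhead's own fix). Same accept range as the original (4 to 10 characters,
 * digits and ':' in template positions), but the copy is bounded by the buffer.
 * Returns the number of characters taken from arg (what the original stored in
 * DateSetChars), or -1 on rejection. DateSet is written only after the length
 * check passes and is always NUL-terminated once written. */
static int parse_date_set(const char *arg, char DateSet[DATESET_LEN])
{
    size_t len = strlen(arg);
    /* Reject over-long input before copying anything. The original loop copied
     * first and only then tested a > 10, which is what overflowed the global. */
    if (len < 4 || len > DATESET_LEN - 1) {
        return -1;
    }
    strcpy(DateSet, "0000:01:01");
    /* Walk the template and the argument in lock-step: digit positions must
     * receive digits, separator positions must receive ':'. */
    for (size_t a = 0; a < len; a++) {
        if (isdigit((unsigned char)DateSet[a])) {
            if (!isdigit((unsigned char)arg[a])) {
                return -1;
            }
        } else if (arg[a] != ':') {
            return -1;
        }
        DateSet[a] = arg[a];
    }
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: a full date, a partial date and the crash pattern. */
    const char *inputs[] = { "2020:06:15", "2020", "6666:66:66::::::::::::::::::" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char DateSet[DATESET_LEN] = "";
        int n = parse_date_set(inputs[i], DateSet);
        printf("%-30s -> %d (%s)\n", inputs[i], n, n < 0 ? "rejected" : DateSet);
    }
    return 0;
}
```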
Well, then don't do that.
------ Original Message ------ From: "randomssr" To: "Matthias-Wandel/jhead" Cc: "Subscribed" Sent: 2022-08-12 8:29:26 AM Subject: [Matthias-Wandel/jhead] Jhead buffer overflow due to misuse of option "-ds" (Issue #54)
Fixed by bf9a18789e5b6125f4a5b928f98b569a16076a96