Bug 697457

Summary: jbig2dec-0.13 Heap Buffer Overflow Vulnerability (READ\WRITE) due to Integer Overflow in function jbig2_image_new
Product: jbig2dec Reporter: Bingchang <l.bingchang.bc>
Component: Parsing
Assignee: Henry Stiles <henry.stiles>
Status: RESOLVED FIXED QA Contact: Bug traffic <gs-bugs>
Severity: normal    
Priority: P4 CC: dg.icepng, hertzog, shailesh.mistry
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: ---
Word Size: ---

Description Bingchang 2016-12-28 02:24:34 PST
#Overview
I found a vulnerability when fuzzing jbig2dec-0.13 using AFL (http://lcamtuf.coredump.cx/afl/). The vulnerability is caused by an Addition-1 integer overflow. The overflowed value is passed to the function `malloc` as the SIZE parameter, and a buffer of size 0 is allocated. Later, out-of-bounds reads/writes can happen when accessing the buffer. Whether it is an out-of-bounds read vulnerability or an out-of-bounds write can be controlled by crafting the input .jb2 file. The vulnerability can cause Denial-of-Service (and may corrupt some key memory data).


#Analysis

One of ASAN exceptions is:

=================================================================
==29018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c00a31 at pc 0xb7246c00 bp 0xbfa627c8 sp 0xbfa627b8
READ of size 1 at 0xb5c00a31 thread T0
    #0 0xb7246bff in jbig2_decode_gray_scale_image ../jbig2_halftone.c:345
    #1 0xb7247b39 in jbig2_decode_halftone_region ../jbig2_halftone.c:482
    #2 0xb72489c0 in jbig2_halftone_region ../jbig2_halftone.c:596
    #3 0xb722c423 in jbig2_parse_segment ../jbig2_segment.c:244
    #4 0xb7224905 in jbig2_data_in ../jbig2.c:312
    #5 0x804aee7 in main ../jbig2dec.c:456
    #6 0xb7054636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #7 0x8049200  (/home/fire/bing/afl/libraries/jbig2dec-0.13/build-gcc-asan/.libs/lt-jbig2dec+0x8049200)

0xb5c00a31 is located 0 bytes to the right of 1-byte region [0xb5c00a30,0xb5c00a31)
allocated by thread T0 here:
    #0 0xb72f2dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0xb722210d in jbig2_default_alloc ../jbig2.c:36
    #2 0xb72221e2 in jbig2_alloc ../jbig2.c:63
    #3 0xb7248e2d in jbig2_image_new ../jbig2_image.c:56
    #4 0xb7246390 in jbig2_decode_gray_scale_image ../jbig2_halftone.c:275
    #5 0xb7247b39 in jbig2_decode_halftone_region ../jbig2_halftone.c:482
    #6 0xb72489c0 in jbig2_halftone_region ../jbig2_halftone.c:596
    #7 0xb722c423 in jbig2_parse_segment ../jbig2_segment.c:244
    #8 0xb7224905 in jbig2_data_in ../jbig2.c:312
    #9 0x804aee7 in main ../jbig2dec.c:456
    #10 0xb7054636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../jbig2_halftone.c:345 jbig2_decode_gray_scale_image
Shadow bytes around the buggy address:
  0x36b800f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 06 fa
  0x36b80100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b80110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b80120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b80130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 04
=>0x36b80140: fa fa 01 fa fa fa[01]fa fa fa 01 fa fa fa 01 fa
  0x36b80150: fa fa 00 00 fa fa 04 fa fa fa 05 fa fa fa 05 fa
  0x36b80160: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
  0x36b80170: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
  0x36b80180: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
  0x36b80190: fa fa 05 fa fa fa 05 fa fa fa 00 00 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29018==ABORTING

The attachment is a zip file which includes my detailed analysis report and PoC files. In order to avoid disclosing it before the corresponding patch is released, I have encrypted it. The developers can contact me to get the password.

#Author
name: Bingchang, Liu @VARAS of IIE
email: l.bingchang.bc@gmail.com
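The report above describes an integer overflow in a size computation that ends in a zero-length malloc and, later, out-of-bounds access to the resulting buffer. As an added illustration (not jbig2dec's own code and not the reporter's analysis), the C block below models that bug class with a hypothetical 1-bit-per-pixel row-stride computation: an unchecked version whose "+ 1" arithmetic collapses to a zero-byte request when the width is 0, next to a hardened version that rejects non-positive dimensions before doing any arithmetic, detects multiplication wrap with GCC/Clang's `__builtin_mul_overflow`, and enforces a policy cap. The function names, the `MAX_IMAGE_BYTES` cap and the sample dimensions are all assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy cap on a single image buffer (an assumption for this
 * example, not a jbig2dec setting): a product that fits in size_t is still
 * refused above this limit. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Model of the vulnerable pattern: bytes per row for a 1 bpp bitmap computed
 * as ((width - 1) >> 3) + 1 with no validation of width. For width == 0 the
 * shift is applied to -1 (an arithmetic shift on GCC/Clang; implementation-
 * defined in C), giving -1 + 1 == 0, so the requested size collapses to 0. */
size_t unchecked_image_bytes(int width, int height)
{
    int stride = ((width - 1) >> 3) + 1;   /* no check on width */
    int total = stride * height;           /* no check for wrap either */
    return (size_t)total;                  /* 0 here means malloc(0) */
}

/* Hardened version: refuse non-positive dimensions before any arithmetic,
 * compute the stride in size_t, detect multiplication wrap (relevant on a
 * 32-bit build like the one in the report) and enforce the policy cap.
 * Returns false when the request must be rejected; *out is written only on
 * success, so a caller cannot accidentally use a half-validated size. */
bool checked_image_bytes(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0)
        return false;

    /* (width + 7) / 8 equals ((width - 1) >> 3) + 1 for every width >= 1,
     * but cannot go negative and cannot wrap in size_t for any int width. */
    size_t stride = ((size_t)width + 7) / 8;
    size_t total;
    if (__builtin_mul_overflow(stride, (size_t)height, &total))
        return false;                      /* product does not fit size_t */
    if (total > MAX_IMAGE_BYTES)
        return false;                      /* fits, but exceeds policy */

    *out = total;
    return true;
}

/* Convenience wrapper: the byte count, or -1 when the dimensions are rejected. */
long long checked_image_bytes_or_neg1(int width, int height)
{
    size_t n;
    return checked_image_bytes(width, height, &n) ? (long long)n : -1LL;
}

int main(void)
{
    /* Constructed sample dimensions: one sane image, a zero width that
     * collapses the unchecked size to 0, and an oversized request. */
    const int dims[][2] = { {64, 4}, {0, 5}, {INT_MAX, 7} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int w = dims[i][0], h = dims[i][1];
        printf("%11d x %2d  unchecked=%zu  checked=%lld\n", w, h,
               unchecked_image_bytes(w, h), checked_image_bytes_or_neg1(w, h));
    }
    return 0;
}
```

The point of the hardened function is that validation happens before the arithmetic, not after: once a wrapped value has reached `malloc`, a later bounds check on the pixel loop has nothing reliable to compare against. On a 64-bit build the multiplication cannot wrap for `int` dimensions, which is why the explicit cap is still worth keeping.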
Comment 1 Bingchang 2016-12-28 02:26:51 PST
Created attachment 13264 [details]
analysis report and poc file
Comment 2 Ken Sharp 2016-12-28 05:45:41 PST
The attachment is now marked private, so that only Artifex staff and the original reporter can view it. Please supply the password for the archive.
Comment 3 Bingchang 2016-12-28 16:03:28 PST
(In reply to Ken Sharp from comment #2)
> The attachment is now marked private, so that only Artifex staff and the
> original reporter can view it. Please supply the password for the archive.

The password is: 1228jbig2dec
Comment 4 Raphaël Hertzog 2017-01-20 02:19:10 PST
Hi Ken, when do you expect to publish a patch?

At least if the reproducer file was public, we could try to help you craft a fix. Right now we can only wait and ping you.
Comment 5 Ken Sharp 2017-01-20 02:27:52 PST
(In reply to Raphaël Hertzog from comment #4)
> Hi Ken, when do you expect to publish a patch?
> 
> At least if the reproducer file was public, we could try to help you craft a
> fix. Right now we can only wait and ping you.

*I* don't intend to publish a patch at all :-)

My involvement was simply to get the file attached here so that the code owner can work on it. I'm afraid this code isn't in my area so I can't answer the question; it's up to the owner, in this case Henry.
Comment 6 Raphaël Hertzog 2017-01-20 03:12:17 PST
Ok, same question to Henry then. :-)

FTR this issue has been assigned CVE number CVE-2016-9601 so expect people to look for a fix:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9601
https://security-tracker.debian.org/tracker/CVE-2016-9601
Comment 7 Shailesh Mistry 2017-01-23 11:09:30 PST
This bug is not present in the latest version of the code in the git repository, both files run correctly and exit with the appropriate error message.

The bug was fixed in commit http://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=e698d5c11d27212aa1098bc5b1673a3378563092
Comment 8 Raphaël Hertzog 2017-01-24 01:19:04 PST
Since the fix is now available, can you make the attachment public so that we can verify that the patch effectively fixes the issue reported? (And so that I can double check my backport of your patch for the fixed version I want to upload in Debian 7 Wheezy).

Thank you in advance.
Comment 9 Henry Stiles 2017-01-24 07:22:00 PST
(In reply to Raphaël Hertzog from comment #8)
> Since the fix is now available, can you make the attachment public so that
> we can verify that the patch effectively fixes the issue reported? (And so
> that I can double check my backport of your patch for the fixed version I
> want to upload in Debian 7 Wheezy).
> 
> Thank you in advance.

A link was posted in Comment 7.
Comment 10 Henry Stiles 2017-01-24 07:25:49 PST
(In reply to Shailesh Mistry from comment #7)
> This bug is not present in the latest version of the code in the git
> repository, both files run correctly and exit with the appropriate error
> message.
> 
> The bug was fixed in commit
> http://git.ghostscript.com/?p=jbig2dec.git;a=commit;
> h=e698d5c11d27212aa1098bc5b1673a3378563092

Thanks Shelly. I assume users can either get the patch or wait for our next release in March.
Comment 11 Raphaël Hertzog 2017-01-24 08:20:37 PST
(In reply to Henry Stiles from comment #9)
> (In reply to Raphaël Hertzog from comment #8)
> > Since the fix is now available, can you make the attachment public so that
> > we can verify that the patch effectively fixes the issue reported? 
> 
> A link was posted in Comment 7

That's a link to the patch. I was looking for the attachment which contained the file(s) used to reproduce the problematic behavior (aka the .zip file that was sent by Bingchang).

https://bugs.ghostscript.com/attachment.cgi?id=13264 still says that I'm not authorized to access the attachment.
Comment 12 Henry Stiles 2017-01-24 08:38:57 PST
(In reply to Raphaël Hertzog from comment #11)
> (In reply to Henry Stiles from comment #9)
> > (In reply to Raphaël Hertzog from comment #8)
> > > Since the fix is now available, can you make the attachment public so that
> > > we can verify that the patch effectively fixes the issue reported? 
> > 
> > A link was posted in Comment 7
> 
> That's a link to the patch. I was looking for the attachment which contained
> the file(s) used to reproduce the problematic behavior (aka the .zip file
> that was sent by Bingchang).
> 
> https://bugs.ghostscript.com/attachment.cgi?id=13264 still says that I'm not
> authorized to access the attachment.

Yes, sorry, a colleague pointed that out to me right after I made the change. Anyway, no, we certainly would not make the attachment public until our release in March, and even then I'd be reluctant to release it.