jbig2enc v0.28 was discovered to contain a heap-use-after-free via jbig2enc_auto_threshold_using_hash in src/jbig2enc.cc. This vulnerability can lead to a Denial of Service (DoS).
ASAN Log

```text
./src/jbig2 -s -a -p Poc1jbig2enc
=================================================================
==1464517==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000015470 at pc 0x555555560b51 bp 0x7fffffffdf70 sp 0x7fffffffdf60
READ of size 4 at 0x603000015470 thread T0
    #0 0x555555560b50 in remove_templates /test2/jbig2enc/src/jbig2enc.cc:248
    #1 0x555555562efd in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:484
    #2 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #3 0x7ffff6c1f082 in __libc_start_main ../csu/libc-start.c:308
    #4 0x55555555bf4d in _start (/test2/jbig2enc/src/jbig2+0x7f4d)

0x603000015470 is located 16 bytes inside of 24-byte region [0x603000015460,0x603000015478)
freed by thread T0 here:
    #0 0x7ffff769251f in operator delete(void*) ../../../../src/libsanitizer/asan/asan_new_delete.cc:165
    #1 0x55555557a4f5 in __gnu_cxx::new_allocator<std::_List_node<int> >::deallocate(std::_List_node<int>*, unsigned long) (/test2/jbig2enc/src/jbig2+0x264f5)
    #2 0x5555555778f3 in std::allocator_traits<std::allocator<std::_List_node<int> > >::deallocate(std::allocator<std::_List_node<int> >&, std::_List_node<int>*, unsigned long) (/test2/jbig2enc/src/jbig2+0x238f3)
    #3 0x555555571fc7 in std::__cxx11::_List_base<int, std::allocator<int> >::_M_put_node(std::_List_node<int>*) (/test2/jbig2enc/src/jbig2+0x1dfc7)
    #4 0x55555556e28e in std::__cxx11::list<int, std::allocator<int> >::_M_erase(std::_List_iterator<int>) (/test2/jbig2enc/src/jbig2+0x1a28e)
    #5 0x55555556c1f4 in std::__cxx11::list<int, std::allocator<int> >::pop_back() (/test2/jbig2enc/src/jbig2+0x181f4)
    #6 0x555555560ba2 in remove_templates /test2/jbig2enc/src/jbig2enc.cc:251
    #7 0x555555562efd in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:484
    #8 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #9 0x7ffff6c1f082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ffff7691587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55555557b669 in __gnu_cxx::new_allocator<std::_List_node<int> >::allocate(unsigned long, void const*) (/test2/jbig2enc/src/jbig2+0x27669)
    #2 0x55555557a524 in std::allocator_traits<std::allocator<std::_List_node<int> > >::allocate(std::allocator<std::_List_node<int> >&, unsigned long) (/test2/jbig2enc/src/jbig2+0x26524)
    #3 0x555555577918 in std::__cxx11::_List_base<int, std::allocator<int> >::_M_get_node() (/test2/jbig2enc/src/jbig2+0x23918)
    #4 0x55555557236d in std::_List_node<int>* std::__cxx11::list<int, std::allocator<int> >::_M_create_node<int const&>(int const&) (/test2/jbig2enc/src/jbig2+0x1e36d)
    #5 0x55555556e99f in void std::__cxx11::list<int, std::allocator<int> >::_M_insert<int const&>(std::_List_iterator<int>, int const&) (/test2/jbig2enc/src/jbig2+0x1a99f)
    #6 0x555555577cf2 in void std::__cxx11::list<int, std::allocator<int> >::emplace_back<int const&>(int const&) (/test2/jbig2enc/src/jbig2+0x23cf2)
    #7 0x5555555728f2 in void std::__cxx11::list<int, std::allocator<int> >::_M_initialize_dispatch<std::_List_const_iterator<int> >(std::_List_const_iterator<int>, std::_List_const_iterator<int>, std::__false_type) (/test2/jbig2enc/src/jbig2+0x1e8f2)
    #8 0x55555556ebe7 in std::__cxx11::list<int, std::allocator<int> >::list(std::__cxx11::list<int, std::allocator<int> > const&) (/test2/jbig2enc/src/jbig2+0x1abe7)
    #9 0x55555556cbb6 in std::pair<unsigned int, std::__cxx11::list<int, std::allocator<int> > >::pair<int&, std::__cxx11::list<int, std::allocator<int> >&, true>(int&, std::__cxx11::list<int, std::allocator<int> >&) (/test2/jbig2enc/src/jbig2+0x18bb6)
    #10 0x555555562cba in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:471
    #11 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #12 0x7ffff6c1f082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /test2/jbig2enc/src/jbig2enc.cc:248 in remove_templates
Shadow bytes around the buggy address:
  0x0c067fffaa30: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fffaa40: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fffaa50: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
  0x0c067fffaa60: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fffaa70: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fffaa80: fd fd fd fa fa fa fd fd fd fa fa fa fd fd[fd]fa
  0x0c067fffaa90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1464517==ABORTING
```
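When triaging a batch of fuzzer crashes like this one, it helps to reduce each ASan report to the bad access plus the first frame under the project's own source tree for the access, free and allocation stacks. The parser below is an added example, not part of this report or of jbig2enc; the sample log is constructed from the report above with the libstdc++/libc frames dropped, and the source-tree prefix `/test2/jbig2enc/src/` is taken from the report.

```python
import re

# Sample constructed from the ASan report above; the libstdc++ and libc frames
# are omitted, only the application-level frames that matter for triage remain.
SAMPLE_LOG = """\
==1464517==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000015470 at pc 0x555555560b51
READ of size 4 at 0x603000015470 thread T0
    #0 0x555555560b50 in remove_templates /test2/jbig2enc/src/jbig2enc.cc:248
    #1 0x555555562efd in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:484
0x603000015470 is located 16 bytes inside of 24-byte region [0x603000015460,0x603000015478)
freed by thread T0 here:
    #0 0x7ffff769251f in operator delete(void*) ../../../../src/libsanitizer/asan/asan_new_delete.cc:165
    #5 0x55555556c1f4 in std::__cxx11::list<int, std::allocator<int> >::pop_back() (/test2/jbig2enc/src/jbig2+0x181f4)
    #6 0x555555560ba2 in remove_templates /test2/jbig2enc/src/jbig2enc.cc:251
previously allocated by thread T0 here:
    #10 0x555555562cba in jbig2enc_auto_threshold_using_hash(jbig2ctx*) /test2/jbig2enc/src/jbig2enc.cc:471
SUMMARY: AddressSanitizer: heap-use-after-free /test2/jbig2enc/src/jbig2enc.cc:248 in remove_templates
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
REGION = re.compile(r"located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")   # loc is the last token

def parse_asan(text):
    """Split an ASan report into the bad access and its three stacks (access/free/alloc)."""
    r = {"stacks": {"access": [], "free": [], "alloc": []}}
    section = "access"                      # frames before "freed by" belong to the access
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.search(line):
            r["kind"], r["addr"] = m["kind"], m["addr"]
        elif m := ACCESS.match(line):
            r["op"], r["size"] = m["op"], int(m["size"])
        elif m := REGION.search(line):
            r["offset"], r["region"] = int(m["off"]), int(m["size"])
        elif line.startswith("freed by"):
            section = "free"
        elif line.startswith("previously allocated by"):
            section = "alloc"
        elif m := FRAME.search(line):
            r["stacks"][section].append((m["func"], m["loc"]))
    return r

def triage(r, src_prefix):
    """First frame under the project's source tree per stack; flag the case where
    the same project function freed the memory and later read it."""
    own = {k: next(((f, l) for f, l in v if l.startswith(src_prefix)), None)
           for k, v in r["stacks"].items()}
    own["same_function"] = bool(own["access"] and own["free"]
                                and own["access"][0] == own["free"][0])
    return own
```

Frames whose location is a binary offset or a toolchain path (`(/test2/jbig2enc/src/jbig2+0x181f4)`, `../../../../src/libsanitizer/...`) are skipped by the prefix filter, which is what makes the two `remove_templates` lines stand out.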
Reproduction

```sh
git clone https://github.com/agl/jbig2enc.git
cd jbig2enc
apt install libleptonica-dev
./autogen.sh
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" ./configure --disable-shared
make -j24
./src/jbig2 -s -a -p Poc1jbig2enc
```
heap-use-after-free in jbig2enc
PoC
Poc1jbig2enc: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/Poc1jbig2enc
Version
jbig2enc v0.28
Reference
https://github.com/agl/jbig2enc
Credit
Zeng Yunxiang