jbig2dec-vul

Two jbig2dec vulnerabilities found by fuzzing with AFL

jbig2dec heap buffer overflow in function jbig2_decode_symbol_dict

=================================================================
==24598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5b03a80 at pc 0xb7ae9a75 bp 0xbfffd728 sp 0xbfffd2fc
READ of size 158687 at 0xb5b03a80 thread T0
#0 0xb7ae9a74 in __asan_memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8aa74)
#1 0xb7ae9c2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f)
#2 0x80587ee in jbig2_decode_symbol_dict /home/icepng/Desktop/jbig2dec/jbig2_symbol_dict.c:644
#3 0x805af6d in jbig2_symbol_dictionary /home/icepng/Desktop/jbig2dec/jbig2_symbol_dict.c:996
#4 0x8051c35 in jbig2_parse_segment /home/icepng/Desktop/jbig2dec/jbig2_segment.c:234
#5 0x804fb91 in jbig2_data_in /home/icepng/Desktop/jbig2dec/jbig2.c:312
#6 0x804ab81 in main /home/icepng/Desktop/jbig2dec/jbig2dec.c:456
#7 0xb78c1636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#8 0x8048fc0 (/home/icepng/Desktop/jbig2dec/jbig2dec+0x8048fc0)

0xb5b03a80 is located 0 bytes to the right of 2048-byte region [0xb5b03280,0xb5b03a80)
allocated by thread T0 here:
#0 0xb7af5dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x804d6df in jbig2_default_alloc /home/icepng/Desktop/jbig2dec/jbig2.c:36
#2 0x804d781 in jbig2_alloc /home/icepng/Desktop/jbig2dec/jbig2.c:63
#3 0x804e64b in jbig2_data_in /home/icepng/Desktop/jbig2dec/jbig2.c:213
#4 0x804ab81 in main /home/icepng/Desktop/jbig2dec/jbig2dec.c:456
#5 0xb78c1636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

CVE-2017-7885
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885

jbig2dec-0.13 Integer Overflow in function jbig2_image_compose

=================================================================
==3138==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c00497 at pc 0xb71c3c44 bp 0xbfdc3408 sp 0xbfdc33f8
READ of size 1 at 0xb5c00497 thread T0
#0 0xb71c3c43 in jbig2_image_compose /home/icepng/icepng/jbig2dec/jbig2_image.c:281
#1 0xb71b4b9c in jbig2_decode_text_region /home/icepng/icepng/jbig2dec/jbig2_text.c:442
#2 0xb71b703c in jbig2_text_region /home/icepng/icepng/jbig2dec/jbig2_text.c:858
#3 0xb71abd0e in jbig2_parse_segment /home/icepng/icepng/jbig2dec/jbig2_segment.c:238
#4 0xb71a51a5 in jbig2_data_in /home/icepng/icepng/jbig2dec/jbig2.c:312
#5 0x80495e9 in main /home/icepng/icepng/jbig2dec/jbig2dec.c:456
#6 0xb7000636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#7 0x804a03f (/home/icepng/icepng/jbig2dec/.libs/lt-jbig2dec+0x804a03f)

0xb5c00497 is located 0 bytes to the right of 7-byte region [0xb5c00490,0xb5c00497)
allocated by thread T0 here:
#0 0xb726bdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0xb71a3969 in jbig2_default_alloc /home/icepng/icepng/jbig2dec/jbig2.c:36
#2 0xb71a3ae3 in jbig2_alloc /home/icepng/icepng/jbig2dec/jbig2.c:63
#3 0xb71c2643 in jbig2_image_new /home/icepng/icepng/jbig2dec/jbig2_image.c:63
#4 0xb71b273a in jbig2_decode_symbol_dict /home/icepng/icepng/jbig2dec/jbig2_symbol_dict.c:678
#5 0xb71b273a in jbig2_symbol_dictionary /home/icepng/icepng/jbig2dec/jbig2_symbol_dict.c:996
#6 0xb71abbee in jbig2_parse_segment /home/icepng/icepng/jbig2dec/jbig2_segment.c:234
#7 0xb71a51a5 in jbig2_data_in /home/icepng/icepng/jbig2dec/jbig2.c:312
#8 0x80495e9 in main /home/icepng/icepng/jbig2dec/jbig2dec.c:456
#9 0xb7000636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

CVE-2017-7976
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
