A segmentation fault occurs when using jhead.
AddressSanitizer reports it as a heap-buffer-overflow.
Version or commit
$ git log --oneline -1
4d04ac9 (HEAD -> master, tag: 3.08, origin/master, origin/HEAD) Bumped version number to 3.08
OS and Arch
Ubuntu 20.04.6 LTS
Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz
Steps to reproduce
make
$ git clone https://github.com/Matthias-Wandel/jhead.git
$ cd jhead
$ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ make
AddressSanitizer report:
$ /home/fuzzer/sytseng/ASAN/jhead/jhead -v ./poc_341
==========================================================
==3271112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000024f at pc 0x558f05fd30dc bp 0x7ffc9ebe6f70 sp 0x7ffc9ebe6f60
READ of size 1 at 0x61100000024f thread T0
#0 0x558f05fd30db in Get32s exif.c:339
#1 0x558f05fd3558 in PrintFormatNumber exif.c:388
#2 0x558f05fdb5be in ProcessGpsInfo gpsinfo.c:215
#3 0x558f05fd5a3a in ProcessExifDir exif.c:884
#4 0x558f05fd657d in process_EXIF exif.c:1063
#5 0x558f05fcfd64 in ReadJpegSections jpgfile.c:290
#6 0x558f05fcfd64 in ReadJpegSections jpgfile.c:118
#7 0x558f05fd00e4 in ReadJpegFile jpgfile.c:385
#8 0x558f05fcb296 in ProcessFile jhead.c:895
#9 0x558f05fc8077 in main jhead.c:1805
#10 0x7f987c5d6082 in __libc_start_main ../csu/libc-start.c:308
#11 0x558f05fc91ed in _start (/home/fuzzer/sytseng/ASAN/jhead/jhead+0x111ed)
0x61100000024f is located 3 bytes to the right of 204-byte region [0x611000000180,0x61100000024c)
allocated by thread T0 here:
#0 0x7f987ca00808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x558f05fcf407 in ReadJpegSections jpgfile.c:175
#2 0x558f05fcf407 in ReadJpegSections jpgfile.c:118
SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c:339 in Get32s
Shadow bytes around the buggy address:
0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8020: 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8040: 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa
0x0c227fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3271112==ABORTING
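The trace shows Get32s performing a 4-byte read whose first byte sits exactly at the end of the 204-byte EXIF section (the faulting address is 3 bytes past the region, i.e. the last byte of that read). As an added illustration, not jhead's own code, the constructed C below shows the mitigation a maintainer would want here: a length-checked 32-bit read that refuses any entry whose value would extend past the section. Function names, the byte-order enum and the 204-byte sample buffer are assumptions chosen to mirror the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not jhead's code. Section length matches the
   204-byte heap region reported by AddressSanitizer. */
#define EXIF_SECTION_LEN 204

/* EXIF byte order as signalled by the "II"/"MM" marker in the TIFF header. */
typedef enum { ORDER_INTEL = 0, ORDER_MOTOROLA = 1 } ByteOrder;

/* Unchecked read: trusts the caller to guarantee 4 readable bytes at p.
   If the directory entry's value offset is bogus, this is what over-reads. */
static int32_t get32s_unchecked(const unsigned char *p, ByteOrder order) {
    if (order == ORDER_MOTOROLA)
        return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                         ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
    return (int32_t)(((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
                     ((uint32_t)p[1] << 8) | (uint32_t)p[0]);
}

/* Hardened read: fetches the value only when all four bytes lie inside
   [section, section + section_len). The subtraction form avoids the
   integer wrap that "value_off + 4 <= section_len" would allow.
   Returns 0 on success, -1 if the (file-controlled) offset is out of range. */
static int get32s_checked(const unsigned char *section, size_t section_len,
                          size_t value_off, ByteOrder order, int32_t *out) {
    if (value_off > section_len || section_len - value_off < 4)
        return -1;   /* the read would run past the end of the section */
    *out = get32s_unchecked(section + value_off, order);
    return 0;
}

/* Walk-through on a constructed 204-byte section: returns 0 when the
   checked reader accepts the last valid slot and rejects the bad offsets. */
static int demo(void) {
    unsigned char section[EXIF_SECTION_LEN];
    int32_t v = 0;
    memset(section, 0, sizeof section);
    section[202] = 0x01; section[203] = 0x02;   /* big-endian 0x00000102 */
    /* Offset 200 is the last position where a full 4-byte value fits. */
    if (get32s_checked(section, sizeof section, 200, ORDER_MOTOROLA, &v) != 0 || v != 0x0102)
        return 1;
    /* Offset 204 (the situation in the report) is refused instead of over-read. */
    if (get32s_checked(section, sizeof section, 204, ORDER_MOTOROLA, &v) == 0)
        return 2;
    /* A partially in-bounds value (offset 201) is refused as well. */
    if (get32s_checked(section, sizeof section, 201, ORDER_MOTOROLA, &v) == 0)
        return 3;
    return 0;
}

int main(void) { return demo(); }
```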
Poc