
Security Vulnerability - Action Required: heap-based buffer overflow vulnerability may be in your project #103

Open
wants to merge 1 commit into base: dev

Conversation

Crispy-fried-chicken

Hi,
We have detected that your project may be vulnerable to a heap-based buffer overflow in the function simple_upscale in the file src/3rdparty/libjpeg/src/jdlossls.c. It shares similarities with a recent CVE disclosure, https://nvd.nist.gov/vuln/detail/CVE-2023-2804, in https://github.com/libjpeg-turbo/libjpeg-turbo.

The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2023-2804
Description: A heap-based buffer overflow issue was discovered in libjpeg-turbo in the h2v2_merged_upsample_internal() function of the jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision, for which the range of the sample data type exceeds the valid sample range; hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such an image using merged upsampling would hit a segmentation fault or buffer overflow, causing the application to crash.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-2804
Patch: libjpeg-turbo/libjpeg-turbo@9f756bc

Would you help check whether this bug is real? If it is, please review this PR. Thank you for your effort and patience!

12-bit is the only data precision for which the range of the sample data
type exceeds the valid sample range, so it is possible to craft a 12-bit
lossless JPEG image that contains out-of-range 12-bit samples.
Attempting to decompress such an image using color quantization or merged
upsampling (NOTE: libjpeg-turbo cannot generate YCbCr or subsampled
lossless JPEG images, but it can decompress them) caused segfaults or
buffer overruns when those algorithms attempted to use the out-of-range
sample values as array indices.  This commit modifies the lossless
decompressor so that it range-limits the output of the scaler when using
12-bit samples.
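The range-limiting approach the commit message describes, as an added illustration in C that is not libjpeg-turbo's or this project's code: a simplified 12-bit lossless scaler clamps its output to 0..4095 and reports how many samples were out of range, and a table lookup that indexes by sample value is then safe by construction. The names (upscale_row12, range_limit12, sample12_t, table_sum) and the sample row are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Illustration only (not libjpeg-turbo's code): range-limit 12-bit scaler
 * output so an out-of-range sample can never become an array index. */
typedef int16_t sample12_t;   /* 12-bit samples are stored in a 16-bit type */
#define MAXJSAMPLE_12 4095    /* valid 12-bit sample range is 0..4095 */

/* Clamp a scaled value into the valid 12-bit sample range. */
static inline sample12_t range_limit12(int v) {
  if (v < 0) return 0;
  if (v > MAXJSAMPLE_12) return MAXJSAMPLE_12;
  return (sample12_t)v;
}
/* Scale one row of decoded differences by the point transform Al and
 * range-limit each result. Returns how many samples were out of range
 * before clamping, so a caller can flag a malformed image. */
size_t upscale_row12(const int *diff_buf, sample12_t *out, size_t width, int Al) {
  size_t clamped = 0;
  for (size_t i = 0; i < width; i++) {
    int v = diff_buf[i] * (1 << Al);  /* multiply, not shift: defined for negatives */
    if (v < 0 || v > MAXJSAMPLE_12) clamped++;
    out[i] = range_limit12(v);
  }
  return clamped;
}

/* Consumer that indexes a 4096-entry table with each sample, the pattern the
 * commit message describes; with range-limited input the index is always valid. */
int table_sum(const sample12_t *row, size_t width, const int *table) {
  int acc = 0;
  for (size_t i = 0; i < width; i++) acc += table[row[i]];
  return acc;
}

/* Constructed row with two values outside 0..4095, decoded with Al = 0. */
static const int kDemoDiffs[] = { 0, 4095, 4096, -1, 2048 };
#define DEMO_WIDTH 5
size_t demo_clamped_count(void) {   /* 2 samples (4096 and -1) get clamped */
  sample12_t out[DEMO_WIDTH];
  return upscale_row12(kDemoDiffs, out, DEMO_WIDTH, 0);
}
int demo_table_sum(void) {          /* 0 + 4095 + 4095 + 0 + 2048 = 10238 */
  static int table[MAXJSAMPLE_12 + 1];
  for (int i = 0; i <= MAXJSAMPLE_12; i++) table[i] = i;  /* identity table */
  sample12_t out[DEMO_WIDTH];
  upscale_row12(kDemoDiffs, out, DEMO_WIDTH, 0);
  return table_sum(out, DEMO_WIDTH, table);
}
```

A non-zero count from upscale_row12 is the point at which a decoder would reject the image rather than silently continue.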