Re: multiple memory corruption issues in lepton

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I just reported on dropbox/lepton github project some memory corruption
> issues, with reproducers.
>
> https://github.com/dropbox/lepton/issues/26

> > download some samples that will cause memory corruption problems in lepton:
> >
> > https://github.com/marcograss/marcograss.github.io/blob/master/assets/lepton_testcases1.zip?raw=true
> >
> > you can reproduce with ./lepton/lepton -singlethread -unjailed -preload testcase.jpeg /tmp/out.lep

> > AddressSanitizer: unknown-crash
> > READ of size 208
> > #0 0x52eb78 in std::__atomic_base::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396
> > #1 0x52eb78 in std::__atomic_base::operator unsigned int() const /usr/include/c++/6/bits/atomic_base.h:259
> > #2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145
> > #3 0x46b7f3 in process_file(IOUtil::FileReader, IOUtil::FileWriter, int, bool) src/lepton/jpgcoder.cc:1616

Use CVE-2016-6234. We think this is an issue in Lepton code. We were
unable to find any relationship between src/vp8/util/billing.cc and
the https://github.com/webmproject/libvpx/tree/master/vp8 code.


> > AddressSanitizer: SEGV on unknown address
> > #0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023

Use CVE-2016-6235.


> > AddressSanitizer: global-buffer-overflow
> > READ of size 2
> > #0 0x4571f0 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023

Use CVE-2016-6236 for this buffer over-read issue.


> > AddressSanitizer: global-buffer-overflow
> > WRITE of size 2
> > #0 0x45392c in build_huffcodes(unsigned char, unsigned char, huffCodes, huffTree) src/lepton/jpgcoder.cc:5099

Use CVE-2016-6237.


> > AddressSanitizer: global-buffer-overflow
> > READ of size 2
> > #0 0x4fe248 in ProbabilityTablesBase::set_quantization_table(BlockType, unsigned short const) 
> > src/vp8/model/model.hh:233
> > #1 0x4fe248 in VP8ComponentEncoder::vp8_full_encoder(UncompressedComponents const, IOUtil::FileWriter, ThreadHandoff 
> > const, unsigned int) src/lepton/vp8_encoder.cc:465
> > #2 0x47b3a8 in write_ujpg(std::vector >, std::vector >) src/lepton/jpgcoder.cc:3660

Use CVE-2016-6238 for this buffer over-read issue. We think this is an
issue in Lepton code. We were unable to find any relationship between
src/vp8/model/model.hh and the
https://github.com/webmproject/libvpx/tree/master/vp8 code.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXi5bEAAoJEHb/MwWLVhi2NgEP/3kibyFdWoOvdS0pi/zyPGq4
WnVyS1lgnjNKUH/eJSj2L0mpxh9ecW7SRojAxE5DG8W0KjZRH2KyNJDnSVq04BtW
tgZv5SzUbAZpZ3g0mQo4hjXcfv9Iss3ajjHol7KliMIpU8gnquHRUJytKGHVjKyj
uTFCIsQIv29yXGyU9A7999uuSlwWpKo6amJUh4q4ip14B75Ho9SDCOwjX6Zp7E7Z
z0aoPUWRHaOIg3/1u3KPQ2JM0dapD+Z0R7Bo9I5uHWYA79shp5OQ4LeLCF8jMCHI
Y2WOp2sQWxXBGoYPtbeCzvTFj+EAeXfLa6vI+oEFiYiQRaUzrbwN4PGgNJ00IISu
2snPbfeUxnwbTXjcs1eBS0kwlBBuCNjA619sdIuq8CV4qEXSHr4SR195j1dVa3kD
aQOhp7IhTzvTwbhDrzccCcqnoduE3Gs9GfzS0QQfvYgPxkclRT3zIBFoKqJ9kgy6
mzBouOlWmCPzVD4PB2ugG5Aq7ChqDoTTwCmP+VoA9Ne736Y0s2FiEGPC5rKhLACW
vjkHAjKLfV4hXbXfPRRL3FDZ2t3EV2CqFVer5+iJZgAY6DE7vYP/BSuqA/Qjrnl/
h+H1xnvBiW6V5MF+D7vmrdn8LzZ3Bj+G5KCdIAT7c0VtlFO6VM68LE1OyRGjcHID
Fw2yhG0f2WXRJCB1eda6
=OEE8
-----END PGP SIGNATURE-----