oss-sec mailing list archives
Re: multiple memory corruption issues in lepton
From: cve-assign () mitre org
Date: Sun, 17 Jul 2016 10:32:56 -0400 (EDT)
I just reported on dropbox/lepton github project some memory corruption issues, with reproducers. https://github.com/dropbox/lepton/issues/26
Download some samples that will cause memory corruption problems in lepton: https://github.com/marcograss/marcograss.github.io/blob/master/assets/lepton_testcases1.zip?raw=true
You can reproduce with:
    ./lepton/lepton -singlethread -unjailed -preload testcase.jpeg /tmp/out.lep
AddressSanitizer: unknown-crash READ of size 208
    #0 0x52eb78 in std::__atomic_base::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396
    #1 0x52eb78 in std::__atomic_base::operator unsigned int() const /usr/include/c++/6/bits/atomic_base.h:259
    #2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145
    #3 0x46b7f3 in process_file(IOUtil::FileReader, IOUtil::FileWriter, int, bool) src/lepton/jpgcoder.cc:1616
Use CVE-2016-6234. We think this is an issue in Lepton code. We were unable to find any relationship between src/vp8/util/billing.cc and the https://github.com/webmproject/libvpx/tree/master/vp8 code.
AddressSanitizer: SEGV on unknown address
    #0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023
Use CVE-2016-6235.
AddressSanitizer: global-buffer-overflow READ of size 2
    #0 0x4571f0 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023
Use CVE-2016-6236 for this buffer over-read issue.
AddressSanitizer: global-buffer-overflow WRITE of size 2
    #0 0x45392c in build_huffcodes(unsigned char, unsigned char, huffCodes, huffTree) src/lepton/jpgcoder.cc:5099
Use CVE-2016-6237.
AddressSanitizer: global-buffer-overflow READ of size 2
    #0 0x4fe248 in ProbabilityTablesBase::set_quantization_table(BlockType, unsigned short const) src/vp8/model/model.hh:233
    #1 0x4fe248 in VP8ComponentEncoder::vp8_full_encoder(UncompressedComponents const, IOUtil::FileWriter, ThreadHandoff const, unsigned int) src/lepton/vp8_encoder.cc:465
    #2 0x47b3a8 in write_ujpg(std::vector >, std::vector >) src/lepton/jpgcoder.cc:3660
Use CVE-2016-6238 for this buffer over-read issue. We think this is an issue in Lepton code. We were unable to find any relationship between src/vp8/model/model.hh and the https://github.com/webmproject/libvpx/tree/master/vp8 code.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
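A triage helper added here as an editor's example (not code from the thread, from lepton, or from MITRE): it parses the flattened ASan summaries quoted above and buckets them by error kind, access type and first in-tree frame, which yields the same five distinct issues the CVE team split out, including the two different crashes reported at jpgcoder.cc:4023. The sample input is an abridged copy of the reports above; the "src/" prefix used to tell project frames from library frames is an assumption taken from those paths.

```python
import re
from collections import OrderedDict

# Constructed sample input: abridged copies of the ASan summaries quoted in the
# thread above, each flattened onto one line the way the archive renders them.
ASAN_REPORTS = [
    "AddressSanitizer: unknown-crash READ of size 208 "
    "#0 0x52eb78 in std::__atomic_base::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396 "
    "#1 0x52eb78 in std::__atomic_base::operator unsigned int() const /usr/include/c++/6/bits/atomic_base.h:259 "
    "#2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145",
    "AddressSanitizer: SEGV on unknown address #0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023",
    "AddressSanitizer: global-buffer-overflow READ of size 2 #0 0x4571f0 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023",
    "AddressSanitizer: global-buffer-overflow WRITE of size 2 "
    "#0 0x45392c in build_huffcodes(unsigned char, unsigned char, huffCodes, huffTree) src/lepton/jpgcoder.cc:5099",
    "AddressSanitizer: global-buffer-overflow READ of size 2 "
    "#0 0x4fe248 in ProbabilityTablesBase::set_quantization_table(BlockType, unsigned short const) src/vp8/model/model.hh:233 "
    "#1 0x4fe248 in VP8ComponentEncoder::vp8_full_encoder(UncompressedComponents const, IOUtil::FileWriter, ThreadHandoff const, unsigned int) src/lepton/vp8_encoder.cc:465",
]

# Report header: "AddressSanitizer: <kind> [READ|WRITE of size N] ..."
HEADER = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+)(?: (?P<op>READ|WRITE) of size (?P<size>\d+))?")
# One frame: "#n 0xADDR in <signature> <file>:<line>"; signatures contain spaces, so the
# location is anchored by the next frame marker or the end of the text.
FRAME = re.compile(r"#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+:\d+)(?= #\d+ 0x|$)")

def parse_report(text):
    """Split one flattened ASan report into (kind, access, size, frames)."""
    head = HEADER.match(text)
    if head is None:
        raise ValueError("not an ASan report: %r" % text[:40])
    frames = [(int(m["n"]), m["func"], m["loc"]) for m in FRAME.finditer(text)]
    size = int(head["size"]) if head["size"] else None
    return head["kind"], head["op"], size, frames

def crash_site(frames, prefix="src/"):
    """First frame inside the project tree; library frames (libstdc++ atomics here) are skipped."""
    for _, func, loc in frames:
        if loc.startswith(prefix):
            return func, loc
    return (frames[0][1], frames[0][2]) if frames else (None, None)

def bucket_reports(reports):
    """Group reports by (kind, access, in-tree crash site). The same source line with a
    different error kind (SEGV vs. global-buffer-overflow at jpgcoder.cc:4023) stays separate."""
    buckets = OrderedDict()
    for text in reports:
        kind, op, size, frames = parse_report(text)
        func, loc = crash_site(frames)
        buckets.setdefault((kind, op, loc), []).append((size, func))
    return buckets
```

Each bucket corresponds to one of the five CVE identifiers assigned above, so the same keying can be used to check whether a new crash from the testcase archive is a duplicate of a known issue or something unreported.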
Current thread:
- multiple memory corruption issues in lepton Marco Grassi (Jul 16)
- Re: multiple memory corruption issues in lepton cve-assign (Jul 17)