Date: Mon, 7 Aug 2017 21:51:28 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] minidjvu multiple vulnerabilities

minidjvu multiple vulnerabilities
=================================
Author : qflb.wu
=================================


Introduction:
=============
minidjvu is a command-line utility which encodes and decodes single-page black-and-white DjVu files, and can compress multiple pages, taking advantage of similarities between pages.


Affected version:
=================
0.8


Vulnerability Description:
==========================
1.
The row_is_empty function in base/4bitmap.c:274 in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.


./minidjvu minidjvu_0.8_invalid_memory_read_1.djvu out.tiff


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
row_is_empty (y=y@...ry=-1, bmp=0x6235d0, bmp=0x6235d0) at base/4bitmap.c:274
274    if (row[bytes_to_check] & mask) return 0;
(gdb) bt
#0  row_is_empty (y=y@...ry=-1, bmp=0x6235d0, bmp=0x6235d0)
    at base/4bitmap.c:274
#1  0x00007ffff7bc378c in mdjvu_bitmap_get_bounding_box (b=b@...ry=0x6235d0, 
    pl=pl@...ry=0x7fffffffcda8, pt=pt@...ry=0x7fffffffcdac, 
    pw=pw@...ry=0x7fffffffcd78, ph=ph@...ry=0x7fffffffcd7c)
    at base/4bitmap.c:309
#2  0x00007ffff7bc3800 in mdjvu_bitmap_remove_margins (b=0x6235d0, 
    px=0x7fffffffcda8, py=0x7fffffffcdac) at base/4bitmap.c:321
#3  0x00007ffff7bd0143 in decode_lib_shape (jb2=..., img=img@...ry=0x611590, 
    with_blit=with_blit@...ry=true, proto=<optimized out>)
    at jb2/jb2load.cpp:37
#4  0x00007ffff7bd0542 in mdjvu_file_load_jb2 (file=file@...ry=0x607050, 
    length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
    at jb2/jb2load.cpp:114
#5  0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050, 
    perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#6  0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
    path=path@...ry=0x7fffffffe315 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#7  0x0000000000402e12 in load_image (
    path=0x7fffffffe315 "/home/a/Documents/file.djvu")
    at minidjvu.c:187
#8  0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
---Type <return> to continue, or q <return> to quit---
    at minidjvu.c:333
#9  main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble 
Dump of assembler code for function row_is_empty:
   0x00007ffff7bc3090 <+0>:lea    0x7(%rsi),%ecx
   0x00007ffff7bc3093 <+3>:movslq %edx,%rdx
   0x00007ffff7bc3096 <+6>:mov    (%rdi,%rdx,8),%rdi
   0x00007ffff7bc309a <+10>:sar    $0x3,%ecx
   0x00007ffff7bc309d <+13>:sub    $0x1,%ecx
   0x00007ffff7bc30a0 <+16>:test   %ecx,%ecx
   0x00007ffff7bc30a2 <+18>:jle    0x7ffff7bc30c9 <row_is_empty+57>
   0x00007ffff7bc30a4 <+20>:cmpb   $0x0,(%rdi)
   0x00007ffff7bc30a7 <+23>:jne    0x7ffff7bc30f0 <row_is_empty+96>
   0x00007ffff7bc30a9 <+25>:lea    0x1(%rdi),%rdx
   0x00007ffff7bc30ad <+29>:xor    %eax,%eax
   0x00007ffff7bc30af <+31>:jmp    0x7ffff7bc30c2 <row_is_empty+50>
   0x00007ffff7bc30b1 <+33>:nopl   0x0(%rax)
   0x00007ffff7bc30b8 <+40>:add    $0x1,%rdx
   0x00007ffff7bc30bc <+44>:cmpb   $0x0,-0x1(%rdx)
   0x00007ffff7bc30c0 <+48>:jne    0x7ffff7bc30f0 <row_is_empty+96>
   0x00007ffff7bc30c2 <+50>:add    $0x1,%eax
   0x00007ffff7bc30c5 <+53>:cmp    %ecx,%eax
   0x00007ffff7bc30c7 <+55>:jne    0x7ffff7bc30b8 <row_is_empty+40>
   0x00007ffff7bc30c9 <+57>:movslq %ecx,%rax
   0x00007ffff7bc30cc <+60>:shl    $0x3,%ecx
=> 0x00007ffff7bc30cf <+63>:movzbl (%rdi,%rax,1),%edx
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bc30d3 <+67>:sub    %esi,%ecx
   0x00007ffff7bc30d5 <+69>:mov    $0xff,%eax
   0x00007ffff7bc30da <+74>:add    $0x8,%ecx
   0x00007ffff7bc30dd <+77>:shl    %cl,%eax
   0x00007ffff7bc30df <+79>:test   %eax,%edx
   0x00007ffff7bc30e1 <+81>:sete   %al
   0x00007ffff7bc30e4 <+84>:movzbl %al,%eax
   0x00007ffff7bc30e7 <+87>:retq   
   0x00007ffff7bc30e8 <+88>:nopl   0x0(%rax,%rax,1)
   0x00007ffff7bc30f0 <+96>:xor    %eax,%eax
   0x00007ffff7bc30f2 <+98>:retq   
End of assembler dump.
(gdb) i r
rax            0x0	0
rbx            0xffffffff	4294967295
rcx            0x0	0
rdx            0xffffffffffffffff	-1
rsi            0x1	1
rdi            0x21	33
rbp            0x0	0x0
rsp            0x7fffffffcd18	0x7fffffffcd18
r8             0x0	0
r9             0xffffffff	4294967295
r10            0xffffffff	4294967295
r11            0x0	0
r12            0x623420	6435872
r13            0x1	1
r14            0x6235d0	6436304
r15            0x1	1
rip            0x7ffff7bc30cf	0x7ffff7bc30cf <row_is_empty+63>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
---Type <return> to continue, or q <return> to quit---
gs             0x0	0
(gdb) 


POC:
minidjvu_0.8_invalid_memory_read_1.djvu
CVE:
CVE-2017-12441


2.
The row_is_empty function in base/4bitmap.c:272 in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.


./minidjvu minidjvu_0.8_invalid_memory_read_2.djvu out.tiff


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
row_is_empty (y=y@...ry=-1, bmp=0x614050, bmp=0x614050) at base/4bitmap.c:272
272        if (row[i]) return 0;
(gdb) bt
#0  row_is_empty (y=y@...ry=-1, bmp=0x614050, bmp=0x614050)
    at base/4bitmap.c:272
#1  0x00007ffff7bc378c in mdjvu_bitmap_get_bounding_box (b=b@...ry=0x614050, 
    pl=pl@...ry=0x7fffffffcda8, pt=pt@...ry=0x7fffffffcdac, 
    pw=pw@...ry=0x7fffffffcd78, ph=ph@...ry=0x7fffffffcd7c)
    at base/4bitmap.c:309
#2  0x00007ffff7bc3800 in mdjvu_bitmap_remove_margins (b=0x614050, 
    px=0x7fffffffcda8, py=0x7fffffffcdac) at base/4bitmap.c:321
#3  0x00007ffff7bd0143 in decode_lib_shape (jb2=..., img=img@...ry=0x611590, 
    with_blit=with_blit@...ry=true, proto=proto@...ry=0x0)
    at jb2/jb2load.cpp:37
#4  0x00007ffff7bd05bb in mdjvu_file_load_jb2 (file=file@...ry=0x607050, 
    length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
    at jb2/jb2load.cpp:91
#5  0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050, 
    perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#6  0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
    path=path@...ry=0x7fffffffe314 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#7  0x0000000000402e12 in load_image (
    path=0x7fffffffe314 "/home/a/Documents/file.djvu")
    at minidjvu.c:187
#8  0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
---Type <return> to continue, or q <return> to quit---
    at minidjvu.c:333
#9  main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble 
Dump of assembler code for function row_is_empty:
   0x00007ffff7bc3090 <+0>:lea    0x7(%rsi),%ecx
   0x00007ffff7bc3093 <+3>:movslq %edx,%rdx
   0x00007ffff7bc3096 <+6>:mov    (%rdi,%rdx,8),%rdi
   0x00007ffff7bc309a <+10>:sar    $0x3,%ecx
   0x00007ffff7bc309d <+13>:sub    $0x1,%ecx
   0x00007ffff7bc30a0 <+16>:test   %ecx,%ecx
   0x00007ffff7bc30a2 <+18>:jle    0x7ffff7bc30c9 <row_is_empty+57>
=> 0x00007ffff7bc30a4 <+20>:cmpb   $0x0,(%rdi)
   0x00007ffff7bc30a7 <+23>:jne    0x7ffff7bc30f0 <row_is_empty+96>
   0x00007ffff7bc30a9 <+25>:lea    0x1(%rdi),%rdx
   0x00007ffff7bc30ad <+29>:xor    %eax,%eax
   0x00007ffff7bc30af <+31>:jmp    0x7ffff7bc30c2 <row_is_empty+50>
   0x00007ffff7bc30b1 <+33>:nopl   0x0(%rax)
   0x00007ffff7bc30b8 <+40>:add    $0x1,%rdx
   0x00007ffff7bc30bc <+44>:cmpb   $0x0,-0x1(%rdx)
   0x00007ffff7bc30c0 <+48>:jne    0x7ffff7bc30f0 <row_is_empty+96>
   0x00007ffff7bc30c2 <+50>:add    $0x1,%eax
   0x00007ffff7bc30c5 <+53>:cmp    %ecx,%eax
   0x00007ffff7bc30c7 <+55>:jne    0x7ffff7bc30b8 <row_is_empty+40>
   0x00007ffff7bc30c9 <+57>:movslq %ecx,%rax
   0x00007ffff7bc30cc <+60>:shl    $0x3,%ecx
   0x00007ffff7bc30cf <+63>:movzbl (%rdi,%rax,1),%edx
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bc30d3 <+67>:sub    %esi,%ecx
   0x00007ffff7bc30d5 <+69>:mov    $0xff,%eax
   0x00007ffff7bc30da <+74>:add    $0x8,%ecx
   0x00007ffff7bc30dd <+77>:shl    %cl,%eax
   0x00007ffff7bc30df <+79>:test   %eax,%edx
   0x00007ffff7bc30e1 <+81>:sete   %al
   0x00007ffff7bc30e4 <+84>:movzbl %al,%eax
   0x00007ffff7bc30e7 <+87>:retq   
   0x00007ffff7bc30e8 <+88>:nopl   0x0(%rax,%rax,1)
   0x00007ffff7bc30f0 <+96>:xor    %eax,%eax
   0x00007ffff7bc30f2 <+98>:retq   
End of assembler dump.
(gdb) i r
rax            0x80	128
rbx            0xffffffff	4294967295
rcx            0x2	2
rdx            0xffffffffffffffff	-1
rsi            0x14	20
rdi            0x21	33
rbp            0x0	0x0
rsp            0x7fffffffcd18	0x7fffffffcd18
r8             0x0	0
r9             0xffffffff	4294967295
r10            0xce	206
r11            0x0	0
r12            0x614070	6373488
r13            0x14	20
r14            0x614050	6373456
r15            0x3	3
rip            0x7ffff7bc30a4	0x7ffff7bc30a4 <row_is_empty+20>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
---Type <return> to continue, or q <return> to quit---
gs             0x0	0
(gdb)


POC:
minidjvu_0.8_invalid_memory_read_2.djvu
CVE:
CVE-2017-12442


3.
The mdjvu_bitmap_pack_row function in base/4bitmap.c in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.


./minidjvu minidjvu_0.8_invalid_memory_read_3.djvu out.tiff


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc330d in mdjvu_bitmap_pack_row (b=b@...ry=0x6170c0, 
    bytes=0x627001 <error: Cannot access memory at address 0x627001>, 
    bytes@...ry=0x617140 "", y=y@...ry=0) at base/4bitmap.c:141
141        if (*bytes++) a |= coef;
(gdb) bt
#0  0x00007ffff7bc330d in mdjvu_bitmap_pack_row (b=b@...ry=0x6170c0, 
    bytes=0x627001 <error: Cannot access memory at address 0x627001>, 
    bytes@...ry=0x617140 "", y=y@...ry=0) at base/4bitmap.c:141
#1  0x00007ffff7bc3576 in mdjvu_bitmap_crop (b=b@...ry=0x617160, 
    left=<optimized out>, top=0, w=<optimized out>, h=<optimized out>)
    at base/4bitmap.c:253
#2  0x00007ffff7bc3839 in mdjvu_bitmap_remove_margins (b=0x617160, 
    px=0x7fffffffcda8, py=0x7fffffffcdac) at base/4bitmap.c:324
#3  0x00007ffff7bd0143 in decode_lib_shape (jb2=..., img=img@...ry=0x611590, 
    with_blit=with_blit@...ry=true, proto=proto@...ry=0x0)
    at jb2/jb2load.cpp:37
#4  0x00007ffff7bd05bb in mdjvu_file_load_jb2 (file=file@...ry=0x607050, 
    length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
    at jb2/jb2load.cpp:91
#5  0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050, 
    perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#6  0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
    path=path@...ry=0x7fffffffe314 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#7  0x0000000000402e12 in load_image (
    path=0x7fffffffe314 "/home/a/Documents/file.djvu")
    at minidjvu.c:187
#8  0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
---Type <return> to continue, or q <return> to quit---
    at minidjvu.c:333
#9  main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble 
Dump of assembler code for function mdjvu_bitmap_pack_row:
   0x00007ffff7bc32e0 <+0>:mov    0x8(%rdi),%r9d
   0x00007ffff7bc32e4 <+4>:mov    (%rdi),%rax
   0x00007ffff7bc32e7 <+7>:movslq %edx,%rdx
   0x00007ffff7bc32ea <+10>:mov    (%rax,%rdx,8),%r8
   0x00007ffff7bc32ee <+14>:xor    %edx,%edx
   0x00007ffff7bc32f0 <+16>:mov    $0x80,%eax
   0x00007ffff7bc32f5 <+21>:add    %rsi,%r9
   0x00007ffff7bc32f8 <+24>:nopl   0x0(%rax,%rax,1)
   0x00007ffff7bc3300 <+32>:cmp    %r9,%rsi
   0x00007ffff7bc3303 <+35>:je     0x7ffff7bc332b <mdjvu_bitmap_pack_row+75>
   0x00007ffff7bc3305 <+37>:mov    %edx,%ecx
   0x00007ffff7bc3307 <+39>:add    $0x1,%rsi
   0x00007ffff7bc330b <+43>:or     %eax,%ecx
=> 0x00007ffff7bc330d <+45>:cmpb   $0x0,-0x1(%rsi)
   0x00007ffff7bc3311 <+49>:cmovne %ecx,%edx
   0x00007ffff7bc3314 <+52>:sar    %eax
   0x00007ffff7bc3316 <+54>:jne    0x7ffff7bc3300 <mdjvu_bitmap_pack_row+32>
   0x00007ffff7bc3318 <+56>:mov    %dl,(%r8)
   0x00007ffff7bc331b <+59>:add    $0x1,%r8
   0x00007ffff7bc331f <+63>:xor    %edx,%edx
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bc3321 <+65>:cmp    %r9,%rsi
   0x00007ffff7bc3324 <+68>:mov    $0x80,%eax
   0x00007ffff7bc3329 <+73>:jne    0x7ffff7bc3305 <mdjvu_bitmap_pack_row+37>
   0x00007ffff7bc332b <+75>:testb  $0x7,0x8(%rdi)
   0x00007ffff7bc332f <+79>:je     0x7ffff7bc3334 <mdjvu_bitmap_pack_row+84>
   0x00007ffff7bc3331 <+81>:mov    %dl,(%r8)
   0x00007ffff7bc3334 <+84>:repz retq 
End of assembler dump.
(gdb) i r
rax            0x80	128
rbx            0x617160	6386016
rcx            0x80	128
rdx            0x0	0
rsi            0x627001	6451201
rdi            0x6170c0	6385856
rbp            0x0	0x0
rsp            0x7fffffffcd18	0x7fffffffcd18
r8             0x618f60	6393696
r9             0x100617118	4301353240
r10            0x0	0
r11            0x0	0
r12            0x617140	6385984
r13            0x6170c0	6385856
r14            0x0	0
r15            0x617140	6385984
rip            0x7ffff7bc330d	0x7ffff7bc330d <mdjvu_bitmap_pack_row+45>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
---Type <return> to continue, or q <return> to quit---
gs             0x0	0
(gdb) x/20x 0x627001
0x627001:Cannot access memory at address 0x627001
(gdb)


POC:
minidjvu_0.8_invalid_memory_read_3.djvu
CVE:
CVE-2017-12443


4.
The mdjvu_bitmap_get_bounding_box function in base/4bitmap.c in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.


./minidjvu minidjvu_0.8_invalid_memory_read_4.djvu out.tiff


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc36a1 in mdjvu_bitmap_get_bounding_box (b=b@...ry=0x624940, 
    pl=pl@...ry=0x7fffffffcda8, pt=pt@...ry=0x7fffffffcdac, 
    pw=pw@...ry=0x7fffffffcd78, ph=ph@...ry=0x7fffffffcd7c)
    at base/4bitmap.c:300
300    int32 bottom = BMP->height - 1;
(gdb) bt
#0  0x00007ffff7bc36a1 in mdjvu_bitmap_get_bounding_box (b=b@...ry=0x624940, 
    pl=pl@...ry=0x7fffffffcda8, pt=pt@...ry=0x7fffffffcdac, 
    pw=pw@...ry=0x7fffffffcd78, ph=ph@...ry=0x7fffffffcd7c)
    at base/4bitmap.c:300
#1  0x00007ffff7bc3800 in mdjvu_bitmap_remove_margins (b=0x624940, 
    px=0x7fffffffcda8, py=0x7fffffffcdac) at base/4bitmap.c:321
#2  0x00007ffff7bd0143 in decode_lib_shape (jb2=..., img=img@...ry=0x611590, 
    with_blit=with_blit@...ry=true, proto=<optimized out>)
    at jb2/jb2load.cpp:37
#3  0x00007ffff7bd0542 in mdjvu_file_load_jb2 (file=file@...ry=0x607050, 
    length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
    at jb2/jb2load.cpp:114
#4  0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050, 
    perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#5  0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
    path=path@...ry=0x7fffffffe314 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#6  0x0000000000402e12 in load_image (
    path=0x7fffffffe314 "/home/a/Documents/file.djvu")
    at minidjvu.c:187
#7  0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
    at minidjvu.c:333
#8  main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble 
Dump of assembler code for function mdjvu_bitmap_get_bounding_box:
   0x00007ffff7bc3650 <+0>:push   %r15
   0x00007ffff7bc3652 <+2>:mov    $0x1,%r15d
   0x00007ffff7bc3658 <+8>:push   %r14
   0x00007ffff7bc365a <+10>:mov    %rdi,%r14
   0x00007ffff7bc365d <+13>:mov    %rcx,%rdi
   0x00007ffff7bc3660 <+16>:push   %r13
   0x00007ffff7bc3662 <+18>:push   %r12
   0x00007ffff7bc3664 <+20>:push   %rbp
   0x00007ffff7bc3665 <+21>:push   %rbx
   0x00007ffff7bc3666 <+22>:sub    $0x18,%rsp
   0x00007ffff7bc366a <+26>:mov    0x8(%r14),%r12d
   0x00007ffff7bc366e <+30>:mov    0xc(%r14),%ebp
   0x00007ffff7bc3672 <+34>:mov    %rdx,0x8(%rsp)
   0x00007ffff7bc3677 <+39>:mov    %r8,0x10(%rsp)
   0x00007ffff7bc367c <+44>:lea    0x7(%r12),%eax
   0x00007ffff7bc3681 <+49>:lea    -0x1(%rbp),%r9d
   0x00007ffff7bc3685 <+53>:lea    -0x1(%r12),%edx
   0x00007ffff7bc368a <+58>:neg    %r12d
   0x00007ffff7bc368d <+61>:mov    %eax,0x4(%rsp)
   0x00007ffff7bc3691 <+65>:mov    (%r14),%rax
   0x00007ffff7bc3694 <+68>:mov    %r9d,%ebx
   0x00007ffff7bc3697 <+71>:sarl   $0x3,0x4(%rsp)
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bc369c <+76>:movslq 0x4(%rsp),%r11
=> 0x00007ffff7bc36a1 <+81>:mov    (%rax),%r13
   0x00007ffff7bc36a4 <+84>:nopl   0x0(%rax)
   0x00007ffff7bc36a8 <+88>:mov    %edx,%r8d
   0x00007ffff7bc36ab <+91>:mov    %r12d,%ecx
   0x00007ffff7bc36ae <+94>:mov    %r15d,%eax
   0x00007ffff7bc36b1 <+97>:sar    $0x3,%r8d
   0x00007ffff7bc36b5 <+101>:and    $0x7,%ecx
   0x00007ffff7bc36b8 <+104>:movslq %r8d,%r8
   0x00007ffff7bc36bb <+107>:shl    %cl,%eax
   0x00007ffff7bc36bd <+109>:add    %r13,%r8
   0x00007ffff7bc36c0 <+112>:test   %ebp,%ebp
   0x00007ffff7bc36c2 <+114>:mov    %eax,%ecx
   0x00007ffff7bc36c4 <+116>:je     0x7ffff7bc36ec <mdjvu_bitmap_get_bounding_box+156>
   0x00007ffff7bc36c6 <+118>:movzbl (%r8),%eax
   0x00007ffff7bc36ca <+122>:test   %ecx,%eax
   0x00007ffff7bc36cc <+124>:jne    0x7ffff7bc3700 <mdjvu_bitmap_get_bounding_box+176>
   0x00007ffff7bc36ce <+126>:add    %r11,%r8
   0x00007ffff7bc36d1 <+129>:xor    %eax,%eax
   0x00007ffff7bc36d3 <+131>:jmp    0x7ffff7bc36e7 <mdjvu_bitmap_get_bounding_box+151>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x0	0
rbx            0xfffffffc	4294967292
rcx            0x7fffffffcd78	140737488342392
rdx            0x1	1
rsi            0x7fffffffcda8	140737488342440
rdi            0x7fffffffcd78	140737488342392
rbp            0xfffffffd	0xfffffffd
rsp            0x7fffffffcd20	0x7fffffffcd20
r8             0x7fffffffcd7c	140737488342396
r9             0xfffffffc	4294967292
r10            0xffffffff	4294967295
r11            0x1	1
r12            0xfffffffe	4294967294
r13            0x1	1
r14            0x624940	6441280
r15            0x1	1
rip            0x7ffff7bc36a1	0x7ffff7bc36a1 <mdjvu_bitmap_get_bounding_box+81>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
---Type <return> to continue, or q <return> to quit---
fs             0x0	0
gs             0x0	0
(gdb) 


POC:
minidjvu_0.8_invalid_memory_read_4.djvu
CVE:
CVE-2017-12444
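Items 1, 2 and 4 all fault inside the margin-removal path with an out-of-range row index (y = -1) or an impossible geometry (a NULL row table with a negative height). The following C is an added example of the checks a decoder wants at that point, not minidjvu's code: the bitmap layout, the function names and the sample glyph are all assumed. A checked row lookup refuses y outside [0, height), and the bounding-box pass refuses a zero or negative width or height or a missing row table before it ever computes bottom = height - 1, so a crafted file is rejected instead of crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
/* Reconstructed 1-bpp bitmap (assumed layout: row-pointer table, width,
 * height) for illustration only; it is not minidjvu's own type. */
typedef struct {
    unsigned char **rows;   /* packed rows, 8 pixels per byte, MSB first */
    int32_t width;
    int32_t height;
} bitmap_t;

/* 1 = row y is blank, 0 = it has a black pixel, -1 = y or the geometry is
 * invalid. Items 1 and 2 crash with y == -1; the range check refuses it. */
static int row_is_empty_checked(const bitmap_t *bmp, int32_t y)
{
    if (bmp == NULL || bmp->rows == NULL || bmp->width <= 0) return -1;
    if (y < 0 || y >= bmp->height) return -1;
    const unsigned char *row = bmp->rows[y];
    int32_t full = bmp->width / 8, tail = bmp->width % 8;
    for (int32_t i = 0; i < full; i++)
        if (row[i]) return 0;
    if (tail && (row[full] & (unsigned char)(0xFFu << (8 - tail)))) return 0;
    return 1;   /* only the used high bits of a partial last byte were tested */
}

/* 0 = box filled in, 1 = all white, -1 = invalid geometry. A height <= 0 or a
 * NULL row table (cf. item 4) is refused before bottom = height - 1 is used. */
static int get_bounding_box_checked(const bitmap_t *bmp, int32_t *left,
                                    int32_t *top, int32_t *w, int32_t *h)
{
    if (bmp == NULL || bmp->rows == NULL || bmp->width <= 0 || bmp->height <= 0)
        return -1;
    int32_t t = 0, b = bmp->height - 1;
    while (t <= b && row_is_empty_checked(bmp, t) == 1) t++;
    if (t > b) return 1;                            /* nothing to crop */
    while (row_is_empty_checked(bmp, b) == 1) b--;  /* stops at t at the latest */
    int32_t l = bmp->width, r = -1;
    for (int32_t y = t; y <= b; y++)
        for (int32_t x = 0; x < bmp->width; x++)
            if (bmp->rows[y][x / 8] & (0x80 >> (x % 8))) {
                if (x < l) l = x;
                if (x > r) r = x;
            }
    *left = l; *top = t; *w = r - l + 1; *h = b - t + 1;
    return 0;
}

/* Constructed 10x4 sample ('#' = black): a glyph with blank margins all round. */
enum { SAMPLE_W = 10, SAMPLE_H = 4 };
static const char *const SAMPLE[SAMPLE_H] = { "..........", "...##.....", "...###....", ".........." };

/* Packs SAMPLE into caller-supplied row storage (no heap, nothing to free). */
static bitmap_t pack_sample(unsigned char rows[SAMPLE_H][2], unsigned char *ptrs[SAMPLE_H])
{
    for (int y = 0; y < SAMPLE_H; y++) {
        rows[y][0] = rows[y][1] = 0;
        for (int x = 0; x < SAMPLE_W; x++)
            if (SAMPLE[y][x] == '#') rows[y][x / 8] |= (unsigned char)(0x80 >> (x % 8));
        ptrs[y] = rows[y];
    }
    bitmap_t bmp = { ptrs, SAMPLE_W, SAMPLE_H };
    return bmp;
}

/* Bounding box of the sample; box = {left, top, width, height}. */
static int demo_sample_box(int32_t box[4])
{
    unsigned char rows[SAMPLE_H][2]; unsigned char *ptrs[SAMPLE_H];
    bitmap_t bmp = pack_sample(rows, ptrs);
    return get_bounding_box_checked(&bmp, &box[0], &box[1], &box[2], &box[3]);
}

/* 1 if every malformed input is refused instead of dereferenced. */
static int demo_rejects_bad_geometry(void)
{
    unsigned char rows[SAMPLE_H][2]; unsigned char *ptrs[SAMPLE_H];
    bitmap_t ok = pack_sample(rows, ptrs);
    bitmap_t broken = { NULL, 2, -3 };  /* NULL row table, negative height, cf. item 4's registers */
    int32_t l, t, w, h;
    return row_is_empty_checked(&ok, -1) == -1           /* y = -1, as in items 1 and 2 */
        && row_is_empty_checked(&ok, SAMPLE_H) == -1     /* one past the last row */
        && get_bounding_box_checked(&broken, &l, &t, &w, &h) == -1
        && get_bounding_box_checked(NULL, &l, &t, &w, &h) == -1;
}

int main(void)
{
    int32_t box[4], rc = demo_sample_box(box);
    printf("rc=%d box=(%d,%d,%d,%d) bad_rejected=%d\n", rc, box[0], box[1], box[2], box[3], demo_rejects_bad_geometry());
    return 0;
}
```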


5.
The JB2BitmapCoder::code_row_by_refinement function in jb2/bmpcoder.cpp in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.


./minidjvu minidjvu_0.8_invalid_memory_read_5.djvu out.tiff


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bcc2ac in JB2BitmapCoder::code_row_by_refinement (
    this=this@...ry=0x7fffffffce10, n=n@...ry=-9, up1=0x626f57 "\001", 
    up1@...ry=0x612100 "", target=<optimized out>, target@...ry=0x612120 "", 
    p_up=0x626fdf "", p_up@...ry=0x612188 "", p_sm=0x626fff "", 
    p_sm@...ry=0x6121a8 "", p_dn=0x626fbf "", p_dn@...ry=0x612168 "", 
    erosion=0x626f97 "", erosion@...ry=0x612140 "") at jb2/bmpcoder.cpp:111
111        if (p_sm[1]) context |= 0x80;  // H
(gdb) bt
#0  0x00007ffff7bcc2ac in JB2BitmapCoder::code_row_by_refinement (
    this=this@...ry=0x7fffffffce10, n=n@...ry=-9, up1=0x626f57 "\001", 
    up1@...ry=0x612100 "", target=<optimized out>, target@...ry=0x612120 "", 
    p_up=0x626fdf "", p_up@...ry=0x612188 "", p_sm=0x626fff "", 
    p_sm@...ry=0x6121a8 "", p_dn=0x626fbf "", p_dn@...ry=0x612168 "", 
    erosion=0x626f97 "", erosion@...ry=0x612140 "") at jb2/bmpcoder.cpp:111
#1  0x00007ffff7bcc6d5 in JB2BitmapCoder::code_image_by_refinement (
    this=0x7fffffffce10, shape=0x611d30, prototype=0x611cf0, erosion_mask=0x0)
    at jb2/bmpcoder.cpp:229
#2  0x00007ffff7bcc8f7 in JB2BitmapDecoder::decode (
    this=this@...ry=0x7fffffffce10, img=img@...ry=0x611590, 
    proto=proto@...ry=0x611cf0) at jb2/bmpcoder.cpp:267
#3  0x00007ffff7bd00f1 in decode_lib_shape (jb2=..., img=img@...ry=0x611590, 
    with_blit=with_blit@...ry=true, proto=0x611cf0) at jb2/jb2load.cpp:30
#4  0x00007ffff7bd0542 in mdjvu_file_load_jb2 (file=file@...ry=0x607050, 
    length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
    at jb2/jb2load.cpp:114
#5  0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050, 
    perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#6  0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
    path=path@...ry=0x7fffffffe314 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#7  0x0000000000402e12 in load_image (
---Type <return> to continue, or q <return> to quit---
    path=0x7fffffffe314 "/home/a/Documents/file.djvu")
    at minidjvu.c:187
#8  0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
    at minidjvu.c:333
#9  main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble 
Dump of assembler code for function JB2BitmapCoder::code_row_by_refinement(int, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*):
   0x00007ffff7bcc170 <+0>:push   %r15
   0x00007ffff7bcc172 <+2>:mov    %r8,%r15
   0x00007ffff7bcc175 <+5>:push   %r14
   0x00007ffff7bcc177 <+7>:push   %r13
   0x00007ffff7bcc179 <+9>:mov    %rdi,%r13
   0x00007ffff7bcc17c <+12>:push   %r12
   0x00007ffff7bcc17e <+14>:mov    %r9,%r12
   0x00007ffff7bcc181 <+17>:push   %rbp
   0x00007ffff7bcc182 <+18>:push   %rbx
   0x00007ffff7bcc183 <+19>:mov    %rdx,%rbx
   0x00007ffff7bcc186 <+22>:mov    %rcx,%rdx
   0x00007ffff7bcc189 <+25>:sub    $0x28,%rsp
   0x00007ffff7bcc18d <+29>:cmpb   $0x1,(%rbx)
   0x00007ffff7bcc190 <+32>:mov    0x60(%rsp),%rbp
   0x00007ffff7bcc195 <+37>:mov    0x68(%rsp),%r14
   0x00007ffff7bcc19a <+42>:sbb    %r10d,%r10d
   0x00007ffff7bcc19d <+45>:not    %r10d
   0x00007ffff7bcc1a0 <+48>:and    $0x2,%r10d
   0x00007ffff7bcc1a4 <+52>:mov    %r10d,%eax
   0x00007ffff7bcc1a7 <+55>:or     $0x4,%eax
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bcc1aa <+58>:cmpb   $0x0,0x1(%rbx)
   0x00007ffff7bcc1ae <+62>:cmovne %eax,%r10d
   0x00007ffff7bcc1b2 <+66>:mov    %r10d,%eax
   0x00007ffff7bcc1b5 <+69>:or     $0x10,%eax
   0x00007ffff7bcc1b8 <+72>:cmpb   $0x0,(%r8)
   0x00007ffff7bcc1bc <+76>:cmovne %eax,%r10d
   0x00007ffff7bcc1c0 <+80>:mov    %r10d,%eax
   0x00007ffff7bcc1c3 <+83>:or     $0x20,%eax
   0x00007ffff7bcc1c6 <+86>:cmpb   $0x0,-0x1(%r9)
   0x00007ffff7bcc1cb <+91>:cmovne %eax,%r10d
   0x00007ffff7bcc1cf <+95>:mov    %r10d,%eax
   0x00007ffff7bcc1d2 <+98>:or     $0x40,%eax
   0x00007ffff7bcc1d5 <+101>:cmpb   $0x0,(%r9)
   0x00007ffff7bcc1d9 <+105>:cmovne %eax,%r10d
   0x00007ffff7bcc1dd <+109>:mov    %r10d,%eax
   0x00007ffff7bcc1e0 <+112>:or     $0x80,%al
   0x00007ffff7bcc1e2 <+114>:cmpb   $0x0,0x1(%r9)
   0x00007ffff7bcc1e7 <+119>:cmovne %eax,%r10d
   0x00007ffff7bcc1eb <+123>:mov    %r10d,%eax
   0x00007ffff7bcc1ee <+126>:or     $0x1,%ah
   0x00007ffff7bcc1f1 <+129>:cmpb   $0x0,-0x1(%rbp)
   0x00007ffff7bcc1f5 <+133>:cmovne %eax,%r10d
   0x00007ffff7bcc1f9 <+137>:mov    %r10d,%eax
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bcc1fc <+140>:or     $0x2,%ah
   0x00007ffff7bcc1ff <+143>:cmpb   $0x0,0x0(%rbp)
   0x00007ffff7bcc203 <+147>:cmovne %eax,%r10d
   0x00007ffff7bcc207 <+151>:mov    %r10d,%eax
   0x00007ffff7bcc20a <+154>:or     $0x4,%ah
   0x00007ffff7bcc20d <+157>:cmpb   $0x0,0x1(%rbp)
   0x00007ffff7bcc211 <+161>:cmovne %eax,%r10d
   0x00007ffff7bcc215 <+165>:mov    %esi,%eax
   0x00007ffff7bcc217 <+167>:add    %rbx,%rax
   0x00007ffff7bcc21a <+170>:mov    %rax,0x18(%rsp)
   0x00007ffff7bcc21f <+175>:jmpq   0x7ffff7bcc2c4 <JB2BitmapCoder::code_row_by_refinement(int, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*)+340>
   0x00007ffff7bcc224 <+180>:nopl   0x0(%rax)
   0x00007ffff7bcc228 <+184>:lea    0x1(%rdx),%rax
   0x00007ffff7bcc22c <+188>:movzwl %r10w,%r10d
   0x00007ffff7bcc230 <+192>:add    $0x1,%r14
   0x00007ffff7bcc234 <+196>:movslq %r10d,%rsi
   0x00007ffff7bcc237 <+199>:movzbl -0x1(%r14),%ecx
   0x00007ffff7bcc23c <+204>:mov    %r10d,0x14(%rsp)
   0x00007ffff7bcc241 <+209>:mov    %rax,0x8(%rsp)
   0x00007ffff7bcc246 <+214>:mov    0x0(%r13),%rax
   0x00007ffff7bcc24a <+218>:mov    %r13,%rdi
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bcc24d <+221>:lea    0x408(%r13,%rsi,1),%rsi
   0x00007ffff7bcc255 <+229>:add    $0x1,%rbx
   0x00007ffff7bcc259 <+233>:add    $0x1,%r15
   0x00007ffff7bcc25d <+237>:add    $0x1,%r12
   0x00007ffff7bcc261 <+241>:add    $0x1,%rbp
   0x00007ffff7bcc265 <+245>:callq  *0x10(%rax)
   0x00007ffff7bcc268 <+248>:mov    0x14(%rsp),%r10d
   0x00007ffff7bcc26d <+253>:sar    %r10d
   0x00007ffff7bcc270 <+256>:and    $0x363,%r10w
   0x00007ffff7bcc276 <+262>:mov    %r10d,%edi
   0x00007ffff7bcc279 <+265>:or     $0x4,%edi
   0x00007ffff7bcc27c <+268>:cmpb   $0x0,0x1(%rbx)
   0x00007ffff7bcc280 <+272>:mov    %edi,%edx
   0x00007ffff7bcc282 <+274>:cmovne %edx,%r10d
   0x00007ffff7bcc286 <+278>:mov    %r10d,%ecx
   0x00007ffff7bcc289 <+281>:or     $0x8,%ecx
   0x00007ffff7bcc28c <+284>:test   %eax,%eax
   0x00007ffff7bcc28e <+286>:mov    %ecx,%edx
   0x00007ffff7bcc290 <+288>:cmovne %edx,%r10d
   0x00007ffff7bcc294 <+292>:mov    0x8(%rsp),%rdx
   0x00007ffff7bcc299 <+297>:mov    %r10d,%eax
   0x00007ffff7bcc29c <+300>:or     $0x10,%eax
   0x00007ffff7bcc29f <+303>:cmpb   $0x0,(%r15)
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bcc2a3 <+307>:cmovne %eax,%r10d
   0x00007ffff7bcc2a7 <+311>:mov    %r10d,%eax
   0x00007ffff7bcc2aa <+314>:or     $0x80,%al
=> 0x00007ffff7bcc2ac <+316>:cmpb   $0x0,0x1(%r12)
   0x00007ffff7bcc2b2 <+322>:cmovne %eax,%r10d
   0x00007ffff7bcc2b6 <+326>:mov    %r10d,%eax
   0x00007ffff7bcc2b9 <+329>:or     $0x4,%ah
   0x00007ffff7bcc2bc <+332>:cmpb   $0x0,0x1(%rbp)
   0x00007ffff7bcc2c0 <+336>:cmovne %eax,%r10d
   0x00007ffff7bcc2c4 <+340>:cmp    0x18(%rsp),%rbx
   0x00007ffff7bcc2c9 <+345>:jne    0x7ffff7bcc228 <JB2BitmapCoder::code_row_by_refinement(int, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*)+184>
   0x00007ffff7bcc2cf <+351>:add    $0x28,%rsp
   0x00007ffff7bcc2d3 <+355>:pop    %rbx
   0x00007ffff7bcc2d4 <+356>:pop    %rbp
   0x00007ffff7bcc2d5 <+357>:pop    %r12
   0x00007ffff7bcc2d7 <+359>:pop    %r13
   0x00007ffff7bcc2d9 <+361>:pop    %r14
   0x00007ffff7bcc2db <+363>:pop    %r15
   0x00007ffff7bcc2dd <+365>:retq   
End of assembler dump.
(gdb) i r
rax            0x8b	139
rbx            0x626f57	6451031
rcx            0xb	11
rdx            0x626f77	6451063
rsi            0x7fffffffd226	140737488343590
rdi            0x7	7
rbp            0x626fbf	0x626fbf
rsp            0x7fffffffcc40	0x7fffffffcc40
r8             0x7ffff7fd4780	140737353959296
r9             0x6121a8	6365608
r10            0xb	11
r11            0x7ffff7bcc170	140737349730672
r12            0x626fff	6451199
r13            0x7fffffffce10	140737488342544
r14            0x626f97	6451095
r15            0x626fdf	6451167
rip            0x7ffff7bcc2ac	0x7ffff7bcc2ac <JB2BitmapCoder::code_row_by_refinement(int, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*)+316>
eflags         0x10286	[ PF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
---Type <return> to continue, or q <return> to quit---
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) x/20x 0x626fff
0x626fff:Cannot access memory at address 0x627000
(gdb) x/20x 0x626fff+1
0x627000:Cannot access memory at address 0x627000
(gdb)


POC:
minidjvu_0.8_invalid_memory_read_5.djvu
CVE:
CVE-2017-12445




===============================




qflb.wu () dbappsecurity com cn


Download attachment "poc.zip" of type "application/x-zip-compressed" (23627 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
