Date: Mon, 7 Aug 2017 21:51:28 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] minidjvu multiple vulnerabilities
minidjvu multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
minidjvu is a command line utility which encodes and decodes single-page black-and-white DjVu files, and can compress multiple pages by taking advantage of similarities between pages.
Affected version:
=====
0.8
Vulnerability Description:
==========================
1.
The row_is_empty function in base/4bitmap.c:274 in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.
./minidjvu minidjvu_0.8_invalid_memory_read_1.djvu out.tiff
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
row_is_empty (y=y@...ry=-1, bmp=0x6235d0, bmp=0x6235d0) at base/4bitmap.c:274
274 if (row[bytes_to_check] & mask) return 0;
(gdb) bt
#0 row_is_empty (y=y@...ry=-1, bmp=0x6235d0, bmp=0x6235d0)
at base/4bitmap.c:274
#1 0x00007ffff7bc378c in mdjvu_bitmap_get_bounding_box (b=b@...ry=0x6235d0,
pl=pl@...ry=0x7fffffffcda8, pt=pt@...ry=0x7fffffffcdac,
pw=pw@...ry=0x7fffffffcd78, ph=ph@...ry=0x7fffffffcd7c)
at base/4bitmap.c:309
#2 0x00007ffff7bc3800 in mdjvu_bitmap_remove_margins (b=0x6235d0,
px=0x7fffffffcda8, py=0x7fffffffcdac) at base/4bitmap.c:321
#3 0x00007ffff7bd0143 in decode_lib_shape (jb2=..., img=img@...ry=0x611590,
with_blit=with_blit@...ry=true, proto=<optimized out>)
at jb2/jb2load.cpp:37
#4 0x00007ffff7bd0542 in mdjvu_file_load_jb2 (file=file@...ry=0x607050,
length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
at jb2/jb2load.cpp:114
#5 0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050,
perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#6 0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
path=path@...ry=0x7fffffffe315 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#7 0x0000000000402e12 in load_image (
path=0x7fffffffe315 "/home/a/Documents/file.djvu")
at minidjvu.c:187
#8 0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
---Type <return> to continue, or q <return> to quit---
at minidjvu.c:333
#9 main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble
Dump of assembler code for function row_is_empty:
0x00007ffff7bc3090 <+0>:lea 0x7(%rsi),%ecx
0x00007ffff7bc3093 <+3>:movslq %edx,%rdx
0x00007ffff7bc3096 <+6>:mov (%rdi,%rdx,8),%rdi
0x00007ffff7bc309a <+10>:sar $0x3,%ecx
0x00007ffff7bc309d <+13>:sub $0x1,%ecx
0x00007ffff7bc30a0 <+16>:test %ecx,%ecx
0x00007ffff7bc30a2 <+18>:jle 0x7ffff7bc30c9 <row_is_empty+57>
0x00007ffff7bc30a4 <+20>:cmpb $0x0,(%rdi)
0x00007ffff7bc30a7 <+23>:jne 0x7ffff7bc30f0 <row_is_empty+96>
0x00007ffff7bc30a9 <+25>:lea 0x1(%rdi),%rdx
0x00007ffff7bc30ad <+29>:xor %eax,%eax
0x00007ffff7bc30af <+31>:jmp 0x7ffff7bc30c2 <row_is_empty+50>
0x00007ffff7bc30b1 <+33>:nopl 0x0(%rax)
0x00007ffff7bc30b8 <+40>:add $0x1,%rdx
0x00007ffff7bc30bc <+44>:cmpb $0x0,-0x1(%rdx)
0x00007ffff7bc30c0 <+48>:jne 0x7ffff7bc30f0 <row_is_empty+96>
0x00007ffff7bc30c2 <+50>:add $0x1,%eax
0x00007ffff7bc30c5 <+53>:cmp %ecx,%eax
0x00007ffff7bc30c7 <+55>:jne 0x7ffff7bc30b8 <row_is_empty+40>
0x00007ffff7bc30c9 <+57>:movslq %ecx,%rax
0x00007ffff7bc30cc <+60>:shl $0x3,%ecx
=> 0x00007ffff7bc30cf <+63>:movzbl (%rdi,%rax,1),%edx
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bc30d3 <+67>:sub %esi,%ecx
0x00007ffff7bc30d5 <+69>:mov $0xff,%eax
0x00007ffff7bc30da <+74>:add $0x8,%ecx
0x00007ffff7bc30dd <+77>:shl %cl,%eax
0x00007ffff7bc30df <+79>:test %eax,%edx
0x00007ffff7bc30e1 <+81>:sete %al
0x00007ffff7bc30e4 <+84>:movzbl %al,%eax
0x00007ffff7bc30e7 <+87>:retq
0x00007ffff7bc30e8 <+88>:nopl 0x0(%rax,%rax,1)
0x00007ffff7bc30f0 <+96>:xor %eax,%eax
0x00007ffff7bc30f2 <+98>:retq
End of assembler dump.
(gdb) i r
rax 0x0 0
rbx 0xffffffff 4294967295
rcx 0x0 0
rdx 0xffffffffffffffff -1
rsi 0x1 1
rdi 0x21 33
rbp 0x0 0x0
rsp 0x7fffffffcd18 0x7fffffffcd18
r8 0x0 0
r9 0xffffffff 4294967295
r10 0xffffffff 4294967295
r11 0x0 0
r12 0x623420 6435872
r13 0x1 1
r14 0x6235d0 6436304
r15 0x1 1
rip 0x7ffff7bc30cf 0x7ffff7bc30cf <row_is_empty+63>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type <return> to continue, or q <return> to quit---
gs 0x0 0
(gdb)
POC:
minidjvu_0.8_invalid_memory_read_1.djvu
CVE:
CVE-2017-12441
2.
The row_is_empty function in base/4bitmap.c:272 in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.
./minidjvu minidjvu_0.8_invalid_memory_read_2.djvu out.tiff
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
row_is_empty (y=y@...ry=-1, bmp=0x614050, bmp=0x614050) at base/4bitmap.c:272
272 if (row[i]) return 0;
(gdb) bt
#0 row_is_empty (y=y@...ry=-1, bmp=0x614050, bmp=0x614050)
at base/4bitmap.c:272
#1 0x00007ffff7bc378c in mdjvu_bitmap_get_bounding_box (b=b@...ry=0x614050,
pl=pl@...ry=0x7fffffffcda8, pt=pt@...ry=0x7fffffffcdac,
pw=pw@...ry=0x7fffffffcd78, ph=ph@...ry=0x7fffffffcd7c)
at base/4bitmap.c:309
#2 0x00007ffff7bc3800 in mdjvu_bitmap_remove_margins (b=0x614050,
px=0x7fffffffcda8, py=0x7fffffffcdac) at base/4bitmap.c:321
#3 0x00007ffff7bd0143 in decode_lib_shape (jb2=..., img=img@...ry=0x611590,
with_blit=with_blit@...ry=true, proto=proto@...ry=0x0)
at jb2/jb2load.cpp:37
#4 0x00007ffff7bd05bb in mdjvu_file_load_jb2 (file=file@...ry=0x607050,
length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
at jb2/jb2load.cpp:91
#5 0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050,
perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#6 0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
path=path@...ry=0x7fffffffe314 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#7 0x0000000000402e12 in load_image (
path=0x7fffffffe314 "/home/a/Documents/file.djvu")
at minidjvu.c:187
#8 0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
---Type <return> to continue, or q <return> to quit---
at minidjvu.c:333
#9 main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble
Dump of assembler code for function row_is_empty:
0x00007ffff7bc3090 <+0>:lea 0x7(%rsi),%ecx
0x00007ffff7bc3093 <+3>:movslq %edx,%rdx
0x00007ffff7bc3096 <+6>:mov (%rdi,%rdx,8),%rdi
0x00007ffff7bc309a <+10>:sar $0x3,%ecx
0x00007ffff7bc309d <+13>:sub $0x1,%ecx
0x00007ffff7bc30a0 <+16>:test %ecx,%ecx
0x00007ffff7bc30a2 <+18>:jle 0x7ffff7bc30c9 <row_is_empty+57>
=> 0x00007ffff7bc30a4 <+20>:cmpb $0x0,(%rdi)
0x00007ffff7bc30a7 <+23>:jne 0x7ffff7bc30f0 <row_is_empty+96>
0x00007ffff7bc30a9 <+25>:lea 0x1(%rdi),%rdx
0x00007ffff7bc30ad <+29>:xor %eax,%eax
0x00007ffff7bc30af <+31>:jmp 0x7ffff7bc30c2 <row_is_empty+50>
0x00007ffff7bc30b1 <+33>:nopl 0x0(%rax)
0x00007ffff7bc30b8 <+40>:add $0x1,%rdx
0x00007ffff7bc30bc <+44>:cmpb $0x0,-0x1(%rdx)
0x00007ffff7bc30c0 <+48>:jne 0x7ffff7bc30f0 <row_is_empty+96>
0x00007ffff7bc30c2 <+50>:add $0x1,%eax
0x00007ffff7bc30c5 <+53>:cmp %ecx,%eax
0x00007ffff7bc30c7 <+55>:jne 0x7ffff7bc30b8 <row_is_empty+40>
0x00007ffff7bc30c9 <+57>:movslq %ecx,%rax
0x00007ffff7bc30cc <+60>:shl $0x3,%ecx
0x00007ffff7bc30cf <+63>:movzbl (%rdi,%rax,1),%edx
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bc30d3 <+67>:sub %esi,%ecx
0x00007ffff7bc30d5 <+69>:mov $0xff,%eax
0x00007ffff7bc30da <+74>:add $0x8,%ecx
0x00007ffff7bc30dd <+77>:shl %cl,%eax
0x00007ffff7bc30df <+79>:test %eax,%edx
0x00007ffff7bc30e1 <+81>:sete %al
0x00007ffff7bc30e4 <+84>:movzbl %al,%eax
0x00007ffff7bc30e7 <+87>:retq
0x00007ffff7bc30e8 <+88>:nopl 0x0(%rax,%rax,1)
0x00007ffff7bc30f0 <+96>:xor %eax,%eax
0x00007ffff7bc30f2 <+98>:retq
End of assembler dump.
(gdb) i r
rax 0x80 128
rbx 0xffffffff 4294967295
rcx 0x2 2
rdx 0xffffffffffffffff -1
rsi 0x14 20
rdi 0x21 33
rbp 0x0 0x0
rsp 0x7fffffffcd18 0x7fffffffcd18
r8 0x0 0
r9 0xffffffff 4294967295
r10 0xce 206
r11 0x0 0
r12 0x614070 6373488
r13 0x14 20
r14 0x614050 6373456
r15 0x3 3
rip 0x7ffff7bc30a4 0x7ffff7bc30a4 <row_is_empty+20>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type <return> to continue, or q <return> to quit---
gs 0x0 0
(gdb)
POC:
minidjvu_0.8_invalid_memory_read_2.djvu
CVE:
CVE-2017-12442
3.
The mdjvu_bitmap_pack_row function in base/4bitmap.c in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.
./minidjvu minidjvu_0.8_invalid_memory_read_3.djvu out.tiff
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc330d in mdjvu_bitmap_pack_row (b=b@...ry=0x6170c0,
bytes=0x627001 <error: Cannot access memory at address 0x627001>,
bytes@...ry=0x617140 "", y=y@...ry=0) at base/4bitmap.c:141
141 if (*bytes++) a |= coef;
(gdb) bt
#0 0x00007ffff7bc330d in mdjvu_bitmap_pack_row (b=b@...ry=0x6170c0,
bytes=0x627001 <error: Cannot access memory at address 0x627001>,
bytes@...ry=0x617140 "", y=y@...ry=0) at base/4bitmap.c:141
#1 0x00007ffff7bc3576 in mdjvu_bitmap_crop (b=b@...ry=0x617160,
left=<optimized out>, top=0, w=<optimized out>, h=<optimized out>)
at base/4bitmap.c:253
#2 0x00007ffff7bc3839 in mdjvu_bitmap_remove_margins (b=0x617160,
px=0x7fffffffcda8, py=0x7fffffffcdac) at base/4bitmap.c:324
#3 0x00007ffff7bd0143 in decode_lib_shape (jb2=..., img=img@...ry=0x611590,
with_blit=with_blit@...ry=true, proto=proto@...ry=0x0)
at jb2/jb2load.cpp:37
#4 0x00007ffff7bd05bb in mdjvu_file_load_jb2 (file=file@...ry=0x607050,
length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
at jb2/jb2load.cpp:91
#5 0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050,
perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#6 0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
path=path@...ry=0x7fffffffe314 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#7 0x0000000000402e12 in load_image (
path=0x7fffffffe314 "/home/a/Documents/file.djvu")
at minidjvu.c:187
#8 0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
---Type <return> to continue, or q <return> to quit---
at minidjvu.c:333
#9 main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble
Dump of assembler code for function mdjvu_bitmap_pack_row:
0x00007ffff7bc32e0 <+0>:mov 0x8(%rdi),%r9d
0x00007ffff7bc32e4 <+4>:mov (%rdi),%rax
0x00007ffff7bc32e7 <+7>:movslq %edx,%rdx
0x00007ffff7bc32ea <+10>:mov (%rax,%rdx,8),%r8
0x00007ffff7bc32ee <+14>:xor %edx,%edx
0x00007ffff7bc32f0 <+16>:mov $0x80,%eax
0x00007ffff7bc32f5 <+21>:add %rsi,%r9
0x00007ffff7bc32f8 <+24>:nopl 0x0(%rax,%rax,1)
0x00007ffff7bc3300 <+32>:cmp %r9,%rsi
0x00007ffff7bc3303 <+35>:je 0x7ffff7bc332b <mdjvu_bitmap_pack_row+75>
0x00007ffff7bc3305 <+37>:mov %edx,%ecx
0x00007ffff7bc3307 <+39>:add $0x1,%rsi
0x00007ffff7bc330b <+43>:or %eax,%ecx
=> 0x00007ffff7bc330d <+45>:cmpb $0x0,-0x1(%rsi)
0x00007ffff7bc3311 <+49>:cmovne %ecx,%edx
0x00007ffff7bc3314 <+52>:sar %eax
0x00007ffff7bc3316 <+54>:jne 0x7ffff7bc3300 <mdjvu_bitmap_pack_row+32>
0x00007ffff7bc3318 <+56>:mov %dl,(%r8)
0x00007ffff7bc331b <+59>:add $0x1,%r8
0x00007ffff7bc331f <+63>:xor %edx,%edx
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bc3321 <+65>:cmp %r9,%rsi
0x00007ffff7bc3324 <+68>:mov $0x80,%eax
0x00007ffff7bc3329 <+73>:jne 0x7ffff7bc3305 <mdjvu_bitmap_pack_row+37>
0x00007ffff7bc332b <+75>:testb $0x7,0x8(%rdi)
0x00007ffff7bc332f <+79>:je 0x7ffff7bc3334 <mdjvu_bitmap_pack_row+84>
0x00007ffff7bc3331 <+81>:mov %dl,(%r8)
0x00007ffff7bc3334 <+84>:repz retq
End of assembler dump.
(gdb) i r
rax 0x80 128
rbx 0x617160 6386016
rcx 0x80 128
rdx 0x0 0
rsi 0x627001 6451201
rdi 0x6170c0 6385856
rbp 0x0 0x0
rsp 0x7fffffffcd18 0x7fffffffcd18
r8 0x618f60 6393696
r9 0x100617118 4301353240
r10 0x0 0
r11 0x0 0
r12 0x617140 6385984
r13 0x6170c0 6385856
r14 0x0 0
r15 0x617140 6385984
rip 0x7ffff7bc330d 0x7ffff7bc330d <mdjvu_bitmap_pack_row+45>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type <return> to continue, or q <return> to quit---
gs 0x0 0
(gdb) x/20x 0x627001
0x627001:Cannot access memory at address 0x627001
(gdb)
POC:
minidjvu_0.8_invalid_memory_read_3.djvu
CVE:
CVE-2017-12443
4.
The mdjvu_bitmap_get_bounding_box function in base/4bitmap.c in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.
./minidjvu minidjvu_0.8_invalid_memory_read_4.djvu out.tiff
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc36a1 in mdjvu_bitmap_get_bounding_box (b=b@...ry=0x624940,
pl=pl@...ry=0x7fffffffcda8, pt=pt@...ry=0x7fffffffcdac,
pw=pw@...ry=0x7fffffffcd78, ph=ph@...ry=0x7fffffffcd7c)
at base/4bitmap.c:300
300 int32 bottom = BMP->height - 1;
(gdb) bt
#0 0x00007ffff7bc36a1 in mdjvu_bitmap_get_bounding_box (b=b@...ry=0x624940,
pl=pl@...ry=0x7fffffffcda8, pt=pt@...ry=0x7fffffffcdac,
pw=pw@...ry=0x7fffffffcd78, ph=ph@...ry=0x7fffffffcd7c)
at base/4bitmap.c:300
#1 0x00007ffff7bc3800 in mdjvu_bitmap_remove_margins (b=0x624940,
px=0x7fffffffcda8, py=0x7fffffffcdac) at base/4bitmap.c:321
#2 0x00007ffff7bd0143 in decode_lib_shape (jb2=..., img=img@...ry=0x611590,
with_blit=with_blit@...ry=true, proto=<optimized out>)
at jb2/jb2load.cpp:37
#3 0x00007ffff7bd0542 in mdjvu_file_load_jb2 (file=file@...ry=0x607050,
length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
at jb2/jb2load.cpp:114
#4 0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050,
perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#5 0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
path=path@...ry=0x7fffffffe314 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#6 0x0000000000402e12 in load_image (
path=0x7fffffffe314 "/home/a/Documents/file.djvu")
at minidjvu.c:187
#7 0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
at minidjvu.c:333
#8 main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble
Dump of assembler code for function mdjvu_bitmap_get_bounding_box:
0x00007ffff7bc3650 <+0>:push %r15
0x00007ffff7bc3652 <+2>:mov $0x1,%r15d
0x00007ffff7bc3658 <+8>:push %r14
0x00007ffff7bc365a <+10>:mov %rdi,%r14
0x00007ffff7bc365d <+13>:mov %rcx,%rdi
0x00007ffff7bc3660 <+16>:push %r13
0x00007ffff7bc3662 <+18>:push %r12
0x00007ffff7bc3664 <+20>:push %rbp
0x00007ffff7bc3665 <+21>:push %rbx
0x00007ffff7bc3666 <+22>:sub $0x18,%rsp
0x00007ffff7bc366a <+26>:mov 0x8(%r14),%r12d
0x00007ffff7bc366e <+30>:mov 0xc(%r14),%ebp
0x00007ffff7bc3672 <+34>:mov %rdx,0x8(%rsp)
0x00007ffff7bc3677 <+39>:mov %r8,0x10(%rsp)
0x00007ffff7bc367c <+44>:lea 0x7(%r12),%eax
0x00007ffff7bc3681 <+49>:lea -0x1(%rbp),%r9d
0x00007ffff7bc3685 <+53>:lea -0x1(%r12),%edx
0x00007ffff7bc368a <+58>:neg %r12d
0x00007ffff7bc368d <+61>:mov %eax,0x4(%rsp)
0x00007ffff7bc3691 <+65>:mov (%r14),%rax
0x00007ffff7bc3694 <+68>:mov %r9d,%ebx
0x00007ffff7bc3697 <+71>:sarl $0x3,0x4(%rsp)
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bc369c <+76>:movslq 0x4(%rsp),%r11
=> 0x00007ffff7bc36a1 <+81>:mov (%rax),%r13
0x00007ffff7bc36a4 <+84>:nopl 0x0(%rax)
0x00007ffff7bc36a8 <+88>:mov %edx,%r8d
0x00007ffff7bc36ab <+91>:mov %r12d,%ecx
0x00007ffff7bc36ae <+94>:mov %r15d,%eax
0x00007ffff7bc36b1 <+97>:sar $0x3,%r8d
0x00007ffff7bc36b5 <+101>:and $0x7,%ecx
0x00007ffff7bc36b8 <+104>:movslq %r8d,%r8
0x00007ffff7bc36bb <+107>:shl %cl,%eax
0x00007ffff7bc36bd <+109>:add %r13,%r8
0x00007ffff7bc36c0 <+112>:test %ebp,%ebp
0x00007ffff7bc36c2 <+114>:mov %eax,%ecx
0x00007ffff7bc36c4 <+116>:je 0x7ffff7bc36ec <mdjvu_bitmap_get_bounding_box+156>
0x00007ffff7bc36c6 <+118>:movzbl (%r8),%eax
0x00007ffff7bc36ca <+122>:test %ecx,%eax
0x00007ffff7bc36cc <+124>:jne 0x7ffff7bc3700 <mdjvu_bitmap_get_bounding_box+176>
0x00007ffff7bc36ce <+126>:add %r11,%r8
0x00007ffff7bc36d1 <+129>:xor %eax,%eax
0x00007ffff7bc36d3 <+131>:jmp 0x7ffff7bc36e7 <mdjvu_bitmap_get_bounding_box+151>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax 0x0 0
rbx 0xfffffffc 4294967292
rcx 0x7fffffffcd78 140737488342392
rdx 0x1 1
rsi 0x7fffffffcda8 140737488342440
rdi 0x7fffffffcd78 140737488342392
rbp 0xfffffffd 0xfffffffd
rsp 0x7fffffffcd20 0x7fffffffcd20
r8 0x7fffffffcd7c 140737488342396
r9 0xfffffffc 4294967292
r10 0xffffffff 4294967295
r11 0x1 1
r12 0xfffffffe 4294967294
r13 0x1 1
r14 0x624940 6441280
r15 0x1 1
rip 0x7ffff7bc36a1 0x7ffff7bc36a1 <mdjvu_bitmap_get_bounding_box+81>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
---Type <return> to continue, or q <return> to quit---
fs 0x0 0
gs 0x0 0
(gdb)
POC:
minidjvu_0.8_invalid_memory_read_4.djvu
CVE:
CVE-2017-12444
5.
The JB2BitmapCoder::code_row_by_refinement function in jb2/bmpcoder.cpp in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted DjVu file.
./minidjvu minidjvu_0.8_invalid_memory_read_5.djvu out.tiff
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bcc2ac in JB2BitmapCoder::code_row_by_refinement (
this=this@...ry=0x7fffffffce10, n=n@...ry=-9, up1=0x626f57 "\001",
up1@...ry=0x612100 "", target=<optimized out>, target@...ry=0x612120 "",
p_up=0x626fdf "", p_up@...ry=0x612188 "", p_sm=0x626fff "",
p_sm@...ry=0x6121a8 "", p_dn=0x626fbf "", p_dn@...ry=0x612168 "",
erosion=0x626f97 "", erosion@...ry=0x612140 "") at jb2/bmpcoder.cpp:111
111 if (p_sm[1]) context |= 0x80; // H
(gdb) bt
#0 0x00007ffff7bcc2ac in JB2BitmapCoder::code_row_by_refinement (
this=this@...ry=0x7fffffffce10, n=n@...ry=-9, up1=0x626f57 "\001",
up1@...ry=0x612100 "", target=<optimized out>, target@...ry=0x612120 "",
p_up=0x626fdf "", p_up@...ry=0x612188 "", p_sm=0x626fff "",
p_sm@...ry=0x6121a8 "", p_dn=0x626fbf "", p_dn@...ry=0x612168 "",
erosion=0x626f97 "", erosion@...ry=0x612140 "") at jb2/bmpcoder.cpp:111
#1 0x00007ffff7bcc6d5 in JB2BitmapCoder::code_image_by_refinement (
this=0x7fffffffce10, shape=0x611d30, prototype=0x611cf0, erosion_mask=0x0)
at jb2/bmpcoder.cpp:229
#2 0x00007ffff7bcc8f7 in JB2BitmapDecoder::decode (
this=this@...ry=0x7fffffffce10, img=img@...ry=0x611590,
proto=proto@...ry=0x611cf0) at jb2/bmpcoder.cpp:267
#3 0x00007ffff7bd00f1 in decode_lib_shape (jb2=..., img=img@...ry=0x611590,
with_blit=with_blit@...ry=true, proto=0x611cf0) at jb2/jb2load.cpp:30
#4 0x00007ffff7bd0542 in mdjvu_file_load_jb2 (file=file@...ry=0x607050,
length=<optimized out>, perr=perr@...ry=0x7fffffffde38)
at jb2/jb2load.cpp:114
#5 0x00007ffff7bcaf80 in mdjvu_file_load_djvu_page (file=file@...ry=0x607050,
perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:114
#6 0x00007ffff7bcafc4 in mdjvu_load_djvu_page (
path=path@...ry=0x7fffffffe314 "/home/a/Documents/file.djvu", perr=perr@...ry=0x7fffffffde38) at formats/djvuload.c:127
#7 0x0000000000402e12 in load_image (
---Type <return> to continue, or q <return> to quit---
path=0x7fffffffe314 "/home/a/Documents/file.djvu")
at minidjvu.c:187
#8 0x00000000004023c5 in decode (argc=<optimized out>, argv=0x7fffffffdf78)
at minidjvu.c:333
#9 main (argc=3, argv=0x7fffffffdf78) at minidjvu.c:713
(gdb) disassemble
Dump of assembler code for function JB2BitmapCoder::code_row_by_refinement(int, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*):
0x00007ffff7bcc170 <+0>:push %r15
0x00007ffff7bcc172 <+2>:mov %r8,%r15
0x00007ffff7bcc175 <+5>:push %r14
0x00007ffff7bcc177 <+7>:push %r13
0x00007ffff7bcc179 <+9>:mov %rdi,%r13
0x00007ffff7bcc17c <+12>:push %r12
0x00007ffff7bcc17e <+14>:mov %r9,%r12
0x00007ffff7bcc181 <+17>:push %rbp
0x00007ffff7bcc182 <+18>:push %rbx
0x00007ffff7bcc183 <+19>:mov %rdx,%rbx
0x00007ffff7bcc186 <+22>:mov %rcx,%rdx
0x00007ffff7bcc189 <+25>:sub $0x28,%rsp
0x00007ffff7bcc18d <+29>:cmpb $0x1,(%rbx)
0x00007ffff7bcc190 <+32>:mov 0x60(%rsp),%rbp
0x00007ffff7bcc195 <+37>:mov 0x68(%rsp),%r14
0x00007ffff7bcc19a <+42>:sbb %r10d,%r10d
0x00007ffff7bcc19d <+45>:not %r10d
0x00007ffff7bcc1a0 <+48>:and $0x2,%r10d
0x00007ffff7bcc1a4 <+52>:mov %r10d,%eax
0x00007ffff7bcc1a7 <+55>:or $0x4,%eax
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bcc1aa <+58>:cmpb $0x0,0x1(%rbx)
0x00007ffff7bcc1ae <+62>:cmovne %eax,%r10d
0x00007ffff7bcc1b2 <+66>:mov %r10d,%eax
0x00007ffff7bcc1b5 <+69>:or $0x10,%eax
0x00007ffff7bcc1b8 <+72>:cmpb $0x0,(%r8)
0x00007ffff7bcc1bc <+76>:cmovne %eax,%r10d
0x00007ffff7bcc1c0 <+80>:mov %r10d,%eax
0x00007ffff7bcc1c3 <+83>:or $0x20,%eax
0x00007ffff7bcc1c6 <+86>:cmpb $0x0,-0x1(%r9)
0x00007ffff7bcc1cb <+91>:cmovne %eax,%r10d
0x00007ffff7bcc1cf <+95>:mov %r10d,%eax
0x00007ffff7bcc1d2 <+98>:or $0x40,%eax
0x00007ffff7bcc1d5 <+101>:cmpb $0x0,(%r9)
0x00007ffff7bcc1d9 <+105>:cmovne %eax,%r10d
0x00007ffff7bcc1dd <+109>:mov %r10d,%eax
0x00007ffff7bcc1e0 <+112>:or $0x80,%al
0x00007ffff7bcc1e2 <+114>:cmpb $0x0,0x1(%r9)
0x00007ffff7bcc1e7 <+119>:cmovne %eax,%r10d
0x00007ffff7bcc1eb <+123>:mov %r10d,%eax
0x00007ffff7bcc1ee <+126>:or $0x1,%ah
0x00007ffff7bcc1f1 <+129>:cmpb $0x0,-0x1(%rbp)
0x00007ffff7bcc1f5 <+133>:cmovne %eax,%r10d
0x00007ffff7bcc1f9 <+137>:mov %r10d,%eax
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bcc1fc <+140>:or $0x2,%ah
0x00007ffff7bcc1ff <+143>:cmpb $0x0,0x0(%rbp)
0x00007ffff7bcc203 <+147>:cmovne %eax,%r10d
0x00007ffff7bcc207 <+151>:mov %r10d,%eax
0x00007ffff7bcc20a <+154>:or $0x4,%ah
0x00007ffff7bcc20d <+157>:cmpb $0x0,0x1(%rbp)
0x00007ffff7bcc211 <+161>:cmovne %eax,%r10d
0x00007ffff7bcc215 <+165>:mov %esi,%eax
0x00007ffff7bcc217 <+167>:add %rbx,%rax
0x00007ffff7bcc21a <+170>:mov %rax,0x18(%rsp)
0x00007ffff7bcc21f <+175>:jmpq 0x7ffff7bcc2c4 <JB2BitmapCoder::code_row_by_refinement(int, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*)+340>
0x00007ffff7bcc224 <+180>:nopl 0x0(%rax)
0x00007ffff7bcc228 <+184>:lea 0x1(%rdx),%rax
0x00007ffff7bcc22c <+188>:movzwl %r10w,%r10d
0x00007ffff7bcc230 <+192>:add $0x1,%r14
0x00007ffff7bcc234 <+196>:movslq %r10d,%rsi
0x00007ffff7bcc237 <+199>:movzbl -0x1(%r14),%ecx
0x00007ffff7bcc23c <+204>:mov %r10d,0x14(%rsp)
0x00007ffff7bcc241 <+209>:mov %rax,0x8(%rsp)
0x00007ffff7bcc246 <+214>:mov 0x0(%r13),%rax
0x00007ffff7bcc24a <+218>:mov %r13,%rdi
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bcc24d <+221>:lea 0x408(%r13,%rsi,1),%rsi
0x00007ffff7bcc255 <+229>:add $0x1,%rbx
0x00007ffff7bcc259 <+233>:add $0x1,%r15
0x00007ffff7bcc25d <+237>:add $0x1,%r12
0x00007ffff7bcc261 <+241>:add $0x1,%rbp
0x00007ffff7bcc265 <+245>:callq *0x10(%rax)
0x00007ffff7bcc268 <+248>:mov 0x14(%rsp),%r10d
0x00007ffff7bcc26d <+253>:sar %r10d
0x00007ffff7bcc270 <+256>:and $0x363,%r10w
0x00007ffff7bcc276 <+262>:mov %r10d,%edi
0x00007ffff7bcc279 <+265>:or $0x4,%edi
0x00007ffff7bcc27c <+268>:cmpb $0x0,0x1(%rbx)
0x00007ffff7bcc280 <+272>:mov %edi,%edx
0x00007ffff7bcc282 <+274>:cmovne %edx,%r10d
0x00007ffff7bcc286 <+278>:mov %r10d,%ecx
0x00007ffff7bcc289 <+281>:or $0x8,%ecx
0x00007ffff7bcc28c <+284>:test %eax,%eax
0x00007ffff7bcc28e <+286>:mov %ecx,%edx
0x00007ffff7bcc290 <+288>:cmovne %edx,%r10d
0x00007ffff7bcc294 <+292>:mov 0x8(%rsp),%rdx
0x00007ffff7bcc299 <+297>:mov %r10d,%eax
0x00007ffff7bcc29c <+300>:or $0x10,%eax
0x00007ffff7bcc29f <+303>:cmpb $0x0,(%r15)
---Type <return> to continue, or q <return> to quit---
0x00007ffff7bcc2a3 <+307>:cmovne %eax,%r10d
0x00007ffff7bcc2a7 <+311>:mov %r10d,%eax
0x00007ffff7bcc2aa <+314>:or $0x80,%al
=> 0x00007ffff7bcc2ac <+316>:cmpb $0x0,0x1(%r12)
0x00007ffff7bcc2b2 <+322>:cmovne %eax,%r10d
0x00007ffff7bcc2b6 <+326>:mov %r10d,%eax
0x00007ffff7bcc2b9 <+329>:or $0x4,%ah
0x00007ffff7bcc2bc <+332>:cmpb $0x0,0x1(%rbp)
0x00007ffff7bcc2c0 <+336>:cmovne %eax,%r10d
0x00007ffff7bcc2c4 <+340>:cmp 0x18(%rsp),%rbx
0x00007ffff7bcc2c9 <+345>:jne 0x7ffff7bcc228 <JB2BitmapCoder::code_row_by_refinement(int, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*)+184>
0x00007ffff7bcc2cf <+351>:add $0x28,%rsp
0x00007ffff7bcc2d3 <+355>:pop %rbx
0x00007ffff7bcc2d4 <+356>:pop %rbp
0x00007ffff7bcc2d5 <+357>:pop %r12
0x00007ffff7bcc2d7 <+359>:pop %r13
0x00007ffff7bcc2d9 <+361>:pop %r14
0x00007ffff7bcc2db <+363>:pop %r15
0x00007ffff7bcc2dd <+365>:retq
End of assembler dump.
(gdb) i r
rax 0x8b 139
rbx 0x626f57 6451031
rcx 0xb 11
rdx 0x626f77 6451063
rsi 0x7fffffffd226 140737488343590
rdi 0x7 7
rbp 0x626fbf 0x626fbf
rsp 0x7fffffffcc40 0x7fffffffcc40
r8 0x7ffff7fd4780 140737353959296
r9 0x6121a8 6365608
r10 0xb 11
r11 0x7ffff7bcc170 140737349730672
r12 0x626fff 6451199
r13 0x7fffffffce10 140737488342544
r14 0x626f97 6451095
r15 0x626fdf 6451167
rip 0x7ffff7bcc2ac 0x7ffff7bcc2ac <JB2BitmapCoder::code_row_by_refinement(int, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*, unsigned char*)+316>
eflags 0x10286 [ PF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
---Type <return> to continue, or q <return> to quit---
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/20x 0x626fff
0x626fff:Cannot access memory at address 0x627000
(gdb) x/20x 0x626fff+1
0x627000:Cannot access memory at address 0x627000
(gdb)
POC:
minidjvu_0.8_invalid_memory_read_5.djvu
CVE:
CVE-2017-12445
===============================
qflb.wu () dbappsecurity com cn
Download attachment "poc.zip" of type "application/x-zip-compressed" (23627 bytes)