Message-ID: <CAFmK-GzwJA5-L6id1RwuXjYB4D9_1g-uMRY7uE+S=D4J3kwyCQ@mail.gmail.com>
Date: Sat, 6 Sep 2025 03:32:57 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] DjVuLibre 3.5.29 ZPCodec Unsigned Integer Overflow in Arithmetic Encoding

The DjVuLibre document compression library (tested version 3.5.29) contains
multiple instances of unsigned integer overflow in the ZPCodec.cpp
component. During arithmetic encoding operations (e.g., zemit, encode_lps,
encode_lps_simple, eflush), crafted input can cause arithmetic wraparound
(0-1, 1-2, or value+UINT_MAX). These operations rely on precise probability
modeling for entropy encoding, and wraparound corrupts encoder state. An
attacker can supply malicious input to c44 that triggers underflow, leading
to incorrect buffer writes, memory corruption, or crashes.


*Impact:*

   - Crash confirmed with UBSan.
   - Potential for corrupted encoded output, incorrect memory access, or
   exploitable memory corruption.
   - High risk in systems processing untrusted PPM/DjVu input.


*Proof of Concept:*

convert -size 1000x1000 gradient: overflow.ppm

ASAN_OPTIONS=detect_leaks=0,abort_on_error=1 \
UBSAN_OPTIONS=print_stacktrace=1 \
./tools/c44 overflow.ppm out.djvu


*Sanitizer Output:*

ZPCodec.cpp:1030:18: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int'

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ZPCodec.cpp:1030:18
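
For triage of reports like the one above, the following added example (not part of the original post and not DjVuLibre code) parses Clang unsigned-integer-overflow report lines, computes the value each expression actually wraps to, and groups findings by source location. Unsigned arithmetic in C++ is defined modulo 2^n and this check is an opt-in Clang sanitizer, so each report marks a site to review for how the wrapped value is used. Only the first sample line comes from the post; the other two, with the placeholder file name constructed.cpp, are constructed for the 1-2 and value+UINT_MAX forms it mentions.

```python
import re
from collections import defaultdict

# Report format of Clang's unsigned-integer-overflow check.
REPORT = re.compile(
    r"(?P<file>[^\s:]+):(?P<line>\d+):\d+: runtime error: unsigned integer "
    r"overflow: (?P<a>\d+) (?P<op>[-+*]) (?P<b>\d+) cannot be represented "
    r"in type '(?P<type>[^']+)'")
BITS = {"unsigned int": 32, "unsigned long": 64}  # assumes an LP64 target

DECREMENT = "x + (2^n - 1) is x - 1: a decrement written as adding -1"
HUGE = "wraps to a huge value: check any use as index, length or count"
REVIEW = "wraps to a small value: check the state it feeds"

# First line is the report quoted in the post; the other two are constructed
# for the 1-2 and value+UINT_MAX forms it mentions (file name is a placeholder).
SAMPLE = """\
ZPCodec.cpp:1030:18: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int'
constructed.cpp:12:9: runtime error: unsigned integer overflow: 1 - 2 cannot be represented in type 'unsigned int'
constructed.cpp:20:14: runtime error: unsigned integer overflow: 7 + 4294967295 cannot be represented in type 'unsigned int'
"""

def wrapped(a, op, b, bits):
    """Value the expression really produces under modulo-2^bits arithmetic."""
    return {"+": a + b, "-": a - b, "*": a * b}[op] % (1 << bits)

def triage(log_text):
    """Map 'file:line' to a sorted list of (expression, wrapped value, note)."""
    sites = defaultdict(set)
    for m in REPORT.finditer(log_text):
        bits = BITS.get(m["type"])
        if bits is None:          # type this script does not model
            continue
        a, op, b = int(m["a"]), m["op"], int(m["b"])
        value = wrapped(a, op, b, bits)
        if op == "+" and b == (1 << bits) - 1 and a > 0:
            note = DECREMENT
        elif value >= 1 << (bits - 1):
            note = HUGE
        else:
            note = REVIEW
        sites[f"{m['file']}:{m['line']}"].add((f"{a} {op} {b}", value, note))
    return {site: sorted(found) for site, found in sites.items()}

if __name__ == "__main__":
    for site, found in triage(SAMPLE).items():
        for expr, value, note in found:
            print(f"{site}: {expr} -> {value} ({note})")
```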