f158143e
jpeg_skip_scanlines: Fix UAF w/merged upsamp/quant
DRC authored
jpeg_skip_scanlines() (more specifically, read_and_discard_scanlines())
should check whether merged upsampling is disabled before attempting
to dereference cinfo->cconvert, and it should check whether color
quantization is enabled before attempting to dereference
cinfo->cquantize.  Otherwise, executing one of the following sequences
with the same libjpeg API instance and any 4:2:0 or 4:2:2 JPEG image
will cause a use-after-free issue:

- Disable merged upsampling (default)
- jpeg_start_decompress()
- jpeg_finish_decompress()
  (frees but doesn't zero cinfo->cconvert)
- Enable merged upsampling
- jpeg_start_decompress()
  (doesn't re-allocate cinfo->cconvert, because
  j*init_color_deconverter() isn't called)
- jpeg_skip_scanlines()

- Enable 1-pass color quantization
- jpeg_start_decompress()
- jpeg_finish_decompress()
  (frees but doesn't zero cinfo->cquantize)
- Disable 1-pass color quantization
- jpeg_start_decompress()
  (doesn't re-allocate cinfo->cquantize, because j*init_*_quantizer()
  isn't called)
- jpeg_skip_scanlines()

These sequences are very unlikely to occur in a real-world application.
In practice, this issue does not even cause a segfault or other
user-visible errant behavior, so it is only detectable with ASan.  That
is because the memory region is small enough that it doesn't get
reclaimed by either the application or the O/S between the point at
which it is freed and the point at which it is used (even though a
subsequent malloc() call requests exactly the same amount of memory.)
Thus, this is an undefined behavior issue, but it is unlikely to be
exploitable.
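As an added illustration (not libjpeg-turbo's code), here is a hypothetical C model of the two sequences in the commit message: the `decoder` and `pool_obj` structs, the `touch()` helper and the `replay_*` functions are all invented here, and "alive" flags stand in for what ASan tracks. It shows why the skip routine has to gate on the mode flags rather than on the pointers being non-NULL, since a dangling pointer is still non-NULL.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stands in for cinfo->cconvert / cinfo->cquantize; 'alive' is what ASan tracks. */
typedef struct { bool alive; } pool_obj;
typedef struct {
    bool use_merged_upsample;   /* mode flags the caller may flip between images */
    bool quantize_colors;
    pool_obj *cconvert;         /* set only when the color deconverter is initialised */
    pool_obj *cquantize;        /* set only when a quantizer is initialised */
} decoder;
static pool_obj g_cconvert, g_cquantize;   /* hypothetical pool storage */
/* Like jpeg_start_decompress(): each init path runs only for its active mode. */
static void start_decompress(decoder *d) {
    if (!d->use_merged_upsample) { g_cconvert.alive = true;  d->cconvert  = &g_cconvert;  }
    if (d->quantize_colors)      { g_cquantize.alive = true; d->cquantize = &g_cquantize; }
}
/* Like jpeg_finish_decompress(): releases the objects, leaves the pointers dangling. */
static void finish_decompress(decoder *d) {
    (void)d;
    g_cconvert.alive = g_cquantize.alive = false;
}
/* Dereference: 0 if the object is live, -1 if dangling (what ASan would report). */
static int touch(const pool_obj *p) { return (p != NULL && p->alive) ? 0 : -1; }
/* Skip routine gated only on non-NULL: not enough, a dangling pointer is still non-NULL. */
static int skip_scanlines_unfixed(decoder *d) {
    if (d->cconvert  != NULL && touch(d->cconvert)  < 0) return -1;
    if (d->cquantize != NULL && touch(d->cquantize) < 0) return -1;
    return 0;
}
/* Fixed skip routine: consult the mode flags, as the commit message prescribes. */
static int skip_scanlines_fixed(decoder *d) {
    if (!d->use_merged_upsample && touch(d->cconvert)  < 0) return -1;
    if (d->quantize_colors       && touch(d->cquantize) < 0) return -1;
    return 0;
}
/* First sequence from the commit message; returns the given skip routine's result. */
static int replay_merged_upsample_sequence(int (*skip)(decoder *)) {
    decoder d = { false, false, NULL, NULL };           /* merged upsampling disabled */
    start_decompress(&d); finish_decompress(&d);        /* frees, doesn't zero cconvert */
    d.use_merged_upsample = true; start_decompress(&d); /* cconvert not re-allocated */
    return skip(&d);
}
/* Second sequence: 1-pass quantization on, then off. */
static int replay_quantize_sequence(int (*skip)(decoder *)) {
    decoder d = { false, true, NULL, NULL };            /* quantization enabled */
    start_decompress(&d); finish_decompress(&d);        /* frees, doesn't zero cquantize */
    d.quantize_colors = false; start_decompress(&d);    /* cquantize not re-allocated */
    return skip(&d);
}
```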