commons-issues mailing list archives

From "Rody Kersten (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (IMAGING-203) JPEG segment size not validated
Date Wed, 16 Aug 2017 17:02:01 GMT

    [ https://issues.apache.org/jira/browse/IMAGING-203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16129078#comment-16129078 ]

Rody Kersten commented on IMAGING-203:
--------------------------------------

Thank you [~kinow], also for including Kelinci in your list of fuzzers! It's an interface
to run AFL on Java programs. As you're probably aware, AFL has been very successful at finding
security vulnerabilities in C programs (and binaries). Hopefully with Kelinci we can harness
some of that power for Java.

> JPEG segment size not validated
> -------------------------------
>
>                 Key: IMAGING-203
>                 URL: https://issues.apache.org/jira/browse/IMAGING-203
>             Project: Commons Imaging
>          Issue Type: Bug
>          Components: Format: JPEG
>            Reporter: Rody Kersten
>            Assignee: Bruno P. Kinoshita
>         Attachments: NegSegmentSize.JPG, NegSegmentSize.patch
>
>
> Using my AFL-based fuzzer for Java, Kelinci (https://github.com/isstac/kelinci), I found
> that a NegativeArraySizeException may be thrown when attempting to read an invalid JPEG image.
> Each JPEG segment starts with a two-byte unsigned integer specifying the segment size.
> Segments are parsed by org.apache.commons.imaging.formats.jpeg.JpegUtils.traverseJFIF(). As
> the specified size includes these two bytes, the method subtracts 2 from the size before it
> is used. It then attempts to allocate a buffer for the segment, which fails if the specified
> size is 0 or 1. The method should throw an ImageReadException instead.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
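
The size check described in the issue, as an added example that is not Commons Imaging code and not the attached NegSegmentSize.patch. The class and method names are hypothetical, the input bytes are constructed, and `IOException` stands in for the library's `ImageReadException`.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

public class SegmentSizeCheck {
    // Constructed input: SOI (FF D8), then an APP0 marker (FF E0) declaring size 0x0001.
    static final byte[] SAMPLE = {
        (byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0x00, 0x01
    };

    /** Reads one segment payload; validate=false reproduces the unchecked subtraction. */
    static byte[] readSegment(DataInputStream in, boolean validate) throws IOException {
        int marker = in.readUnsignedShort();      // JPEG fields are big-endian
        int declared = in.readUnsignedShort();    // size field counts its own two bytes
        if (validate && declared < 2) {
            // Reject before any arithmetic or allocation uses the attacker-supplied size.
            throw new IOException(String.format(
                "Invalid segment size %d for marker 0x%04X", declared, marker));
        }
        byte[] payload = new byte[declared - 2];  // negative length when declared is 0 or 1
        in.readFully(payload);                    // EOFException if the data is truncated
        return payload;
    }

    /** Parses SAMPLE and reports how the parse ended, for both code paths. */
    static String outcome(boolean validate) {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(SAMPLE))) {
            if (in.readUnsignedShort() != 0xFFD8) {
                return "not a JPEG";
            }
            return "read " + readSegment(in, validate).length + " bytes";
        } catch (NegativeArraySizeException | IOException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("unchecked: " + outcome(false));
        System.out.println("checked:   " + outcome(true));
    }
}
```

The unchecked path ends in an unchecked runtime exception that callers expecting a parse error will not catch; the checked path reports the malformed segment through the declared exception type.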
