[cairo-bugs] [Bug 101427] New: Off by one reading out of bound in _jpeg_skip_segment
bugzilla-daemon at freedesktop.org
Wed Jun 14 18:55:38 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101427
Bug ID: 101427
Summary: Off by one reading out of bound in _jpeg_skip_segment
Product: cairo
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: image backend
Assignee: chris at chris-wilson.co.uk
Reporter: foca at salesforce.com
QA Contact: cairo-bugs at cairographics.org
There is an off-by-one vulnerability in cairo when reading the JPEG headers of an
image surface.
The vulnerability is at cairo-image-info.c:76:
70 static const unsigned char *
71 _jpeg_skip_segment (const unsigned char *p)
72 {
73     int len;
74
75     p++;
76     len = (p[0] << 8) | p[1];
77
78     return p + len;
79 }
The off-by-one happens while reading p[1].
This function is called from line cairo-image-info.c:143:
139
140         if (p + 2 > data + length)
141             return CAIRO_INT_STATUS_UNSUPPORTED;
142
143         p = _jpeg_skip_segment (p);
144         break;
145     }
The check here should be >= instead of >, since in _jpeg_skip_segment 3 bytes are
consumed (1 skipped and 2 read):
140         if (p + 2 >= data + length)
If an attacker could control p[1], then he could control how many bytes are
skipped while reading the JPEG segment. It doesn't look like this vulnerability
has security implications, since the function _cairo_image_info_get_jpeg_info
is validating that the pointer is inside the bounds.
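To make the pointer arithmetic behind the report concrete, the following is an added example written for this page; it is not cairo's code. It reproduces the two guard predicates (the quoted `>` and the proposed `>=`) as small functions, compares them against the ground truth of "every byte the skip reads lies inside the buffer", and then shows a bounds-checked variant of the skip that also rejects a length field larger than the remaining data. The function names, the `skip_segment_checked` re-implementation and the three byte arrays are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* _jpeg_skip_segment steps over the marker-type byte at p[0] and then reads
   the big-endian length from p[1] and p[2], so it touches 3 bytes from p. */
#define SKIP_SEGMENT_BYTES 3

/* The guard quoted from cairo-image-info.c:140. Returns 1 when the caller
   would go on to call _jpeg_skip_segment. */
static int original_guard_passes(const unsigned char *p, const unsigned char *end)
{
    return !(p + 2 > end);
}

/* The guard the report proposes (">=" instead of ">"). */
static int fixed_guard_passes(const unsigned char *p, const unsigned char *end)
{
    return !(p + 2 >= end);
}

/* Ground truth: 1 when every byte the skip reads lies inside [p, end). */
static int skip_is_in_bounds(const unsigned char *p, const unsigned char *end)
{
    return p < end && (size_t)(end - p) >= SKIP_SEGMENT_BYTES;
}

/* Bounds-checked re-implementation of the skip (hypothetical, not cairo's).
   Returns NULL instead of reading or pointing past end. The JPEG length
   field counts its own two bytes, so a value below 2 is also malformed. */
static const unsigned char *
skip_segment_checked(const unsigned char *p, const unsigned char *end)
{
    size_t len;

    if (!skip_is_in_bounds(p, end))
        return NULL;
    p++;                                   /* past the marker-type byte */
    len = ((size_t)p[0] << 8) | p[1];      /* big-endian segment length */
    if (len < 2 || len > (size_t)(end - p))
        return NULL;                       /* a crafted length cannot escape the buffer */
    return p + len;                        /* lands on the next 0xFF marker prefix */
}

/* Walk the marker segments of a buffer that starts with SOI (FF D8).
   Returns the number of segments skipped before EOI (FF D9), or -1 if the
   data is truncated or malformed. */
static int walk_segments(const unsigned char *data, size_t length)
{
    const unsigned char *p = data;
    const unsigned char *end = data + length;
    int count = 0;

    if (length < 2 || data[0] != 0xFF || data[1] != 0xD8)
        return -1;
    p += 2;
    while (p < end) {
        if (*p != 0xFF)
            return -1;
        p++;                               /* now at the marker-type byte, as in cairo's loop */
        if (p < end && *p == 0xD9)
            return count;                  /* EOI: done */
        p = skip_segment_checked(p, end);
        if (p == NULL)
            return -1;
        count++;
    }
    return -1;                             /* ran off the end without EOI */
}

/* Constructed samples (not real files). */
/* SOI, APP0 with length 4 (2 payload bytes), EOI */
static const unsigned char SAMPLE_OK[] =
    { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46, 0xFF, 0xD9 };
/* SOI, then a marker with only one length byte: p + 2 == end at the guard */
static const unsigned char SAMPLE_TRUNCATED[] =
    { 0xFF, 0xD8, 0xFF, 0xE0, 0x00 };
/* SOI, then a marker whose length field exceeds the buffer */
static const unsigned char SAMPLE_HUGE_LEN[] =
    { 0xFF, 0xD8, 0xFF, 0xE0, 0xFF, 0xFF };

int main(void)
{
    const unsigned char *p = SAMPLE_TRUNCATED + 3;          /* marker-type byte 0xE0 */
    const unsigned char *end = SAMPLE_TRUNCATED + sizeof SAMPLE_TRUNCATED;

    printf("original guard passes: %d (skip in bounds: %d)\n",
           original_guard_passes(p, end), skip_is_in_bounds(p, end));
    printf("fixed guard passes:    %d\n", fixed_guard_passes(p, end));
    printf("walk ok=%d truncated=%d huge=%d\n",
           walk_segments(SAMPLE_OK, sizeof SAMPLE_OK),
           walk_segments(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           walk_segments(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN));
    return 0;
}
```

On the truncated sample the original predicate lets the call through with p + 2 equal to the end of the buffer, which is exactly the state in which p[2] (the second length byte) is one past the last valid byte; the proposed `>=` rejects it. The checked skip goes one step further than the report asks for by also refusing a length that points beyond the buffer, which is the check the reporter notes _cairo_image_info_get_jpeg_info performs after the call.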