Bug 101427 - Off by one reading out of bounds in _jpeg_skip_segment
Summary: Off by one reading out of bounds in _jpeg_skip_segment
Product: cairo
Classification: Unclassified
Component: image backend
Version: unspecified
Hardware: All (OS: All)
Importance: medium normal
Assignee: Chris Wilson
QA Contact: cairo-bugs mailing list
Reported: 2017-06-14 18:55 UTC by foca@salesforce.com
Modified: 2017-06-15 11:48 UTC
Description foca@salesforce.com 2017-06-14 18:55:38 UTC
There is an off by one vulnerability in cairo, reading the jpeg headers of an image surface.

The vulnerability is at cairo-image-info.c:76:

 70 static const unsigned char *
 71 _jpeg_skip_segment (const unsigned char *p)
 72 {
 73     int len;
 75     p++;
 76     len = (p[0] << 8) | p[1];
 78     return p + len;
 79 }

The off by one happens while reading the variable p[1].

This function is called from line cairo-image-info.c:143:

140             if (p + 2 > data + length)
141                 return CAIRO_INT_STATUS_UNSUPPORTED;
143             p = _jpeg_skip_segment (p);
144             break;
145         }

The check here should be >= instead of >:
140             if (p + 2 >= data + length)

This is because in _jpeg_skip_segment 3 bytes are consumed (1 skipped and 2 read).

If an attacker could control p[1] then he could control how many bytes are skipped reading the jpeg segment. It doesn't look like this vulnerability has security implications since the function _cairo_image_info_get_jpeg_info is validating that the pointer is inside the bounds.
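A bounded version of the segment walk, added here as an illustration and not cairo's own code: the pre-fix and corrected predicates side by side, a skip routine that also requires the declared segment body to fit, and a walker run over two constructed byte strings (the function names and sample bytes are assumptions, not from the report).

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed samples, not cairo test vectors: SOI followed by marker segments
 * whose 2-byte length field counts itself. */
static const unsigned char good_jpeg[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0x41, 0x42,  /* SOI, APP0 len 4 (2 payload) */
    0xFF, 0xFE, 0x00, 0x02 };                        /* COM len 2 (empty payload) */
static const unsigned char truncated_jpeg[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0x41, 0x42,  /* SOI, APP0 as above */
    0xFF, 0xDB, 0x00 };                              /* DQT with 1 of 2 length bytes */
/* Bounds predicate before the fix: passes with the marker byte 2 bytes before the
 * end, although the skip reads marker[1] and marker[2] (one byte past the buffer). */
int header_check_old(size_t marker_off, size_t length) { return !(marker_off + 2 > length); }
/* Reporter's fix: the marker byte plus both length bytes must fit. */
int header_check_fixed(size_t marker_off, size_t length) { return !(marker_off + 2 >= length); }
/* Bounded counterpart of _jpeg_skip_segment; marker_off indexes the byte after 0xFF.
 * Stores the offset of the next 0xFF and returns 0, or -1 if the length field or
 * the declared body would run past the buffer. */
int jpeg_skip_segment_checked(const unsigned char *data, size_t length,
                              size_t marker_off, size_t *next) {
    if (!header_check_fixed(marker_off, length)) return -1;
    const unsigned char *p = data + marker_off + 1;           /* high length byte */
    size_t len = ((size_t)p[0] << 8) | p[1];
    if (len < 2 || marker_off + 1 + len > length) return -1;  /* body must fit too */
    *next = marker_off + 1 + len;
    return 0;
}
/* Walks the segments after SOI; returns how many were skipped, or -1 if the
 * stream is malformed or truncated. */
int jpeg_count_segments(const unsigned char *data, size_t length) {
    size_t off = 2, next;
    int count = 0;
    while (off + 1 < length) {
        if (data[off] != 0xFF) return -1;
        if (data[off + 1] == 0xFF) { off++; continue; }     /* fill byte */
        if (jpeg_skip_segment_checked(data, length, off + 1, &next) < 0) return -1;
        count++;
        off = next;
    }
    return count;
}

int main(void) {
    printf("good: %d, truncated: %d\n", jpeg_count_segments(good_jpeg, sizeof good_jpeg),
           jpeg_count_segments(truncated_jpeg, sizeof truncated_jpeg));
    printf("marker at 9 of 11: old check %d, fixed check %d\n",
           header_check_old(9, 11), header_check_fixed(9, 11));
    return 0;
}
```

In the truncated sample the DQT marker sits at offset 9 of 11 bytes: the old predicate lets the skip proceed and read offset 11, the corrected one rejects it.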
Comment 1 foca@salesforce.com 2017-06-14 19:12:35 UTC
This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
