FPII-2461 : Remote code execution vulnerability in libjpeg CVE-2016-6702 A-30259087
High
A remote code execution vulnerability in libjpeg could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses libjpeg.
Additional technical details:
A-30259087
A specially crafted JPEG file can be used to call jpeg_open_backing_store with a size larger than 2^32 leading to an integer overflow in ashmem, which could lead to the possibility of remote code execution.
The fix is designed to stop using ashmem to back up data arrays when the maximum memory usage value is reached.
Change-Id: Ia0782aca9fdfd178521f59bc3f1de6f649283ae4
diff --git a/Android.mk b/Android.mk
index b5905d1..aef244e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,21 +11,11 @@
jdinput.c jdmainct.c jdmarker.c jdmaster.c jdmerge.c jdphuff.c \
jdpostct.c jdsample.c jdtrans.c jerror.c jfdctflt.c jfdctfst.c \
jfdctint.c jidctflt.c jidctfst.c jidctint.c jidctred.c jquant1.c \
- jquant2.c jutils.c jmemmgr.c armv6_idct.S
+ jquant2.c jutils.c jmemmgr.c jmemnobs.c armv6_idct.S
-ifeq (,$(TARGET_BUILD_APPS))
-# building against master
-# use ashmem as libjpeg decoder's backing store
-LOCAL_CFLAGS += -DUSE_ANDROID_ASHMEM
-LOCAL_SRC_FILES += \
- jmem-ashmem.c
-else
-# unbundled branch, built against NDK.
-LOCAL_SDK_VERSION := 17
-# the original android memory manager.
-# use sdcard as libjpeg decoder's backing store
-LOCAL_SRC_FILES += \
- jmem-android.c
+ifneq (,$(TARGET_BUILD_APPS))
+ # unbundled branch, built against NDK.
+ LOCAL_SDK_VERSION := 17
endif
LOCAL_CFLAGS += -DAVOID_TABLES
diff --git a/jmem-android.c b/jmem-android.c
deleted file mode 100644
index 5da4d0a..0000000
--- a/jmem-android.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/*
- * Copyright (C) 2007-2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define JPEG_INTERNALS
-#include "jinclude.h"
-#include "jpeglib.h"
-#include "jmemsys.h" /* import the system-dependent declarations */
-
-#ifndef HAVE_STDLIB_H /* <stdlib.h> should declare malloc(),free() */
-extern void * malloc JPP((size_t size));
-extern void free JPP((void *ptr));
-#endif
-
-#ifndef SEEK_SET /* pre-ANSI systems may not define this; */
-#define SEEK_SET 0 /* if not, assume 0 is correct */
-#endif
-
-
-/*
- * Memory allocation and freeing are controlled by the regular library
- * routines malloc() and free().
- */
-
-GLOBAL(void *)
-jpeg_get_small (j_common_ptr cinfo, size_t sizeofobject)
-{
- return (void *) malloc(sizeofobject);
-}
-
-GLOBAL(void)
-jpeg_free_small (j_common_ptr cinfo, void * object, size_t sizeofobject)
-{
- free(object);
-}
-
-
-/*
- * "Large" objects are treated the same as "small" ones.
- * NB: although we include FAR keywords in the routine declarations,
- * this file won't actually work in 80x86 small/medium model; at least,
- * you probably won't be able to process useful-size images in only 64KB.
- */
-
-GLOBAL(void FAR *)
-jpeg_get_large (j_common_ptr cinfo, size_t sizeofobject)
-{
- return (void FAR *) malloc(sizeofobject);
-}
-
-GLOBAL(void)
-jpeg_free_large (j_common_ptr cinfo, void FAR * object, size_t sizeofobject)
-{
- free(object);
-}
-
-
-/*
- * This routine computes the total memory space available for allocation.
- * It's impossible to do this in a portable way; our current solution is
- * to make the user tell us (with a default value set at compile time).
- * If you can actually get the available space, it's a good idea to subtract
- * a slop factor of 5% or so.
- */
-
-#ifndef DEFAULT_MAX_MEM /* so can override from makefile */
-#define DEFAULT_MAX_MEM 10000000L /* default: ten megabyte */
-#endif
-
-GLOBAL(long)
-jpeg_mem_available (j_common_ptr cinfo, long min_bytes_needed,
- long max_bytes_needed, long already_allocated)
-{
- return cinfo->mem->max_memory_to_use - already_allocated;
-}
-
-
-/*
- * Backing store (temporary file) management.
- * Backing store objects are only used when the value returned by
- * jpeg_mem_available is less than the total space needed. You can dispense
- * with these routines if you have plenty of virtual memory; see jmemnobs.c.
- */
-
-
-METHODDEF(void)
-read_backing_store (j_common_ptr cinfo, backing_store_ptr info,
- void FAR * buffer_address,
- long file_offset, long byte_count)
-{
- if (fseek(info->temp_file, file_offset, SEEK_SET))
- ERREXIT(cinfo, JERR_TFILE_SEEK);
- if (JFREAD(info->temp_file, buffer_address, byte_count)
- != (size_t) byte_count)
- ERREXIT(cinfo, JERR_TFILE_READ);
-}
-
-
-METHODDEF(void)
-write_backing_store (j_common_ptr cinfo, backing_store_ptr info,
- void FAR * buffer_address,
- long file_offset, long byte_count)
-{
- if (fseek(info->temp_file, file_offset, SEEK_SET))
- ERREXIT(cinfo, JERR_TFILE_SEEK);
- if (JFWRITE(info->temp_file, buffer_address, byte_count)
- != (size_t) byte_count)
- ERREXIT(cinfo, JERR_TFILE_WRITE);
-}
-
-
-METHODDEF(void)
-close_backing_store (j_common_ptr cinfo, backing_store_ptr info)
-{
- fclose(info->temp_file);
- /* Since this implementation uses tmpfile() to create the file,
- * no explicit file deletion is needed.
- */
-}
-
-static FILE* getTempFileFromPath(const char * path) {
- FILE * fd = fopen(path, "w+");
- unlink(path);
- return fd;
-}
-
-static FILE* getTempFile() {
- char path[1024];
- snprintf(path, 1023, "/sdcard/.%d.tmp", getpid());
- FILE * fd = getTempFileFromPath(path);
- if (fd == NULL) {
- // anywhere else we can create a temp file?
- // snprintf(path, 1023, "/data/data/.%d.tmp", getpid());
- // fd = getTempFileFromPath(path);
- }
- return fd;
-}
-
-/*
- * Initial opening of a backing-store object.
- *
- * This version uses tmpfile(), which constructs a suitable file name
- * behind the scenes. We don't have to use info->temp_name[] at all;
- * indeed, we can't even find out the actual name of the temp file.
- */
-
-GLOBAL(void)
-jpeg_open_backing_store (j_common_ptr cinfo, backing_store_ptr info,
- long total_bytes_needed)
-{
- if ((info->temp_file = getTempFile()) == NULL)
- ERREXITS(cinfo, JERR_TFILE_CREATE, "");
- info->read_backing_store = read_backing_store;
- info->write_backing_store = write_backing_store;
- info->close_backing_store = close_backing_store;
-}
-
-
-/*
- * These routines take care of any system-dependent initialization and
- * cleanup required.
- */
-
-GLOBAL(long)
-jpeg_mem_init (j_common_ptr cinfo)
-{
- return DEFAULT_MAX_MEM; /* default for max_memory_to_use */
-}
-
-GLOBAL(void)
-jpeg_mem_term (j_common_ptr cinfo)
-{
- /* no work */
-}
diff --git a/jmem-ashmem.c b/jmem-ashmem.c
deleted file mode 100644
index 0c35715..0000000
--- a/jmem-ashmem.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * Copyright (C) 2007-2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define JPEG_INTERNALS
-#include "jinclude.h"
-#include "jpeglib.h"
-#include "jmemsys.h" /* import the system-dependent declarations */
-
-#include <cutils/ashmem.h>
-#include <unistd.h>
-#include <sys/mman.h>
-
-#ifndef HAVE_STDLIB_H /* <stdlib.h> should declare malloc(),free() */
-extern void * malloc JPP((size_t size));
-extern void free JPP((void *ptr));
-#endif
-
-/*
- * Memory allocation and freeing are controlled by the regular library
- * routines malloc() and free().
- */
-
-GLOBAL(void *)
-jpeg_get_small (j_common_ptr cinfo, size_t sizeofobject)
-{
- return (void *) malloc(sizeofobject);
-}
-
-GLOBAL(void)
-jpeg_free_small (j_common_ptr cinfo, void * object, size_t sizeofobject)
-{
- free(object);
-}
-
-
-/*
- * "Large" objects are treated the same as "small" ones.
- * NB: although we include FAR keywords in the routine declarations,
- * this file won't actually work in 80x86 small/medium model; at least,
- * you probably won't be able to process useful-size images in only 64KB.
- */
-
-GLOBAL(void FAR *)
-jpeg_get_large (j_common_ptr cinfo, size_t sizeofobject)
-{
- return (void FAR *) malloc(sizeofobject);
-}
-
-GLOBAL(void)
-jpeg_free_large (j_common_ptr cinfo, void FAR * object, size_t sizeofobject)
-{
- free(object);
-}
-
-/*
- * This routine computes the total memory space available for allocation.
- * It's impossible to do this in a portable way; our current solution is
- * to make the user tell us (with a default value set at compile time).
- * If you can actually get the available space, it's a good idea to subtract
- * a slop factor of 5% or so.
- */
-
-#ifndef DEFAULT_MAX_MEM /* so can override from makefile */
-#define DEFAULT_MAX_MEM 10000000L /* default: ten megabyte */
-#endif
-
-GLOBAL(long)
-jpeg_mem_available (j_common_ptr cinfo, long min_bytes_needed,
- long max_bytes_needed, long already_allocated)
-{
- return cinfo->mem->max_memory_to_use - already_allocated;
-}
-
-
-/*
- * Backing store (temporary file) management.
- * Backing store objects are only used when the value returned by
- * jpeg_mem_available is less than the total space needed. You can dispense
- * with these routines if you have plenty of virtual memory; see jmemnobs.c.
- */
-
-METHODDEF(void)
-read_backing_store (j_common_ptr cinfo, backing_store_ptr info,
- void FAR * buffer_address,
- long file_offset, long byte_count)
-{
- memmove(buffer_address, info->addr + file_offset, byte_count);
-}
-
-
-METHODDEF(void)
-write_backing_store (j_common_ptr cinfo, backing_store_ptr info,
- void FAR * buffer_address,
- long file_offset, long byte_count)
-{
- memmove(info->addr + file_offset, buffer_address, byte_count);
-}
-
-
-METHODDEF(void)
-close_backing_store (j_common_ptr cinfo, backing_store_ptr info)
-{
- munmap(info->addr, info->size);
- close(info->temp_file);
-}
-
-LOCAL(int)
-get_ashmem(backing_store_ptr info, long total_bytes_needed)
-{
- char path[1024];
- // FIXME: Does this name need to be unique? What happens if two jpegs
- // are being decoded simultaneously in the same process?
- snprintf(path, 1023, "%d.tmp.ashmem", getpid());
- int fd = ashmem_create_region(path, total_bytes_needed);
- if (fd == -1) {
- return -1;
- }
- int err = ashmem_set_prot_region(fd, PROT_READ | PROT_WRITE);
- if (err) {
- close(fd);
- return -1;
- }
- void* addr = mmap(NULL, total_bytes_needed, PROT_READ | PROT_WRITE,
- MAP_PRIVATE, fd, 0);
- if (-1 == (long) addr) {
- close(fd);
- return -1;
- }
- info->addr = addr;
- info->size = total_bytes_needed;
- info->temp_file = fd;
- return fd;
-}
-
-/*
- * Initial opening of a backing-store object.
- * This version uses ashmem to get a shared memory of total-bytes_needed.
- */
-
-GLOBAL(void)
-jpeg_open_backing_store (j_common_ptr cinfo, backing_store_ptr info,
- long total_bytes_needed)
-{
- if (get_ashmem(info, total_bytes_needed) == -1)
- ERREXITS(cinfo, JERR_TFILE_CREATE, "");
- info->read_backing_store = read_backing_store;
- info->write_backing_store = write_backing_store;
- info->close_backing_store = close_backing_store;
-}
-
-/*
- * These routines take care of any system-dependent initialization and
- * cleanup required.
- */
-
-GLOBAL(long)
-jpeg_mem_init (j_common_ptr cinfo)
-{
- return DEFAULT_MAX_MEM; /* default for max_memory_to_use */
-}
-
-GLOBAL(void)
-jpeg_mem_term (j_common_ptr cinfo)
-{
- /* no work */
-}