Josh Aas Reporter
	Description • 8 years ago

When a jpeg file does not provide enough data, the buffer is filled with zero bits (function jpeg_fill_bit_buffer() in jdhuff.c). A probable goal of this behavior is to make the display of incomplete/corrupted images possible. An attacker can exploit this to cause a memory exhaustion on the system. This leads to a OOM kill4 of the application responsible for opening the malicious image. It is possible to create a 102-byte file expandable to 760884499 bytes of data. (Note that a use of higher dimensions has even led to 12GB result, though the file was ignored by relevant applications). By including the image several times in a website, it was possible to get Firefox closed by the Linux OOM killer. Similarly, the Xorg-Server5 was killed during the tests. All in all, this case leads to any window application being closed, thus signifying a possibility of data loss with regard to unsaved data.

The following perl script generates a file with the dimensions of 0x4040 * 0x3c3c pixels. No image data is provided, which makes it possible to cause a high memory usage without providing much data.

[Will attach perl script]

The decoder throws a JWRN_HIT_MARKER warning (Corrupt JPEG data: premature end of data segment) but continues decoding the file. It uses zero bits leading to a high memory exhaustion, which generally depends on the given dimensions.

Test1: Display the image several times on a web page:

for($i=0; $i<40; $i++)
{
    echo '<img width="100px" height="100px" src="oom.jpg?'.$i.'">;
}

Test2: Keep refreshing the page with only a few images:

<html>
    <head>
    </head>
    <body>
        <script>
            setInterval(function(){  location.reload();  }, 200);
        </script>
        <img src="oom.jpg">
        <img src="oom.jpg">
        <img src="oom.jpg">
    </body>
</html>

This issue was reproduced on an up-to-date ArchLinux6, running on both a Laptop with 8GB memory, and a PC with 32GB memory. Further tests succeeded to verify the vulnerability on Ubuntu 14.04, Android/Chrome and ios/Safari. Exploitation (i.e. crashing the browser) was found to be more difficult with swap space enabled.
Its is recommended to treat the JWRN_HIT_MARKER warning as an error and abort the decompression in case that too much data is missing in relation to the image dimensions specified.

	DRC
	Comment 1 • 8 years ago

NOTE:  The bug description above is largely cribbed from a recent security audit report by Cure53.  I asked Josh to post it as a Mozilla bug in order to get input from other developers, since I don't quite know how to solve it upstream without breaking backward compatibility with the libjpeg API.  The bug affects Firefox (see below.)

LJT-01-004:  Pathological JPEG causes decoder to use huge amounts of memory (affects libjpeg and all derivatives thereof)

Much the same could be said about this issue as was said about LJT-01-003 (https://bugzilla.mozilla.org/show_bug.cgi?id=1252196).  It's again a case in which the default behavior of the underlying libjpeg API is to ignore warnings rather than treat them as errors.  On the surface, this issue seems to be specific to libjpeg-turbo, whereas 1252196 can be readily reproduced with libjpeg.  However, this is only because, in libjpeg-turbo 1.4.x, the Huffman decoder began using the default Huffman tables if a particular JPEG file didn't include such tables (this was to allow motion-JPEG frames to be decompressed.)  Thus, when attempting to decode the JPEG file that the Cure53 Perl script generates, libjpeg produces the following error:

  Huffman table 0x00 was not defined

However, it is straightforward to generate a similar bogus JPEG image that contains Huffman tables (see test004.c attached), and this new image will readily cause the same OOM issue to occur in libjpeg.

I have no idea how to fix this.  As with 1252196, fixing this issue would probably require changes to the underlying algorithms, because changing the default libjpeg API behavior such that it treats warnings as errors would create a backward incompatibility.

To elaborate on why making warnings fatal by default isn't a very palatable solution:

libjpeg has traditionally (and by "traditionally", I mean since the early 90's) handled warnings by calling emit_message() in the error handler but continuing to process the image.  Lots of programs (particularly image viewers and such) rely on this behavior, because it allows them to decode as much of a corrupt image as possible.  However, as pointed out by the Cure53 report, it also opens a couple of exploits (this one and 1252196.)  Changing the default behavior would effectively change the behavior of the libjpeg API, because it would cause that API to call back the error_exit() function in the error handler when a warning is encountered, instead of the emit_message() function.

Any program is already free to make warnings fatal, simply by implementing its own error handler and causing any call to emit_message() to trigger the same application behavior as error_exit().  However, most programs don't do that.  Most programs either use the "stock" error handler (jpeg_std_error()) or write their own that doesn't treat warnings as fatal, so most programs will be affected by this issue.  Thus, it would be very desirable to craft a fix that works around the issue in such a way that

(a) The default behavior of the libjpeg API is unchanged (thus, applications won't suddenly discover that error_exit() is being called when it previously wasn't.)

(b) All applications receive the fix, regardless of whether they are using a custom error handler or the default one.

	DRC
	Comment 3 • 8 years ago

NOTE: The symptoms of this issue manifest in Firefox as follows:

Take the image generated by test004 (oom.jpg) and open it in Firefox using the appropriate file:/// URL.  On my machine, this causes the browser's memory usage to increase by about 1 GB, so it is pretty easy to generate a web page with multiple copies of the image and make the browser consume all available memory, as described in Josh's comment above.  However, in this case, closing the tab does restore things to normal.  The main danger here is that, if the ballooning memory usage causes the filesystem cache to thrash, the O/S could become unusable until the user force-quits all running applications, which may cause them to lose their work.  As the Cure53 report points out, this is mostly a danger under Un*x, as OS X and Windows generally do a better job of recovering from memory exhaustion.

	Josh Aas Reporter
	Comment 4 • 8 years ago

I'm not sure we can have our cake and eat it as well here, though I'm obviously not intimately familiar with the implementation details of libjpeg-turbo.

It seems to me that if we want to fix the insecure behavior for as many folks as possible we'd need libjpeg-turbo to break backwards compat and treat warnings as errors. If we end up feeling that breaking backwards compat is necessary then calling error_exit() in the default handler obviously won't fix things for people with custom handlers, but I'm not sure how we could fix things for them without essentially ignoring the handlers (I just don't know enough about the handler impl, maybe DRC knows a way).

Is there a way to limit the breakage by only doing error_exit() for certain more dangerous types of errors?

The only other alternative I can think of is to use the API extension mechanism to introduce a flag toggling behavior for the default handler. You could do it either way - break backwards compat and let people restore it easily with the flag, or leave backwards compat and let people get the secure behavior by setting the flag.

	DRC
	Comment 5 • 8 years ago

(In reply to Josh Aas from comment #4)
> It seems to me that if we want to fix the insecure behavior for as many
> folks as possible we'd need libjpeg-turbo to break backwards compat and
> treat warnings as errors. If we end up feeling that breaking backwards
> compat is necessary then calling error_exit() in the default handler
> obviously won't fix things for people with custom handlers, but I'm not sure
> how we could fix things for them without essentially ignoring the handlers
> (I just don't know enough about the handler impl, maybe DRC knows a way).

I'm hoping that maybe there's a way to fix this algorithmically so that the codec detects this specific situation and trips an error, but I may be dreaming.  I don't know whether there may be some specified limit to the number of scans in a progressive Huffman or arithmetic file, but the file generated by test003.c has about 800,000 scans.  That definitely seems excessive.  :)

Also, the last sentence in the Cure53 description says:  "if error tolerance is desired here, skip the decoding of bogus scans that do not supply additional information."  That seems like a winning idea, but I'm not sure how to do it.

> Is there a way to limit the breakage by only doing error_exit() for certain
> more dangerous types of errors?

These are the warnings that are generated (many many times) with this particular bug:

If using progressive Huffman:
jdhuff.c:380 -- Corrupt JPEG data: premature end of data segment (JWRN_HIT_MARKER)
(appears always)
jdphuff.c:143 -- Inconsistent progression sequence for component 0 coefficient 0 (JWRN_BOGUS_PROGRESSION)
(appears only if using either the first or second sos[] value in test003.c)
jdphuff.c:147 -- Inconsistent progression sequence for component 0 coefficient 1 (JWRN_BOGUS_PROGRESSION)
(appears only if using either the first or third sos[] value in test003.c)

If using arithmetic:
jdarith.c:663 -- Inconsistent progression sequence for component 0 coefficient 0 (JWRN_BOGUS_PROGRESSION)
(appears if using the first or second sos[] value in test003.c)
jdarith.c:667 -- Inconsistent progression sequence for component 0 coefficient 1 (JWRN_BOGUS_PROGRESSION)
(appears if using the first or third sos[] value in test003.c)

Note that if using the fourth value of sos[], along with arithmetic coding, *no* warning appears (ugh.)  That may not matter for Mozilla, since you guys aren't using arithmetic decoding, but from the point of view of fixing this in libjpeg-turbo, it seems that we can't always rely on warnings to tell us that this bug is occurring.  Yet another reason why an algorithmic solution is desirable.

Also, treating the JWRN_HIT_MARKER warning at 380:jdhuff.c as an error would really defeat the purpose of fault tolerance-- that is, it's probably going to be that warning that is encountered most often when an image viewer tries to decode a corrupt JPEG, and it wants to display as much of the image as possible.

> The only other alternative I can think of is to use the API extension
> mechanism to introduce a flag toggling behavior for the default handler. You
> could do it either way - break backwards compat and let people restore it
> easily with the flag, or leave backwards compat and let people get the
> secure behavior by setting the flag.

We might have to resort to that.  If we did, then it would mean that applications wouldn't automatically inherit the fix, but maybe that's OK, because it seems like this is mainly going to be a concern for browsers and such.  Standalone image viewers/editors/converters will probably want to keep the existing behavior, so they can decode as much of the corrupt JPEG as possible, and if someone tries to run this pathological 800,000-scan JPEG through ImageMagick, they'll wait 30 seconds and CTRL-C it, so no harm done.

If we modified the behavior of the default emit_message() function, that should catch *most* applications.  Even if an application uses its own error manager, it's very rare for it to override emit_message(), and if it does, then it will be its responsibility to decide whether to treat warnings as errors or not.

For this specific bug, it would even be possible to set a warning limit-- even something as high as 100-- after which warnings would be treated with errors.  However, that wouldn't fix the other bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1252196 AKA LJT-01-004), because that other bug only causes one warning to be triggered (JWRN_HIT_MARKER at 380:jdhuff.c.)

	DRC
	Comment 6 • 8 years ago

(NOTE: I just noticed that I got my bugs mixed up.  I was mostly talking about LJT-01-003 in the above comment, which is the other bug-- https://bugzilla.mozilla.org/show_bug.cgi?id=1252196).  This bug is LJT_01-004.)