https://bugs.winehq.org/show_bug.cgi?id=56590

Bug ID: 56590 Summary: Buffer Overflow in jpeg_decoder_initialize Product: Wine Version: 9.7 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: major Priority: P2 Component: windowscodecs Assignee: wine-bugs@winehq.org Reporter: franco@blackwinghq.com Distribution: ---

The vulnerable jpeg_decoder_initialize function in file libjpeg.c (https://github.com/wine-mirror/wine/blob/master/dlls/windowscodecs/libjpeg.c...) is used to decompress jpegs and create a raw bitmap version of the image.

In jpeg_decoder_initialize, the values for cinfo.output_width and cinfo.output_height are retrieved directly from a jpeg file's header.

cinfo.output_width and cinfo.output_height can be manipulated by editing the header of the jpeg file being processed. They are two bytes each in the image's header so their values can range from 0x0000 to 0xFFFF. These variables are multiplied with frame.bpp.

When these three values are multiplied together they can exceed the limit of a 32-bit unsigned integer, leading to an integer overflow vulnerability. This product is used to set the size of the image_data buffer, which will store the decompressed jpeg (https://github.com/wine-mirror/wine/blob/master/dlls/windowscodecs/libjpeg.c...). When the sizing arguments overflow, the buffer becomes too small to store the decompressed data.

The program writes the decompressed image to the buffer using the jpeg_read_scanlines function. The function ends up writing to out-of-bounds memory due to the buffer’s small size (https://github.com/wine-mirror/wine/blob/master/dlls/windowscodecs/libjpeg.c...). This causes data in memory adjacent to the buffer to be overwritten.

An attacker is in control of the image's height, width, and contents. This allows an attacker to craft an exploit to overwrite data in memory with data they control.