CVE-2018-13030
Description
A stack-based buffer overflow in stb_image.c's build_huffman function in jpeg-compressor v0.1 allows denial of service via crafted JPEG files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in stb_image.c's build_huffman function in jpeg-compressor v0.1 allows denial of service via crafted JPEG files.
Vulnerability
A global buffer overflow vulnerability exists in the build_huffman function within stb_image.c of jpeg-compressor version 0.1. The flaw occurs when a specially crafted JPEG image is processed, leading to a read of size 4 from a global buffer beyond its allocated bounds. The issue is triggered at line 1120 in extend_receive and cascades through decode_block and parse_entropy_coded_data. The affected versions include jpeg-compressor v0.1 [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious JPEG file to the encoder binary. The proof-of-concept crash file is named crash_global_buffer_overflow. When executed with the command ./encoder ./crash_global_buffer_overflow 1.jpeg 50, the program crashes due to the global buffer overflow. No authentication or special network access is required; the attack vector is local file processing [1].
Impact
Successful exploitation results in a denial of service (application crash). The AddressSanitizer report confirms a global-buffer-overflow with a READ of size 4. While the description mentions possibly other unspecified impact, the reference only confirms the crash. The attacker gains no additional privileges or data access beyond causing the program to terminate abnormally [1].
Mitigation
As of the publication date (2018-06-30), no official fix or patched version has been released for jpeg-compressor v0.1. Users should avoid processing untrusted JPEG files with this library until a patch is made available. The project appears to be unmaintained, so alternative JPEG decoding libraries should be considered [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
20.1+ 1 more
- (no CPE)range: 0.1
- (no CPE)range: =0.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"A stack-based buffer overflow occurs in the build_huffman function due to improper handling of input data."
Attack vector
A remote attacker can trigger this vulnerability by providing a crafted JPEG file to the jpeg-compressor application. The application then processes this file, leading to the buffer overflow in the build_huffman function. This can result in a denial of service through an application crash or potentially other unspecified impacts [ref_id=1].
Affected code
The vulnerability is located in the build_huffman function within the file stb_image.c. The crash occurs at line 1005:23 during the execution of build_huffman, which is called indirectly by stbi_load [ref_id=1].
What the fix does
The provided bundle does not contain information about a patch or specific remediation steps. Therefore, the advisory does not specify how the vulnerability is fixed. The vulnerability lies within the build_huffman function in stb_image.c [ref_id=1].
Preconditions
- inputA specially crafted JPEG file must be provided as input to the application.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/fouzhe/security/tree/master/jpeg-compressormitrex_refsource_MISC
- github.com/kornelski/jpeg-compressor/issues/12mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.