CVE-2021-39517

Vulnerability

In libjpeg through commit e52406 (2020021), a NULL pointer dereference exists in the function BlockBitmapRequester::ReconstructUnsampled() located in blockbitmaprequester.cpp. The vulnerability can be triggered when processing malformed JPEG data that causes invalid markers (e.g., missing SOS and EOI markers) as reported in the issue tracker [1]. Affected versions include the master branch up to and including commit e52406.

Exploitation

An attacker can exploit this issue by supplying a specially crafted JPEG file to the libjpeg command-line tool (e.g., ./jpeg -oz -h -s 1x1,2x2,2x2 @@ /dev/null). The tool, when processing the malformed stream, hits a code path where a pointer is dereferenced without a proper NULL check, leading to a segmentation fault as shown by AddressSanitizer [1]. No special privileges are required; the attacker only needs to deliver the malicious file to the victim system.

Impact

Successful exploitation results in a denial of service (DoS) due to the segmentation fault, crashing the application. The crash is caused by dereferencing a NULL pointer at address 0x000000000000, indicating immediate termination of the process [1].

Mitigation

The issue was reported in the public issue tracker [1] but as of the publication date (2021-09-20), no patched version or official fix has been released. Users should consider using alternative JPEG libraries or applying a manual fix by adding a NULL pointer check in BlockBitmapRequester::ReconstructUnsampled() before dereferencing. The software may be at end of life; verify with the vendor for updates.