CVE-2021-39520

Vulnerability

A NULL pointer dereference vulnerability exists in libjpeg through commit 2020021 (latest master e52406). The bug resides in the function BlockBitmapRequester::PushReconstructedData() in blockbitmaprequester.cpp:1182 [1]. When processing a malformed JPEG stream with specific command-line options (-oz -h -s 1x1,2x2,2x2 @@), a null pointer is dereferenced, causing a segmentation fault [1].

Exploitation

An attacker can trigger the vulnerability by providing a specially crafted JPEG file that causes the decoder to enter an out‑of‑sync state, as indicated by the warning "expecting a marker or marker segment - stream is out of sync" [1]. The attack requires the victim to run the jpeg tool on the crafted file with the flags -oz -h -s 1x1,2x2,2x2 @@ (or a similar invocation that reaches the affected code path) [1]. No authentication or network access is needed; local execution of the tool on the malicious file is sufficient.

Impact

Successful exploitation leads to a denial of service via application crash. The crash results from a segmentation fault due to dereferencing a NULL pointer [1]. The impact is limited to availability; no evidence of code execution or information disclosure is provided in the available references.

Mitigation

As of the publication date (2021‑09‑20), no official patch or fixed version has been released by the maintainers. The issue is tracked in the project’s issue tracker [1]. Users should avoid processing untrusted JPEG files with the affected command‑line options until a fix is available.