Unrated severity · NVD Advisory · Published Feb 8, 2022 · Updated Aug 4, 2024

CVE-2021-44956

Description

Two heap-based buffer overflow vulnerabilities exist in ffjpeg through 01.01.2021. They are similar to CVE-2020-23852. The issues, located in the jfif_decode function at ffjpeg/src/jfif.c (line 552), could cause a denial of service via a crafted JPEG file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ffjpeg through 01.01.2021 has two heap-buffer-overflows in jfif_decode() at jfif.c:552, allowing DoS via crafted JPEG.

Vulnerability

Two heap-based buffer overflow vulnerabilities exist in the jfif_decode function at ffjpeg/src/jfif.c, line 552 (columns 31 and 38, reported as 552:31 and 552:38), in ffjpeg through 01.01.2021 (commit 0fa4cf8a86). The issues occur when processing a crafted JPEG file and lead to out-of-bounds memory reads. This vulnerability is similar to CVE-2020-23852 [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted JPEG file to the ffjpeg decoder. No authentication or special privileges are required; the attack is remote when the user decodes the malicious file using the ffjpeg -d command. The proof-of-concept files decode_poc1 and decode_poc2 trigger the overflow by causing a read of size 4 at an address adjacent to a 1-byte heap buffer allocated in jfif_decode at line 443 [1].

Impact

Successful exploitation results in a heap-buffer-overflow, which typically leads to a denial of service (crash). The AddressSanitizer output confirms a READ of size 4 at an invalid memory location, causing the program to terminate. In a production environment, this could be used to disrupt service availability [1].

Mitigation

As of the publication date (2022-02-08), no fixed version has been released by the vendor. The maintainer of ffjpeg has not responded to the issue report on GitHub [1]. Users are advised to avoid decoding untrusted JPEG files with ffjpeg until a patch is made available. There is no known workaround.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
