
Full Disclosure mailing list archives
DjVuLibre 3.5.29 ZPCodec Unsigned Integer Overflow in Arithmetic Encoding
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 6 Sep 2025 03:32:57 -0400
The DjVuLibre document compression library (tested version 3.5.29) contains multiple instances of unsigned integer overflow in the ZPCodec.cpp component. During arithmetic encoding operations (e.g., zemit, encode_lps, encode_lps_simple, eflush), crafted input can cause arithmetic wraparound (0-1, 1-2, or value+UINT_MAX). These operations rely on precise probability modeling for entropy encoding, and wraparound corrupts encoder state. An attacker can supply malicious input to c44 that triggers underflow, leading to incorrect buffer writes, memory corruption, or crashes.

*Impact:*
- Crash confirmed with UBSan.
- Potential for corrupted encoded output, incorrect memory access, or exploitable memory corruption.
- High risk in systems processing untrusted PPM/DjVu input.

*Proof of Concept:*

    convert -size 1000x1000 gradient: overflow.ppm
    ASAN_OPTIONS=detect_leaks=0,abort_on_error=1 \
    UBSAN_OPTIONS=print_stacktrace=1 \
    ./tools/c44 overflow.ppm out.djvu

*Sanitizer Output:*

    ZPCodec.cpp:1030:18: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ZPCodec.cpp:1030:18

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
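The wraparound shapes the advisory names (0-1, 1-2, value+UINT_MAX) and the bounds check that refuses them, as an added illustration that is not DjVuLibre's or the author's code; `update_state_checked` is a hypothetical model of a decrement that must not go below zero, not ZPCodec's own logic. Clang's UBSan flag `-fsanitize=unsigned-integer-overflow` is what reports the first kind of arithmetic as a runtime error, as in the output above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Plain unsigned arithmetic wraps modulo 2^32; these two helpers only make
 * the wraparound the advisory reports (0-1, 1-2, value+UINT_MAX) visible. */
unsigned int wrapping_sub(unsigned int a, unsigned int b) { return a - b; }
unsigned int wrapping_add(unsigned int a, unsigned int b) { return a + b; }

/* Checked variants: report failure instead of wrapping. Written portably
 * (no compiler builtins) so they behave the same on every compiler. */
bool checked_sub_u32(unsigned int a, unsigned int b, unsigned int *out)
{
    if (b > a)
        return false;          /* a - b would wrap below zero */
    *out = a - b;
    return true;
}

bool checked_add_u32(unsigned int a, unsigned int b, unsigned int *out)
{
    if (b > UINT_MAX - a)
        return false;          /* a + b would exceed UINT_MAX */
    *out = a + b;
    return true;
}

/* Hypothetical model of an encoder state variable that must never go below
 * zero (constructed for this example, not ZPCodec's code). Returns false and
 * leaves the state untouched when the decrement would wrap, so the caller
 * can reject the input instead of continuing with a corrupted state. */
bool update_state_checked(unsigned int *state, unsigned int delta)
{
    unsigned int next;
    if (!checked_sub_u32(*state, delta, &next))
        return false;
    *state = next;
    return true;
}

int main(void)
{
    unsigned int state = 0;
    printf("0 - 1 wraps to %u\n", wrapping_sub(0, 1));
    printf("5 + UINT_MAX wraps to %u\n", wrapping_add(5, UINT_MAX));
    printf("checked decrement of 0 is %s\n",
           update_state_checked(&state, 1) ? "accepted" : "rejected");
    return 0;
}
```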