DjVuLibre 3.5.29 ZPCodec Unsigned Integer Overflow in Arithmetic Encoding

[Ron E <ronaldjedgerson () gmail com>]

The DjVuLibre document compression library (tested version 3.5.29) contains
multiple instances of unsigned integer overflow in the ZPCodec.cpp
component. During arithmetic encoding operations (e.g., zemit, encode_lps,
encode_lps_simple, eflush), crafted input can cause arithmetic wraparound
(0-1, 1-2, or value+UINT_MAX). These operations rely on precise probability
modeling for entropy encoding, and wraparound corrupts encoder state. An
attacker can supply malicious input to c44 that triggers underflow, leading
to incorrect buffer writes, memory corruption, or crashes.


*Impact:*

   - Crash confirmed with UBSan.
   - Potential for corrupted encoded output, incorrect memory access, or
   exploitable memory corruption.
   - High risk in systems processing untrusted PPM/DjVu input.


*Proof of Concept:*

convert -size 1000x1000 gradient: overflow.ppm

ASAN_OPTIONS=detect_leaks=0,abort_on_error=1 \

UBSAN_OPTIONS=print_stacktrace=1 \

./tools/c44 overflow.ppm out.djvu


*Sanitizer Output:*

ZPCodec.cpp:1030:18: runtime error: unsigned integer overflow: 0 - 1 cannot
be represented in type 'unsigned int'

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ZPCodec.cpp:1030:18
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/