Security Audit of libjpeg-turbo

X41 performed a source code audit of libjpeg-turbo, an accelerated JPEG library, sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the development team addressed the issues identified.

Full report of the security audit:
https://www.x41-dsec.de/static/reports/X41-OSTIF-libjpegturbo-Audit-20230712-Public.pdf

Audit Results

X41 discovered a total of two vulnerabilities during the audit, both of them through fuzz testing. Both vulnerabilities were rated as low severity. One additional informational issue was identified as well.

The identified low severity issues are an out-of-bounds write in the tj3Transform() JPEG transformation component and an out-of-bounds read in the 2:1 upsampling code. The former occurs if the destination buffer passed to the function is pre-allocated by the user and the function is instructed not to resize it. In that case the buffer size is overwritten with a maximum value computed by tj3JPEGBufSize() from the untransformed width and height:

    if (this->noRealloc) {
      /* caller-supplied buffer: no reallocation, size taken from the source dimensions */
      alloc = FALSE;
      dstSizes[i] = tj3JPEGBufSize(w, h, this->subsamp);
    }

If the image is, for example, rotated by 90 or 270 degrees, width and height are swapped in the output, and tj3JPEGBufSize() returns a different result for the transposed dimensions than for the original ones. The recorded size therefore does not match the space the transformed output can actually need.
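To make the size mismatch concrete, the following added example (written for this post, not code from the report or from libjpeg-turbo) reproduces the effect with a stand-in worst-case size function modelled on libjpeg-turbo's MCU-padding approach: the padded width times the padded height, times a per-pixel bound, plus a fixed slack. The enum names, the MCU table and the constants are assumptions for illustration and are not the library's own identifiers. Because MCUs are not square under 4:2:2 or 4:4:0 subsampling, padding a 17x8 image and padding its 8x17 transpose give different areas, so a buffer sized for the source dimensions can be too small for the rotated output. The last function shows the check a caller would want before handing a pre-allocated buffer to a transposing transform.

```c
#include <stdio.h>
#include <stddef.h>

/* Chroma subsampling modes; constructed stand-ins, not libjpeg-turbo's enum. */
enum subsamp { SAMP_444, SAMP_422, SAMP_420, SAMP_GRAY, SAMP_440, SAMP_411, SAMP_441 };

/* Lossless transform operations; constructed stand-ins, not the library's enum. */
enum xop { OP_NONE, OP_HFLIP, OP_VFLIP, OP_TRANSPOSE, OP_TRANSVERSE,
           OP_ROT90, OP_ROT180, OP_ROT270 };

/* MCU dimensions per subsampling mode, indexed by enum subsamp (assumed table). */
static const size_t mcu_w[] = { 8, 16, 16, 8, 8, 32, 8 };
static const size_t mcu_h[] = { 8, 8, 16, 8, 16, 8, 32 };

/* Round x up to the next multiple of m. */
static size_t pad(size_t x, size_t m) { return (x + m - 1) / m * m; }

/* Worst-case compressed size for a w x h image at subsampling s.
   Stand-in modelled on the MCU-padding approach: padded area times a
   per-pixel byte bound (2 for luma plus the chroma share), plus 2048 bytes
   of slack for headers. The constants are assumptions, not the library's. */
size_t worst_case_jpeg_size(size_t w, size_t h, enum subsamp s) {
    size_t mw = mcu_w[s], mh = mcu_h[s];
    size_t chroma = (s == SAMP_GRAY) ? 0 : (4 * 64) / (mw * mh);
    return pad(w, mw) * pad(h, mh) * (2 + chroma) + 2048;
}

/* Output dimensions after a transform: transposing operations swap w and h. */
void transformed_dims(enum xop op, size_t w, size_t h, size_t *tw, size_t *th) {
    int swaps = (op == OP_TRANSPOSE || op == OP_TRANSVERSE ||
                 op == OP_ROT90 || op == OP_ROT270);
    *tw = swaps ? h : w;
    *th = swaps ? w : h;
}

/* Returns 1 if a caller-supplied buffer of dst_size bytes can hold the
   worst-case output of applying op to a w x h image, 0 if it could be overrun.
   The point is to size against the *transformed* dimensions, not the source. */
int dst_buffer_is_sufficient(size_t dst_size, size_t w, size_t h,
                             enum subsamp s, enum xop op) {
    size_t tw, th;
    transformed_dims(op, w, h, &tw, &th);
    return dst_size >= worst_case_jpeg_size(tw, th, s);
}

int main(void) {
    /* Constructed case: 17x8 source at 4:2:2 (16x8 MCUs), rotated by 90 degrees. */
    size_t src = worst_case_jpeg_size(17, 8, SAMP_422);
    size_t rot = worst_case_jpeg_size(8, 17, SAMP_422);
    printf("sized for source dims: %zu bytes\n", src);
    printf("needed after ROT90:    %zu bytes\n", rot);
    printf("buffer of %zu bytes sufficient for ROT90? %s\n", src,
           dst_buffer_is_sufficient(src, 17, 8, SAMP_422, OP_ROT90) ? "yes" : "no");
    /* Square 16x16 MCUs (4:2:0) make the bound symmetric, so no mismatch there. */
    printf("4:2:0 symmetric: %s\n",
           worst_case_jpeg_size(17, 8, SAMP_420) == worst_case_jpeg_size(8, 17, SAMP_420)
               ? "yes" : "no");
    return 0;
}
```

Run as-is it reports 3072 bytes for the source dimensions against 3584 bytes needed after rotation, so a buffer sized from the untransformed width and height is short by 512 bytes in this constructed case, which is exactly the gap an unchecked write would cross.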

The other low severity issue is an out-of-bounds read in the 2:1 upsampling code, which can potentially leak memory contents.

For dynamic testing, the team developed several fuzz testing harnesses. Fuzz testing is essential for the overall security of the libjpeg-turbo project, especially since it is implemented in C, which is prone to memory corruption vulnerabilities. For this audit, coverage-guided fuzz testing was performed using AFL++ in combination with sanitizers such as AddressSanitizer (ASAN). It is highly recommended to incorporate the developed harnesses into the libjpeg-turbo project and to keep fuzzing, with either AFL++ or libFuzzer, an integral and permanent part of its development process, which will result in better testing coverage.

Due to the limited funding for the libjpeg-turbo project, we were not able to work as closely with the maintainers as we usually do. You can help improve their situation by donating. More details can be found in the release notes:
https://groups.google.com/g/libjpeg-turbo-announce/c/YZ2wRgB0zIE/m/UOjrm9quBQAJ
Direct link to their GitHub Sponsors page:
https://github.com/sponsors/libjpeg-turbo

The OSTIF’s announcement can be found at:
https://ostif.org/our-audit-of-libjpeg-turbo-is-complete/


If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!