Skip to content

Latest commit

 

History

History
71 lines (62 loc) · 5.73 KB

threat-modeling.md

File metadata and controls

71 lines (62 loc) · 5.73 KB

Threat Model Analysis for mozilla/mozjpeg

Threat: Integer Overflow in DCT Coefficient Handling

  • Description: An attacker crafts a malicious JPEG image with specially designed DCT (Discrete Cosine Transform) coefficients that, when processed by mozjpeg, cause an integer overflow within the quantization or dequantization routines. This could lead to unexpected behavior, potentially including buffer overflows. This is a direct consequence of how mozjpeg handles DCT coefficients.
    • Impact:
      • Denial of Service (DoS) due to application crashes.
      • Potential for arbitrary code execution (though less likely than DoS).
      • Possible corruption of the output image.
    • Affected mozjpeg Component:
      • djpeg (decompression) component.
      • cjpeg (compression) component.
      • DCT-related functions (e.g., jpeg_idct_islow, jpeg_fdct_islow, functions within jdcoefct.c, jccoefct.c).
      • Quantization-related functions (e.g., functions within jquant.c, jdquant.c).
    • Risk Severity: High (Potentially Critical if code execution is possible, but more likely High due to DoS).
    • Mitigation Strategies:
      • Update mozjpeg: Keep mozjpeg updated to the latest version.
      • Input Validation: Validate image dimensions and file size before processing. Reject excessively large images. This helps indirectly by limiting the scope of potential overflows.
      • Resource Limits: Enforce resource limits (CPU time, memory) on the mozjpeg process to mitigate DoS.
      • Sandboxing: Run mozjpeg in a sandboxed environment.

Threat: Buffer Overflow in Marker Parsing

  • Description: An attacker provides a JPEG image with a malformed marker segment (e.g., SOF, DHT, DQT) that exceeds the expected size or contains invalid data. This causes a buffer overflow when mozjpeg's internal marker parsing routines attempt to process it. This is a direct vulnerability in mozjpeg's parsing logic.
    • Impact:
      • Denial of Service (DoS) due to application crashes.
      • Potential for arbitrary code execution.
      • Possible information disclosure (leaking memory contents).
    • Affected mozjpeg Component:
      • djpeg (decompression) component, specifically marker parsing functions.
      • Functions related to reading and processing JPEG markers (e.g., functions within jdmarker.c, jcomapi.c).
    • Risk Severity: Critical (High probability of DoS, with a significant risk of code execution).
    • Mitigation Strategies:
      • Update mozjpeg: Prioritize updating to the latest version.
      • Input Validation: Implement basic checks on the JPEG header to detect obviously malformed markers (excessively large marker lengths). This is a sanity check before mozjpeg's full parsing.
      • Sandboxing: Isolate the mozjpeg process.

Threat: Out-of-Bounds Read in Huffman Decoding

  • Description: An attacker crafts a JPEG image with a corrupted or malicious Huffman table. When mozjpeg's Huffman decoding routines attempt to decode the image data, they read beyond the bounds of allocated memory due to the invalid table. This is a direct vulnerability in mozjpeg's Huffman decoding implementation.
    • Impact:
      • Denial of Service (DoS) due to application crashes.
      • Information disclosure (leaking memory contents).
      • Potentially, arbitrary code execution (less likely than DoS or information disclosure).
    • Affected mozjpeg Component:
      • djpeg (decompression) component.
      • Huffman decoding functions (e.g., functions within jdhuff.c, jdphuff.c).
    • Risk Severity: High (DoS and information disclosure are likely; code execution is possible but less probable).
    • Mitigation Strategies:
      • Update mozjpeg: This is the primary defense.
      • Input Validation: Basic checks on the Huffman table definitions in the JPEG header (though full validation is complex and best left to mozjpeg).
      • Sandboxing: Isolate the mozjpeg process.

Threat: Denial of Service via Excessive Memory Allocation

  • Description: An attacker provides an image that, while seemingly valid according to basic checks, triggers mozjpeg's internal memory allocation routines to allocate an extremely large amount of memory, leading to a denial-of-service. This exploits how mozjpeg handles image data internally.
    • Impact:
      • Denial of Service (DoS) – the application becomes unresponsive or crashes.
    • Affected mozjpeg Component:
      • cjpeg (compression) and djpeg (decompression) components.
      • Memory allocation functions throughout the library (e.g., jpeg_alloc_huff_table, jpeg_alloc_quant_table, functions that allocate memory for image buffers).
    • Risk Severity: High (DoS is highly likely).
    • Mitigation Strategies:
      • Input Validation:
        • Strictly enforce maximum image dimensions (width and height).
        • Enforce a maximum file size limit.
        • Limit the number of image components. These limits prevent mozjpeg from even attempting to allocate excessive memory.
      • Resource Limits:
        • Use operating system features to limit the maximum amount of memory that the mozjpeg process can allocate.
      • Timeouts: Implement timeouts for mozjpeg processing.