It exists a buffer overflow when use function raw2image()

[fantasyoung]

Description

When use function raw2image(),it will be buffer overflow

My test program

4channels in Libraw/bin

Command and argument

./configure --disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb
./4channels ../../../output2/dcraw_emu2/crashes/id:000000,sig:11,src:002769+002786,op:splice,rep:4

Crash Information

Processing file ../../../output2/dcraw_emu2/crashes/id:000000,sig:11,src:002769+002786,op:splice,rep:4
ASAN:SIGSEGV
=================================================================
==47956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042a61d bp 0x7ffdaf5c2c00 sp 0x7ffdaf5c2b20 T0)
    #0 0x42a61c in LibRaw::raw2image() src/libraw_cxx.cpp:3409
    #1 0x404824 in main samples/4channels.cpp:110
    #2 0x7fc4d13ce82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x403df8 in _start (/home/wind/libraw_fuzz_new/as_libraw/LibRaw-master/bin/4channels+0x403df8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/libraw_cxx.cpp:3409 LibRaw::raw2image()
==47956==ABORTING

POC File

crash.zip

CREDIT

pu!m,Huawei Weiran Labs

[LibRaw]

Could you please specify what LibRaw version (branch, commit ID, etc) has this problem?

Just checked with 4channels from current master branch: it refuses your crash sample at early stage.

[fantasyoung]

It's the master branch,commit ID is e6c6d25.

[LibRaw]

This is not buffer overflow, but possible write at 0. Fixed in this patch: 7e29b9f

[fantasyoung]

This crash is also existing in the latest commit 7e29b9f
When I execute my sample,the program will be like this

LibRaw-0.19.1/bin# ./4channels ../0000 
Processing file ../0000
Segmentation fault

And when I use AddressSanitizer,the program will be like this

Processing file ../../../4channels_output/output2/4channels2/crashes/id:000000,sig:11,src:002769+002786,op:splice,rep:4
ASAN:SIGSEGV
=================================================================
==44409==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042a61d bp 0x7fffa994dca0 sp 0x7fffa994dbc0 T0)
    #0 0x42a61c in LibRaw::raw2image() src/libraw_cxx.cpp:3409
    #1 0x404824 in main samples/4channels.cpp:110
    #2 0x7f13207ba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x403df8 in _start (/home/wind/libraw_fuzz_new/LibRaw_new/LibRaw-master/bin/4channels+0x403df8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/libraw_cxx.cpp:3409 LibRaw::raw2image()
==44409==ABORTING

[LibRaw]

Could not confirm that: just recompiled latest commit with clang, there is no SEGV in raw2image

./bin/4channels ~/asan/0000.raw

Processing file /home/lexa/asan/0000.raw
Black level (unscaled)=0
Writing file /home/lexa/asan/0000.raw.R.tiff
Writing file /home/lexa/asan/0000.raw.G.tiff
Writing file /home/lexa/asan/0000.raw.B.tiff
Writing file /home/lexa/asan/0000.raw.G2.tiff

[fantasyoung]

After I confirmd,in the latest 7e29b9f,it is like this

./4channels ../../../0000.raw
Processing file ../../../0000.raw
Black level (unscaled)=0
Writing file ../../../0000.raw.R.tiff
lt-4channels: malloc.c:2394: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Aborted

My environment is Linux ubuntu 4.15.0-42-generic #45~16.04.1-Ubuntu SMP Mon Nov 19 13:02:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
And previous issue SEGV is in e6c6d25.When I commit the SEGV issue,you don't update the latest 7e29b9f.

[LibRaw]

Your latest report (malloc assertion) definitely points to some other problem, because raw2image is already done before black level subtraction (reported) and file write

[carnil]

This is was assigned CVE-2018-20363

[LibRaw]

This specific initial case is definitely resolved. Please open other issue if there is another problem (not raw2image/raw2image_ex/copy_bayer related).