Heap Out of Bounds Access (72839282)

[Google-Autofuzz]

Hello OpenEXR team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
OpenEXR (tested with revision * develop 165dcea).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:

• mkdir project
• cp Dockerfile.OpenEXR /path/to/project/Dockerfile
• docker build --no-cache /path/to/project
• docker run -it image_id_from_docker_build

From another terminal, outside the container:
docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
/fuzzing/repro.sh /fuzzing/reproducer

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

=================================================================
==21==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ed11 at pc 0x0000006dfb78 bp 0x7fff0badf6f0 sp 0x7fff0badf6e8
READ of size 1 at 0x60300000ed11 thread T0
    #0 0x6dfb77 in inflate /fuzzing/zlib/inflate.c:662:13
    #1 0x6c9c68 in uncompress2 /fuzzing/zlib/uncompr.c:70:15
    #2 0x6c9f8d in uncompress /fuzzing/zlib/uncompr.c:92:12
    #3 0x6231c3 in Imf_2_2::Zip::uncompress(char const*, int, char*) /fuzzing/openexr/OpenEXR/IlmImf/ImfZip.cpp:148:17
    #4 0x561e20 in Imf_2_2::ZipCompressor::uncompress(char const*, int, int, char const*&) /fuzzing/openexr/OpenEXR/IlmImf/ImfZipCompressor.cpp:119:24
    #5 0x655ec4 in Imf_2_2::(anonymous namespace)::LineBufferTask::execute() /fuzzing/openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:540:66
    #6 0x6bf8f4 in IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) /fuzzing/openexr/IlmBase/IlmThread/IlmThreadPool.cpp:433:15
    #7 0x65154c in Imf_2_2::ScanLineInputFile::readPixels(int, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1612:17
    #8 0x633995 in Imf_2_2::InputFile::readPixels(int, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfInputFile.cpp:815:23
    #9 0x55de1f in Imf_2_2::RgbaInputFile::readPixels(int, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfRgbaFile.cpp:1302:14
    #10 0x524a7a in (anonymous namespace)::readSingle(char const*) /fuzzing/security-research-pocs/autofuzz/openexr_fuzz_scanlines.cc:36:52
    #11 0x524805 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/openexr_fuzz_scanlines.cc:113:3
    #12 0x516d9c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/openexr_fuzz_scanlines+0x516d9c)
    #13 0x51655e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) (/fuzzing/openexr_fuzz_scanlines+0x51655e)
    #14 0x5103bd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) (/fuzzing/openexr_fuzz_scanlines+0x5103bd)
    #15 0x51188f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/openexr_fuzz_scanlines+0x51188f)
    #16 0x51026c in main (/fuzzing/openexr_fuzz_scanlines+0x51026c)
    #17 0x7f7c709262b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #18 0x425979 in _start (/fuzzing/openexr_fuzz_scanlines+0x425979)

0x60300000ed11 is located 0 bytes to the right of 1-byte region [0x60300000ed10,0x60300000ed11)
allocated by thread T0 here:
    #0 0x4d5d00 in posix_memalign (/fuzzing/openexr_fuzz_scanlines+0x4d5d00)
    #1 0x64e21c in Imf_2_2::EXRAllocAligned(unsigned long, unsigned long) /fuzzing/openexr/OpenEXR/IlmImf/./ImfSystemSpecific.h:66:5
    #2 0x64db12 in Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) /fuzzing/openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1132:58
    #3 0x64e728 in Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1190:5
    #4 0x631103 in Imf_2_2::InputFile::initialize() /fuzzing/openexr/OpenEXR/IlmImf/ImfInputFile.cpp:553:32
    #5 0x62feb4 in Imf_2_2::InputFile::InputFile(char const*, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfInputFile.cpp:382:13
    #6 0x55cb1a in Imf_2_2::RgbaInputFile::RgbaInputFile(char const*, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfRgbaFile.cpp:1166:21
    #7 0x524984 in (anonymous namespace)::readSingle(char const*) /fuzzing/security-research-pocs/autofuzz/openexr_fuzz_scanlines.cc:20:14
    #8 0x524805 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/openexr_fuzz_scanlines.cc:113:3
    #9 0x516d9c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/openexr_fuzz_scanlines+0x516d9c)
    #10 0x51026c in main (/fuzzing/openexr_fuzz_scanlines+0x51026c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/zlib/inflate.c:662:13 in inflate
Shadow bytes around the buggy address:
  0x0c067fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c067fff9da0: fa fa[01]fa fa fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff9db0: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff9dc0: 00 00 00 fa fa fa 00 00 05 fa fa fa 00 00 00 fa
  0x0c067fff9dd0: fa fa 00 00 00 fa fa fa 00 00 05 fa fa fa 00 00
  0x0c067fff9de0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
  0x0c067fff9df0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21==ABORTING

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

A possible patch for this issue has been attached for your consideration.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

artifacts_72839282.zip
72839282.txt

[peterhillman]

Same issue as #271 and fixed with PR #437