A vulnerability in tinyexr (CVE-2018-12064)

There is a heap-buffer-overflow vulnerability in tinyexr (git repository: https://github.com/syoyo/tinyexr, latest commit 7953aea on May 27, 2018).

git log

commit 7953aeaa372573fa4c33bb371ff9e9e224cc4e63
Merge: 9ccd039 917257c
Author: Syoyo Fujita <syoyo@lighttransport.com>
Date:   Sun May 27 01:01:10 2018 +0900

I built tinyexr with clang and AddressSanitizer. When the testcase (see: https://github.com/ChijinZ/security_advisories/blob/master/tinyexr_7953aea/heap-buffer-overflow) is fed to test_tinyexr (command: ./test_tinyexr testcase), a heap-buffer-overflow is triggered in tinyexr::ReadChannelInfo while the EXR header is being parsed.

AddressSanitizer reported the following:

==28461==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000027 at pc 0x00000055e7d0 bp 0x7ffc4ae2a370 sp 0x7ffc4ae2a368
READ of size 4 at 0x603000000027 thread T0
    #0 0x55e7cf in tinyexr::ReadChannelInfo(std::vector<tinyexr::ChannelInfo, std::allocator<tinyexr::ChannelInfo> >&, std::vector<unsigned char, std::allocator<unsigned char> > const&) /path/to/tinyexr/./tinyexr.h:7320:5
    #1 0x53bb5a in tinyexr::ParseEXRHeader(tinyexr::HeaderInfo*, bool*, _EXRVersion const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, unsigned char const*, unsigned long) /path/to/tinyexr/./tinyexr.h:10304:12
    #2 0x53a27f in ParseEXRHeaderFromMemory /path/to/tinyexr/./tinyexr.h:11088:13
    #3 0x538f4f in ParseEXRHeaderFromFile /path/to/tinyexr/./tinyexr.h:12369:10
    #4 0x534c17 in LoadEXR /path/to/tinyexr/./tinyexr.h:10921:15
    #5 0x5680e5 in main /path/to/tinyexr/test_tinyexr.cc:130:13
    #6 0x7f8fa177d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41b288 in _start (/path/to/tinyexr/test_tinyexr+0x41b288)

0x603000000027 is located 0 bytes to the right of 23-byte region [0x603000000010,0x603000000027)
allocated by thread T0 here:
    #0 0x516f48 in operator new(unsigned long) /home/ubuntu/llvm/llvm-6.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x55d30a in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/ext/new_allocator.h:104:27
    #2 0x55d30a in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/alloc_traits.h:491
    #3 0x55d30a in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:170
    #4 0x55d30a in std::vector<unsigned char, std::allocator<unsigned char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/vector.tcc:557
    #5 0x55d30a in std::vector<unsigned char, std::allocator<unsigned char> >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:676
    #6 0x55d30a in tinyexr::ReadAttribute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<unsigned char, std::allocator<unsigned char> >*, unsigned long*, char const*, unsigned long) /path/to/tinyexr/./tinyexr.h:7215
    #7 0x53b24f in tinyexr::ParseEXRHeader(tinyexr::HeaderInfo*, bool*, _EXRVersion const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, unsigned char const*, unsigned long) /path/to/tinyexr/./tinyexr.h:10234:10
    #8 0x53a27f in ParseEXRHeaderFromMemory /path/to/tinyexr/./tinyexr.h:11088:13
    #9 0x538f4f in ParseEXRHeaderFromFile /path/to/tinyexr/./tinyexr.h:12369:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /path/to/tinyexr/./tinyexr.h:7320:5 in tinyexr::ReadChannelInfo(std::vector<tinyexr::ChannelInfo, std::allocator<tinyexr::ChannelInfo> >&, std::vector<unsigned char, std::allocator<unsigned char> > const&)
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00[07]fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07 
Heap left redzone:       fa
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
==28461==ABORTING
=================================================================
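The report above shows a 4-byte read landing exactly at the end of a 23-byte heap buffer that ReadAttribute allocated for an attribute payload, while ReadChannelInfo was walking the channel list. That is the shape of a chlist parser that reads a channel's fixed-size fields right after its NUL-terminated name without first checking that those bytes remain in the buffer. The following is an added example, not tinyexr's code and not the advisory's testcase: a minimal C parser for an OpenEXR chlist payload, once in the bug-pattern form and once bounds-checked, with a constructed 23-byte payload whose last channel is cut off after its name. The function names (parse_chlist_unchecked, parse_chlist_checked, count_checked), limits and sample bytes are this example's own assumptions; only the chlist field layout is OpenEXR's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* OpenEXR "chlist" payload: entries of NUL-terminated name + 16 fixed
 * little-endian bytes (int32 pixel_type, uint8 pLinear, 3 reserved,
 * int32 xSampling, int32 ySampling); a 0x00 where the next name would
 * start ends the list. Parsers and constants here are this example's own. */
#define CHLIST_FIXED_BYTES 16
#define MAX_CHANNELS 8
#define MAX_NAME 255

typedef struct {
    char name[MAX_NAME + 1];
    int32_t pixel_type;   /* 0 = UINT, 1 = HALF, 2 = FLOAT */
    uint8_t p_linear;
    int32_t x_sampling;
    int32_t y_sampling;
} channel_info;

static int32_t read_le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Scan the NUL-terminated name at *off; leave *off just past the NUL.
 * Returns -1 if the name is unterminated or too long. */
static int read_name(const uint8_t *d, size_t len, size_t *off, size_t *name_len) {
    size_t start = *off;
    while (*off < len && d[*off] != 0) (*off)++;
    if (*off >= len) return -1;
    *name_len = *off - start;
    if (*name_len > MAX_NAME) return -1;
    (*off)++;
    return 0;
}

/* Decode the 16 fixed bytes at p; p[5..7] are reserved. */
static void fill_fixed(channel_info *ci, const uint8_t *p) {
    ci->pixel_type = read_le32(p);
    ci->p_linear   = p[4];
    ci->x_sampling = read_le32(p + 8);
    ci->y_sampling = read_le32(p + 12);
}

/* Bug-pattern form: the fixed fields are read with no check that they fit.
 * On a payload whose last entry ends right after its name, the 4-byte
 * pixel_type read lands at d[len], 0 bytes past the buffer, which is the
 * shape ASan reports above. Shown for contrast; only run on well-formed data. */
int parse_chlist_unchecked(const uint8_t *d, size_t len, channel_info *out, size_t max_out) {
    size_t off = 0, name_len;
    int n = 0;
    while (off < len && d[off] != 0) {
        size_t start = off;
        if (read_name(d, len, &off, &name_len) != 0 || (size_t)n >= max_out) return -1;
        memcpy(out[n].name, d + start, name_len);
        out[n].name[name_len] = '\0';
        fill_fixed(&out[n], d + off);          /* out-of-bounds read if truncated */
        off += CHLIST_FIXED_BYTES;
        n++;
    }
    return n;
}

/* Hardened form: every read is preceded by a remaining-length check.
 * Returns the channel count, or -1 for a truncated or malformed payload. */
int parse_chlist_checked(const uint8_t *d, size_t len, channel_info *out, size_t max_out) {
    size_t off = 0, name_len;
    int n = 0;
    for (;;) {
        if (off >= len) return -1;             /* list terminator missing */
        if (d[off] == 0) return n;             /* end of list */
        size_t start = off;
        if (read_name(d, len, &off, &name_len) != 0 || (size_t)n >= max_out) return -1;
        if (len - off < CHLIST_FIXED_BYTES) return -1;   /* the check the bug lacks */
        memcpy(out[n].name, d + start, name_len);
        out[n].name[name_len] = '\0';
        fill_fixed(&out[n], d + off);
        off += CHLIST_FIXED_BYTES;
        n++;
    }
}

/* Constructed sample payloads (not the advisory's testcase). */
static const uint8_t chlist_ok[] = {
    'R', 0, 1,0,0,0, 0, 0,0,0, 1,0,0,0, 1,0,0,0,   /* "R": HALF, 1x1 sampling */
    'G', 0, 1,0,0,0, 0, 0,0,0, 1,0,0,0, 1,0,0,0,   /* "G" */
    0 };                                           /* list terminator */
/* 23 bytes: one complete entry, then a name whose 16 fixed bytes are absent. */
static const uint8_t chlist_truncated[] = {
    'R', 0, 1,0,0,0, 0, 0,0,0, 1,0,0,0, 1,0,0,0,
    'G','G','G','G', 0 };

static channel_info parsed[MAX_CHANNELS];

/* Convenience wrapper: parse with the checked parser into `parsed`. */
int count_checked(const uint8_t *d, size_t len) {
    return parse_chlist_checked(d, len, parsed, MAX_CHANNELS);
}
```

The checked parser accepts the two-channel payload and rejects the 23-byte one before touching the missing fields; the unchecked parser gives the same answer on well-formed input, and the only behavioural difference between the two is the single length comparison that the sanitizer trace points at.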