//// Microsvuln
//// CVE-2023-4863 - Triggering the libwebp bug with libFuzzer
//// Notice: this is not a standard harness yet
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#include <vector>

#include "src/dec/vp8li_dec.h"
#include "src/utils/bit_reader_utils.h"
#include "src/utils/huffman_utils.h"
#include "src/utils/utils.h"
#include "src/webp/format_constants.h"
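// libFuzzer entry point: feeds fuzzer-controlled code lengths straight into
// libwebp's Huffman table builder (the routine patched for CVE-2023-4863).
//
// Input layout: data[0] selects root_bits in 1..8; data[1..size-1] are the
// code lengths, one symbol per byte (0..255, so most bytes exceed the
// library's maximum code length and make the call fail early).
//
// Returns 0 always (libFuzzer ignores the value); memory errors are reported
// by the sanitizer the target is built with.
//
// NOTE(review): root_table holds only the first-level (1 << root_bits)
// entries. libwebp's own decoder (vp8l_dec.c) hands VP8LBuildHuffmanTable a
// buffer sized for the second-level tables as well and always passes
// HUFFMAN_TABLE_BITS as root_bits. A heap-buffer-overflow reported from this
// harness — such as the log below, which fired on a 4-byte input after a
// handful of executions, with the fault address in a heap redzone — most
// likely reflects the harness's under-sized table rather than the CVE's
// overflow. Treat it as a harness precondition bug until it reproduces with a
// table sized the way the decoder sizes it.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // Need one byte for root_bits and at least one code length.
  if (size < 2) {
    return 0;
  }
  const int root_bits = (data[0] % 8) + 1;

  // Remaining bytes become int code lengths; std::vector replaces the
  // original new[]/delete[] pair so nothing leaks on any exit path.
  const std::vector<int> code_lengths(data + 1, data + size);

  // Value-initialised first-level table: exactly 1 << root_bits entries,
  // all bits/values zero (same contents the original memset produced).
  const int table_size = 1 << root_bits;
  std::vector<HuffmanCode> root_table(static_cast<size_t>(table_size));

  // The original passed a size_t count into an int parameter; make the
  // narrowing explicit instead of implicit.
  const int result = VP8LBuildHuffmanTable(
      root_table.data(), root_bits, code_lengths.data(),
      static_cast<int>(code_lengths.size()));
  (void)result;  // 0 means the lengths were rejected (see huffman_utils.h).
  return 0;
}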
/*
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 37686638
INFO: Loaded 1 modules (7 inline 8-bit counters): 7 [0x559193315c10, 0x559193315c17),
INFO: Loaded 1 PC tables (7 PCs): 7 [0x559193315c18,0x559193315c88),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 31Mb
#3 NEW cov: 5 ft: 5 corp: 2/3b lim: 4 exec/s: 0 rss: 31Mb L: 2/2 MS: 1 CopyPart-
=================================================================
==2202660==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000053a0 at pc 0x55919328bd9a bp 0x7fffe9902cf0 sp 0x7fffe99024c0
WRITE of size 4 at 0x61b0000053a0 thread T0
#0 0x55919328bd99 in __asan_memcpy (/home/user/fuzztest/libwebp/newh65_4444+0xddd99) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
#1 0x5591932cdfe3 in ReplicateValue /home/user/fuzztest/libwebp/src/utils/huffman_utils.c:59:18
#2 0x5591932cd887 in BuildHuffmanTable /home/user/fuzztest/libwebp/src/utils/huffman_utils.c:194:9
#3 0x5591932ca3b5 in VP8LBuildHuffmanTable /home/user/fuzztest/libwebp/src/utils/huffman_utils.c:224:18
#4 0x5591932c9fdf in LLVMFuzzerTestOneInput (/home/user/fuzztest/libwebp/newh65_4444+0x11bfdf) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
#5 0x5591931f0343 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/fuzztest/libwebp/newh65_4444+0x42343) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
#6 0x5591931efa99 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/fuzztest/libwebp/newh65_4444+0x41a99) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
#7 0x5591931f1289 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/fuzztest/libwebp/newh65_4444+0x43289) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
#8 0x5591931f1e05 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/user/fuzztest/libwebp/newh65_4444+0x43e05) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
#9 0x5591931dff42 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/fuzztest/libwebp/newh65_4444+0x31f42) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
#10 0x559193209c32 in main (/home/user/fuzztest/libwebp/newh65_4444+0x5bc32) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
#11 0x7f8fa430dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7f8fa430de3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x5591931d4984 in _start (/home/user/fuzztest/libwebp/newh65_4444+0x26984) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4)
Address 0x61b0000053a0 is a wild pointer inside of access range of size 0x000000000004.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/fuzztest/libwebp/newh65_4444+0xddd99) (BuildId: 7da08ad3a31e4e533ab3adc0d1df52a805bd6cb4) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c367fff8a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fff8a70: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2202660==ABORTING
MS: 1 CopyPart-; base unit: 71853c6197a6a7f222db0f1978c7cb232b87c5ee
0xa,0xa,0xa,0xa,
\012\012\012\012
artifact_prefix='./'; Test unit written to ./crash-3f3d2d8955322f325af6db2238355fa07007ebd9
*/