Skip to content

Double-Free of ImageReadJPEG #80

Closed
@NigelX

Description

@NigelX

Hi

I found an crash erro.

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0

DIPliB Release v3.0.0

commit:7db848500f4cc5db676b32e9a95dcbc94d976339

[poc1.zip](https://github.com/DIPlib/diplib/files/6966666/poc1.zip) (edit: careful with this, looks malicious)


Verification steps:
1.Get the source code of DIPliB
2.Compile the DIPliB and poc.cc

$ cd diplib
$ mkdir build && cd build
$ cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address" -DCMAKE_CXX_FLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make -j 32
$ sudo make install
$ cp src/libDIP.so ./
$ clang++ -g poc.cc -O2 -fno-omit-frame-pointer -fsanitize=address  -fsanitize-coverage=bb -I/usr/local/include -lDIP -L. -Wl,-rpath,. -o poc

3.run poc

$ ./poc crash.jpg

asan info

=================================================================
==2969722==ERROR: AddressSanitizer: attempting double-free on 0x60b0000001a0 in thread T0:
    #0 0x4c5ccd in operator delete(void*) (/home/topsec/Downloads/diplib/build/poc+0x4c5ccd)
    #1 0x7f036377cf05 in dip::ImageReadJPEG(dip::Image&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h
    #2 0x4c870c in dip::ImageReadJPEG(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/local/include/diplib/file_io.h:356:4
    #3 0x4c870c in main /home/topsec/Downloads/diplib/build/poc.cc:20:19
    #4 0x7f03623c60b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41d5bd in _start (/home/topsec/Downloads/diplib/build/poc+0x41d5bd)

0x60b0000001a0 is located 0 bytes inside of 99-byte region [0x60b0000001a0,0x60b000000203)
freed by thread T0 here:
    #0 0x4c5ccd in operator delete(void*) (/home/topsec/Downloads/diplib/build/poc+0x4c5ccd)
    #1 0x7f036377f4e5 in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:128:2
    #2 0x7f036377f4e5 in std::allocator_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:470:13
    #3 0x7f036377f4e5 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h:237:9
    #4 0x7f036377f4e5 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h:232:4
    #5 0x7f036377f4e5 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h:658:9
    #6 0x7f036377f4e5 in dip::(anonymous namespace)::JpegInput::JpegInput(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/topsec/Downloads/diplib/src/file_io/jpeg.cpp:77:7
    #7 0x7f036377bed2 in dip::ImageReadJPEG(dip::Image&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/topsec/Downloads/diplib/src/file_io/jpeg.cpp:194:4
    #8 0x4c870c in dip::ImageReadJPEG(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/local/include/diplib/file_io.h:356:4
    #9 0x4c870c in main /home/topsec/Downloads/diplib/build/poc.cc:20:19
    #10 0x7f03623c60b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4c546d in operator new(unsigned long) (/home/topsec/Downloads/diplib/build/poc+0x4c546d)
    #1 0x7f036377b4a6 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.tcc:219:14
    #2 0x7f036377b4a6 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*>(char*, char*, std::__false_type) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h:247:11
    #3 0x7f036377b4a6 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h:266:4
    #4 0x7f036377b4a6 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h:451:9
    #5 0x7f036377b4a6 in dip::ImageReadJPEG(dip::Image&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/topsec/Downloads/diplib/src/file_io/jpeg.cpp:181:20
    #6 0x4c870c in dip::ImageReadJPEG(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/local/include/diplib/file_io.h:356:4
    #7 0x4c870c in main /home/topsec/Downloads/diplib/build/poc.cc:20:19
    #8 0x7f03623c60b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: double-free (/home/topsec/Downloads/diplib/build/poc+0x4c5ccd) in operator delete(void*)
==2969722==ABORTING

Thank you,
Product Security

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions