Skip to content

CVE-2018-19535: AddressSanitizer: heap-buffer-overflow at pngchunk_int.cpp:635 #428

Closed
@hongxuchen

Description

@hongxuchen

When running exiv2 $FILE (5940c6f) against png files, , ASAN reports a heap-buffer-overflow error.

POCs:
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_pngchunk_int.cpp:635_1.png
https://github.com/ntu-sec/pocs/blob/master/exiv2-5940c6f3/crashes/hbo_pngchunk_int.cpp:635_2.png

ASAN output:

=================================================================
==32119==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000001bf at pc 0x7fea19eca9aa bp 0x7ffd00c71d70 sp 0x7ffd00c71d68
READ of size 1 at 0x6070000001bf thread T0
    #0 0x7fea19eca9a9 in Exiv2::Internal::PngChunk::readRawProfile(Exiv2::DataBuf const&, bool) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:635:16
    #1 0x7fea19ec7228 in Exiv2::Internal::PngChunk::parseChunkContent(Exiv2::Image*, unsigned char const*, long, Exiv2::DataBuf) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:258:32
    #2 0x7fea19ec4f6f in Exiv2::Internal::PngChunk::decodeTXTChunk(Exiv2::Image*, Exiv2::DataBuf const&, Exiv2::Internal::PngChunk::TxtChunkType) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:91:9
    #3 0x7fea19d74647 in Exiv2::PngImage::readMetadata() /home/hongxu/FOT/exiv2/src/pngimage.cpp:495:21
    #4 0x55b70c in Action::Print::printSummary() /home/hongxu/FOT/exiv2/src/actions.cpp:288:16
    #5 0x55a19a in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/hongxu/FOT/exiv2/src/actions.cpp:248:48
    #6 0x532dcb in main /home/hongxu/FOT/exiv2/src/exiv2.cpp:166:29
    #7 0x7fea18220b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x435ac9 in _start (/home/hongxu/FOT/exiv2/install/bin/exiv2+0x435ac9)

0x6070000001bf is located 0 bytes to the right of 79-byte region [0x607000000170,0x6070000001bf)
allocated by thread T0 here:
    #0 0x52e0f0 in operator new[](unsigned long) (/home/hongxu/FOT/exiv2/install/bin/exiv2+0x52e0f0)
    #1 0x7fea19ce7af9 in Exiv2::DataBuf::DataBuf(unsigned char const*, long) /home/hongxu/FOT/exiv2/src/types.cpp:138:22
    #2 0x7fea19ec6831 in Exiv2::Internal::PngChunk::parseTXTChunk(Exiv2::DataBuf const&, int, Exiv2::Internal::PngChunk::TxtChunkType) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:216:27
    #3 0x7fea19ec4dcc in Exiv2::Internal::PngChunk::decodeTXTChunk(Exiv2::Image*, Exiv2::DataBuf const&, Exiv2::Internal::PngChunk::TxtChunkType) /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:85:23
    #4 0x7fea19d74647 in Exiv2::PngImage::readMetadata() /home/hongxu/FOT/exiv2/src/pngimage.cpp:495:21
    #5 0x55b70c in Action::Print::printSummary() /home/hongxu/FOT/exiv2/src/actions.cpp:288:16
    #6 0x55a19a in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/hongxu/FOT/exiv2/src/actions.cpp:248:48
    #7 0x532dcb in main /home/hongxu/FOT/exiv2/src/exiv2.cpp:166:29
    #8 0x7fea18220b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/exiv2/src/pngchunk_int.cpp:635:16 in Exiv2::Internal::PngChunk::readRawProfile(Exiv2::DataBuf const&, bool)
Shadow bytes around the buggy address:
  0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff8010: fa fa 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
  0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
=>0x0c0e7fff8030: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
  0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32119==ABORTING

Metadata

Metadata

Labels

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions