ERROR-Segmentation fault #501

Open
EnchantedJohn opened this issue May 8, 2018 · 7 comments

Comments

EnchantedJohn commented May 8, 2018

I used the AFL tool to find a bug in the image_load_pnm() method. The error is:
Starting program: /home/lx/5_7/flif/flif/src/flif -e id:000003,sig:11,src:000049,op:havoc,rep:2 test6.flif
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
Error: could not allocate enough memory for image buffer.

Program received signal SIGSEGV, Segmentation fault.
0x00000000004ac45a in set (x=<optimized out>, c=<optimized out>, r=0, p=0, this=0x7fffffffdfb0) at image/image.hpp:906
906 planes[p]->set(r,c,x);

The following is the gdb stack:
[image: gdb backtrace]

Then the following are gdb's instructions and registers:

(gdb) x/i $pc
=> 0x4ac45a <image_load_pnm(char const*, Image&)+5210>: mov (%rdi),%r10
(gdb) i r
rax 0xffffffff 4294967295
rbx 0xffffffff 4294967295
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0x0 0
rbp 0x1 0x1
rsp 0x7fffffffdd90 0x7fffffffdd90
r8 0x7ffff7fca780 140737353918336
r9 0x7461636f6c6c6120 8386093311352135968
r10 0x7fffffffdb50 140737488345936
r11 0x246 582
r12 0x0 0
r13 0x80 128
r14 0x7fffffffdfb0 140737488347056
r15 0xfffffe44 4294966852
rip 0x4ac45a 0x4ac45a <image_load_pnm(char const*, Image&)+5210>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

EnchantedJohn changed the title from "BUG Program received signal SIGSEGV, Segmentation fault" to "ERROR-Segmentation fault" on May 8, 2018

@EnchantedJohn (Author)

(gdb) bt
#0 0x00000000004ac45a in set (x=<optimized out>, c=<optimized out>, r=0, p=0, this=0x7fffffffdfb0) at image/image.hpp:906
#1 image_load_pnm (filename=<optimized out>, filename@entry=0x7fffffffe5bc "id:000003,sig:11,src:000049,op:havoc,rep:2", image=...) at image/image-pnm.cpp:81
#2 0x0000000000479a9b in Image::load (this=this@entry=0x7fffffffdfb0, filename=<optimized out>, filename@entry=0x7fffffffe5bc "id:000003,sig:11,src:000049,op:havoc,rep:2", options=...) at image/image.cpp:54
#3 0x0000000000454339 in encode_load_input_images (argc=<optimized out>, argc@entry=2, argv=argv@entry=0x7fffffffe318, images=std::vector of length 0, capacity 0, options=...) at flif.cpp:230
#4 0x0000000000468f35 in handle_encode (argc=2, argv=0x7fffffffe318, images=std::vector of length 0, capacity 0, options=...) at flif.cpp:356
#5 0x0000000000407c03 in main (argc=<optimized out>, argv=0x7fffffffe318) at flif.cpp:763

@EnchantedJohn (Author)

Then I will provide the ASAN data:
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
==195378==WARNING: AddressSanitizer failed to allocate 0x0053ffffffbc bytes
==195378==AddressSanitizer's allocator is terminating the process instead of returning 0
==195378==If you don't like this behavior set allocator_may_return_null=1
==195378==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
#0 0x7f463a9b0d93 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x59d93)
#1 0x7f463a9b4cd3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5dcd3)
#2 0x7f463a970831 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x19831)
#3 0x7f463a9b3531 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5c531)
#4 0x7f463a9ac107 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x55107)
#5 0x4e3a45 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
#6 0x4e3a45 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:488
#7 0x4e3a45 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
#8 0x4e3a45 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:185
#9 0x4e3a45 in _Vector_base /usr/include/c++/4.9/bits/stl_vector.h:136
#10 0x4e3a45 in vector /usr/include/c++/4.9/bits/stl_vector.h:291
#11 0x4e3a45 in Plane image/image.hpp:231
#12 0x4e3a45 in std::unique_ptr<Plane, std::default_delete<Plane > > make_unique<Plane, unsigned long&, unsigned long&, int, int&>(unsigned long&, unsigned long&, int&&, int&) image/image.hpp:159
#13 0x4e8582 in Image::real_init(bool) image/image.hpp:728
#14 0x4f6c65 in Image::init(unsigned int, unsigned int, int, int, int) image/image.hpp:687
#15 0x4f6c65 in image_load_pnm(char const*, Image&) image/image-pnm.cpp:75
#16 0x4c3dea in Image::load(char const*, metadata_options&) image/image.cpp:54
#17 0x4a25b2 in encode_load_input_images(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:230
#18 0x4b30d4 in handle_encode(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:356
#19 0x408c14 in main /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:763
#20 0x7f4639e5ff44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#21 0x49f14f (/home/lx/5_7/ASAN/FLIF-master/src/flif+0x49f14f)

@EnchantedJohn (Author)

gdb-peda$ x/x 0x0053ffffffbc
0x53ffffffbc: Cannot access memory at address 0x53ffffffbc

Then I used gdb to try to access 0x0053ffffffbc, but I can't. Then I read image-pnm.cpp and found the reason for this error.
I think it is a buffer overflow.
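
The traces above show the loader printing "could not allocate enough memory for image buffer" and then continuing into planes[p]->set() with a null plane pointer (rdi is 0 at the faulting mov). As an added example, not FLIF's own code, here is a C++ sketch of how a PNM loader can bound the requested buffer size before allocating and make allocation failure abort the load; kMaxImageBytes, plane_bytes and load_ppm_header are hypothetical names, and the 256 MiB budget is an assumption.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <new>
#include <vector>

// Hypothetical budget for the whole pixel buffer; a fuzzed header asking for
// the ~360 GB seen in the ASAN output above is rejected here, before any new[].
constexpr uint64_t kMaxImageBytes = 256ull * 1024 * 1024;

struct PlaneSize { bool ok; uint64_t bytes; };

// Overflow-safe width*height*channels*bytes_per_sample, checked against the
// budget one factor at a time so the product can never wrap in 64 bits.
PlaneSize plane_bytes(uint64_t width, uint64_t height,
                      uint64_t channels, uint64_t bytes_per_sample) {
    PlaneSize r{false, 0};
    uint64_t total = 1;
    for (uint64_t f : {width, height, channels, bytes_per_sample}) {
        // zero dimension, over budget, or a product that would overflow: reject
        if (f == 0 || f > kMaxImageBytes / total) return r;
        total *= f;
    }
    r.ok = true;
    r.bytes = total;
    return r;
}

// Parse a "P6 <w> <h> <maxval>" binary PPM header (constructed input in the
// test), validate before allocating, and treat allocation failure as fatal
// instead of a warning the loader keeps going past.
bool load_ppm_header(const char *header, std::vector<uint8_t> &buf) {
    unsigned long w = 0, h = 0, maxval = 0;
    if (std::sscanf(header, "P6 %lu %lu %lu", &w, &h, &maxval) != 3) return false;
    if (maxval == 0 || maxval > 65535) return false;   // PNM maxval range
    uint64_t bps = maxval > 255 ? 2 : 1;                // 16-bit samples above 255
    PlaneSize sz = plane_bytes(w, h, 3, bps);           // P6 always has 3 channels
    if (!sz.ok) return false;                           // rejected before any allocation
    try {
        buf.resize(static_cast<size_t>(sz.bytes));
    } catch (const std::bad_alloc &) {
        return false;   // no buffer means no pixels are written: nothing to dereference
    }
    return true;
}
```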

fgeek commented May 13, 2018

CVE-2018-10971 has been assigned for this issue (not requested by me).

fgeek commented May 13, 2018

@EnchantedJohn, include a sample PoC file in this issue, e.g. inside a zip file.

@EnchantedJohn (Author)

Thanks, I will close it.

fgeek commented May 25, 2018

@EnchantedJohn You have misunderstood something. You should not close these issue reports before they have been fixed.
