Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FLIF crash with specific image: heap-buffer-overflow #513

Open
fouzhe opened this issue Jun 10, 2018 · 7 comments
Open

FLIF crash with specific image: heap-buffer-overflow #513

fouzhe opened this issue Jun 10, 2018 · 7 comments

Comments

@fouzhe
Copy link

fouzhe commented Jun 10, 2018

Hi, all.
This PAM image file can cause crash.
It can cause heap-buffer-overflow. Here is ASAN result and I attached the file.

Thanks.

Execute the following command:

./flif --overwrite -e id\:000009\,sig\:06\,src\:000000\,op\:flip1\,pos\:39 2.flif

ASAN result:

Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
=================================================================
==17011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000040c0 at pc 0x00000060ceed bp 0x7ffd4a59bad0 sp 0x7ffd4a59bac8
WRITE of size 4 at 0x61b0000040c0 thread T0
    #0 0x60ceec in TransformPaletteC<FileIO>::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&) /home/fouzhe/my_fuzz/FLIF/src/transform/palette_C.hpp:130:112
    #1 0x775220 in bool flif_encode<FileIO>(FileIO&, std::vector<Image, std::allocator<Image> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, flif_options&) /home/fouzhe/my_fuzz/FLIF/src/flif-enc.cpp:914:22
    #2 0x53082a in encode_flif(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/fouzhe/my_fuzz/FLIF/src/flif.cpp:344:12
    #3 0x53bed0 in handle_encode(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/fouzhe/my_fuzz/FLIF/src/flif.cpp:360:12
    #4 0x53bed0 in main /home/fouzhe/my_fuzz/FLIF/src/flif.cpp:763
    #5 0x7f3b72d8882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x427418 in _start (/home/fouzhe/my_fuzz/FLIF/src/flif+0x427418)

Address 0x61b0000040c0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fouzhe/my_fuzz/FLIF/src/transform/palette_C.hpp:130:112 in TransformPaletteC<FileIO>::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)
Shadow bytes around the buggy address:
  0x0c367fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fff8810: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x0c367fff8820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
@fouzhe
Copy link
Author

fouzhe commented Jun 11, 2018

This issue got assigned CVE-2018-12109

@hongxuchen
Copy link

This seems a duplicate to #502, #506 or the root cause is somewhat relevant.

@fgeek
Copy link

fgeek commented Jun 12, 2018

Yep, looks duplicate to me.

@fouzhe since you are fuzzing with afl you should minimize the crashing files as it's easier to analyze and use it as a test case:

AFL_TMIN_EXACT=1 afl-tmin

You need to use AFL_TMIN_EXACT option or otherwise you might end up having different crash as output.

@grinapo
Copy link

grinapo commented Oct 31, 2018

Just a friendly message passing: all flif code is being removed from Debian due to open and unfixed security issues (this one as well as several others): bug 903600

@d11mshepcar d11mshepcar mentioned this issue Apr 15, 2019
Merged
@jonsneyers
Copy link
Member

Oops, thanks for the message passing, I guess I have been neglecting to maintain FLIF ever since work on JPEG XL started to get serious.

Probably a bit unnecessary to still fix all the fuzzerbugs in flif; it's superseded as a codec anyway.

@grinapo
Copy link

grinapo commented Sep 3, 2021

It's your kid, not mine 😁 but until JPEG-XL gets released some people still use FLIF so at least the security errors would be prudent to be fixed. (And even after that: I am not sure JPEG-XL will handle old flif files.)

@jonsneyers
Copy link
Member

JPEG XL will certainly not handle old flif files, so yes, you'll still need flif to decode them to something cjxl can encode, if you want to convert them.

Is this issue fixed with #532?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@fgeek @hongxuchen @grinapo @jonsneyers @fouzhe