Skip to content

a heap overflow when load a bmp image #183

Closed
@xiaoqx

Description

@xiaoqx

a heap overflow occurs when load a crafted bmp image using cimg.
the bug report as following with address sanitizer:

=================================================================
==6193==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f91792ff800 at pc 0x00000049dd13 bp 0x7ffee7a8e890 sp 0x7ffee7a8e880
READ of size 1 at 0x7f91792ff800 thread T0
#0 0x49dd12 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48457
#1 0x4b84a4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280
#2 0x4b84a4 in cimg_library::CImg::load(char const*) ../CImg.h:48122
#3 0x4022fa in cimg_library::CImg::assign(char const*) ../CImg.h:11514
#4 0x4022fa in cimg_library::CImg::CImg(char const*) ../CImg.h:11161
#5 0x4022fa in main /src/CImg/fuzz-test/bmp-test.cpp:25
#6 0x7f917bb8f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

0x7f91792ff800 is located 0 bytes to the right of 6287360-byte region [0x7f9178d00800,0x7f91792ff800)
allocated by thread T0 here:
#0 0x7f917ca906b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x433fb6 in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379
#2 0x49a75d in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int, unsigned char const&) ../CImg.h:11399
#3 0x49a75d in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48348
#4 0x4b84a4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280
#5 0x4b84a4 in cimg_library::CImg::load(char const*) ../CImg.h:48122
#6 0x4022fa in cimg_library::CImg::assign(char const*) ../CImg.h:11514
#7 0x4022fa in cimg_library::CImg::CImg(char const*) ../CImg.h:11161
#8 0x4022fa in main /src/CImg/fuzz-test/bmp-test.cpp:25

SUMMARY: AddressSanitizer: heap-buffer-overflow ../CImg.h:48457 cimg_library::CImg::_load_bmp(_IO_FILE*, char const*)
Shadow bytes around the buggy address:
0x0ff2af257eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2af257ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2af257ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2af257ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2af257ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff2af257f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2af257f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2af257f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2af257f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2af257f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2af257f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==6193==ABORTING

the testcase please refer:
https://github.com/xiaoqx/pocs/blob/master/cimg/cimg-heap-overflow-1

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions