
other testcases lead to heap overflow by loading crafted images #185

Closed
@xiaoqx

Description

@xiaoqx

A heap overflow occurs at different locations in CImg.h when loading the crafted image files. The tested code commit is 8447076.

The AddressSanitizer report is as follows:

==4030==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ef9c at pc 0x000000494724 bp 0x7ffc58d04270 sp 0x7ffc58d04260
READ of size 1 at 0x60600000ef9c thread T0
#0 0x494723 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48397
#1 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280
#2 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122
#3 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514
#4 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161
#5 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25
#6 0x7ff32e56282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x4022f8 in _start (/src/CImg/fuzz-test/bmp-test+0x4022f8)

0x60600000ef9c is located 0 bytes to the right of 60-byte region [0x60600000ef60,0x60600000ef9c)
allocated by thread T0 here:
#0 0x7ff32f15a6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x40562f in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379
#2 0x4907f4 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48342
#3 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280
#4 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122
#5 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514
#6 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161
#7 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25

SUMMARY: AddressSanitizer: heap-buffer-overflow ../CImg.h:48397 cimg_library::CImg::_load_bmp(_IO_FILE*, char const*)
Shadow bytes around the buggy address:
0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9df0: 00 00 00[04]fa fa fa fa 00 00 00 00 00 00 06 fa
0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==4030==ABORTING

PoCs:
https://github.com/xiaoqx/pocs/blob/master/cimg/cimg-heap-overflow-load_bmp-48378
https://github.com/xiaoqx/pocs/blob/master/cimg/cimg-heap-overflow-load_bmp-48397
https://github.com/xiaoqx/pocs/blob/master/cimg/cimg-heap-overflow-load_bmp-48457
https://github.com/xiaoqx/pocs/blob/master/cimg/cimg-heap-overflow-load_bmp-48413
https://github.com/xiaoqx/pocs/blob/master/cimg/cimg-heap-overflow-load_bmp-48427
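When a fuzzing run produces several PoCs like the five above, each faulting at a different line of `_load_bmp`, the first triage step is to pull the bug class, access, faulting source line and the allocation chain of the overflowed region out of each sanitizer report and bucket them. The helper below is an added example, not part of CImg or the reporter's tooling; it runs over an abbreviated copy of the report quoted in this issue and keys crashes by bug kind plus source line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Abbreviated copy of the AddressSanitizer report quoted in the issue above.
REPORT = """\
==4030==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ef9c at pc 0x000000494724 bp 0x7ffc58d04270 sp 0x7ffc58d04260
READ of size 1 at 0x60600000ef9c thread T0
#0 0x494723 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48397
#1 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280
0x60600000ef9c is located 0 bytes to the right of 60-byte region [0x60600000ef60,0x60600000ef9c)
allocated by thread T0 here:
#0 0x7ff32f15a6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x40562f in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379
#2 0x4907f4 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48342
"""

HEAD_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
REGION_RE = re.compile(r"located (\d+) bytes to the (left|right|inside) of (\d+)-byte region")
# Frames with source info end in "file:line"; library frames ("(libasan.so.2+0x...)") do not match.
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+):(\d+)$", re.M)

@dataclass
class Triage:
    bug: str                 # e.g. heap-buffer-overflow
    access: str              # READ or WRITE
    size: int                # bytes accessed
    crash_site: str          # file:line of the innermost frame with source info
    alloc_sites: List[str]   # file:line chain that allocated the overflowed region
    region: Optional[int]    # allocation size in bytes
    offset: Optional[int]    # distance from the region boundary
    side: Optional[str]      # left / right / inside

def _source_frames(text: str) -> List[str]:
    return [f"{m.group(2)}:{m.group(3)}" for m in FRAME_RE.finditer(text)]

def triage(report: str) -> Triage:
    head, acc = HEAD_RE.search(report), ACCESS_RE.search(report)
    if not head or not acc:
        raise ValueError("not a recognised ASan report")
    # Frames before "allocated by" describe the access, frames after it the allocation.
    access_part, _, alloc_part = report.partition("allocated by thread")
    region = REGION_RE.search(report)
    frames = _source_frames(access_part)
    return Triage(bug=head.group(1), access=acc.group(1), size=int(acc.group(2)),
                  crash_site=frames[0] if frames else "?", alloc_sites=_source_frames(alloc_part),
                  region=int(region.group(3)) if region else None,
                  offset=int(region.group(1)) if region else None, side=region.group(2) if region else None)

def unique_crashes(reports: List[str]) -> dict:
    """Bucket a fuzzing batch: same bug kind at the same source line is one crash."""
    return {f"{t.bug}@{t.crash_site}": t for t in map(triage, reports)}
```

The allocation chain (CImg::assign at 11379 called from _load_bmp at 48342) next to a 1-byte read 0 bytes past a 60-byte region points at a pixel-data read whose index is derived from header fields rather than from the buffer that was actually allocated.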
