Stack-buffer-overflow bug #192
Comments
Could you please make sure you've tested with LibRaw 0.19.1 (exactly)? Meanwhile, ynum_len check is definitely needed in code.

Oh, I downloaded this project from the official website yesterday.

@DawnYang-cn you might want to quote program output text. See https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet#code "Blocks of code are either fenced by lines with three back-ticks". Thanks for your efforts!

I got that! Thank you!
Hello!
I have been learning AFL-Fuzz recently, and I found a bug in this project.
POC is here
Please confirm.
Best regards
Version
release 0.19.1
Environment
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609
disable-shared
```
./raw-identify POC
```
Information
```
=================================================================
==95677==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffdcba9ac0 at pc 0x7f04239a06c3 bp 0x7fffdcba9020 sp 0x7fffdcba87c8
WRITE of size 45 at 0x7fffdcba9ac0 thread T0
    #0 0x7f04239a06c2 in __interceptor_strncpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x766c2)
    #1 0x487e28 in LibRaw::parse_makernote(int, int) internal/dcraw_common.cpp:10349
    #2 0x499188 in LibRaw::parse_exif(int) internal/dcraw_common.cpp:11857
    #3 0x4a9da2 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:13262
    #4 0x4b5af2 in LibRaw::parse_tiff(int) internal/dcraw_common.cpp:14080
    #5 0x4ce14f in LibRaw::identify() internal/dcraw_common.cpp:17781
    #6 0x50e4c7 in LibRaw::open_datastream(LibRaw_abstract_datastream*) src/libraw_cxx.cpp:2014
    #7 0x507894 in LibRaw::open_file(char const*, long long) src/libraw_cxx.cpp:1052
    #8 0x404c16 in main samples/raw-identify.cpp:136
    #9 0x7f04223f082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x4040f8 in _start (/home/dawn/Libraw-asan/LibRaw-0.19.1/bin/raw-identify+0x4040f8)

Address 0x7fffdcba9ac0 is located in stack of thread T0 at offset 2448 in frame
    #0 0x48584d in LibRaw::parse_makernote(int, int) internal/dcraw_common.cpp:10091

  This frame has 43 object(s):
    [32, 33) 'uc'
    [96, 97) 'uc'
    [160, 162) 'table_buf_0x0116_len'
    [224, 226) 'table_buf_0x2010_len'
    [288, 290) 'table_buf_0x9050_len'
    [352, 354) 'table_buf_0x9400_len'
    [416, 418) 'table_buf_0x9402_len'
    [480, 482) 'table_buf_0x9403_len'
    [544, 546) 'table_buf_0x9406_len'
    [608, 610) 'table_buf_0x940c_len'
    [672, 674) 'table_buf_0x940e_len'
    [736, 740) 'tag'
    [800, 804) 'type'
    [864, 868) 'len'
    [928, 932) 'save'
    [992, 996) 'c'
    [1056, 1064) 'table_buf_0x0116'
    [1120, 1128) 'table_buf_0x2010'
    [1184, 1192) 'table_buf_0x9050'
    [1248, 1256) 'table_buf_0x9400'
    [1312, 1320) 'table_buf_0x9402'
    [1376, 1384) 'table_buf_0x9403'
    [1440, 1448) 'table_buf_0x9406'
    [1504, 1512) 'table_buf_0x940c'
    [1568, 1576) 'table_buf_0x940e'
    [1632, 1648) 'wb'
    [1696, 1712) 'wb'
    [1760, 1784) 'oly_lensid'
    [1824, 1856) 'words'
    [1888, 1932) 'SamsungKey'
    [1984, 1986) 'yy'
    [2048, 2051) 'mm'
    [2112, 2115) 'dd'
    [2176, 2184) 'sOlyID'
    [2240, 2249) 'buffer'
    [2304, 2314) 'buf'
    [2368, 2384) 'ystr'
    [2432, 2448) 'ynum' <== Memory access at offset 2448 overflows this variable
    [2496, 2513) 'buffer'
    [2560, 2580) 'LensInfo'
    [2624, 2688) 'FujiSerial'
    [2720, 2784) 'tbuf'
    [2816, 3140) 'buf97'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_strncpy
Shadow bytes around the buggy address:
  0x10007b96d300: f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00 00 00 f2 f2
  0x10007b96d310: f2 f2 00 00 00 00 00 04 f4 f4 f2 f2 f2 f2 02 f4
  0x10007b96d320: f4 f4 f2 f2 f2 f2 03 f4 f4 f4 f2 f2 f2 f2 03 f4
  0x10007b96d330: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 01
  0x10007b96d340: f4 f4 f2 f2 f2 f2 00 02 f4 f4 f2 f2 f2 f2 00 00
=>0x10007b96d350: f4 f4 f2 f2 f2 f2 00 00[f4]f4 f2 f2 f2 f2 00 00
  0x10007b96d360: 01 f4 f2 f2 f2 f2 00 00 04 f4 f2 f2 f2 f2 00 00
  0x10007b96d370: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
  0x10007b96d380: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x10007b96d390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b96d3a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==95677==ABORTING
```
WRLAB
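The report shows a 45-byte strncpy into the 16-byte `ynum` stack buffer ([2432, 2448) in the frame listing), which is exactly why the maintainer asks for a ynum_len check. The following is an added illustration of that check in C, not LibRaw's own code: YNUM_SIZE, ynum_len_ok, copy_ynum_bounded and the 45-byte sample value are assumptions taken only from the sizes in the ASan output.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the 16-byte 'ynum' stack buffer named in the
 * ASan frame listing ([2432, 2448) 'ynum'); not LibRaw's own code. */
#define YNUM_SIZE 16

/* Does a tag length read from the file fit into ynum with its terminator? */
int ynum_len_ok(size_t ynum_len)
{
    return ynum_len < YNUM_SIZE;
}

/* Copy a file-supplied tag value into ynum, clamping the length first so
 * strncpy can never write past the buffer. Returns the bytes copied. */
size_t copy_ynum_bounded(char ynum[YNUM_SIZE], const char *src, size_t ynum_len)
{
    if (!ynum_len_ok(ynum_len))
        ynum_len = YNUM_SIZE - 1;      /* truncate instead of overflowing */
    strncpy(ynum, src, ynum_len);
    ynum[ynum_len] = '\0';             /* strncpy does not guarantee this */
    return ynum_len;
}

/* Constructed input: a 45-byte tag value, the write size ASan reported.
 * Like raw file data it carries no NUL terminator. */
size_t demo_oversized_tag(char ynum[YNUM_SIZE])
{
    char tag_value[45];
    memset(tag_value, 'A', sizeof tag_value);
    return copy_ynum_bounded(ynum, tag_value, sizeof tag_value);
}

int main(void)
{
    char ynum[YNUM_SIZE];
    size_t n = demo_oversized_tag(ynum);
    printf("copied %zu bytes: %s\n", n, ynum);   /* copied 15 bytes: AAAAAAAAAAAAAAA */
    return 0;
}
```

Whether to truncate or reject an oversized tag is a policy choice; the essential point is that the length read from the file is validated before it reaches strncpy.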