
Stack-buffer-overflow bug #192

Closed

Description

@DawnYang-cn

Hello!
I have been learning AFL-Fuzz recently, and I found a bug in this project.
The POC is here.
Please confirm.
Best regards

Version

release 0.19.1

Environment

gcc (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609
disable-shared
./raw-identify POC

Information

=================================================================
==95677==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffdcba9ac0 at pc 0x7f04239a06c3 bp 0x7fffdcba9020 sp 0x7fffdcba87c8
WRITE of size 45 at 0x7fffdcba9ac0 thread T0
#0 0x7f04239a06c2 in __interceptor_strncpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x766c2)
#1 0x487e28 in LibRaw::parse_makernote(int, int) internal/dcraw_common.cpp:10349
#2 0x499188 in LibRaw::parse_exif(int) internal/dcraw_common.cpp:11857
#3 0x4a9da2 in LibRaw::parse_tiff_ifd(int) internal/dcraw_common.cpp:13262
#4 0x4b5af2 in LibRaw::parse_tiff(int) internal/dcraw_common.cpp:14080
#5 0x4ce14f in LibRaw::identify() internal/dcraw_common.cpp:17781
#6 0x50e4c7 in LibRaw::open_datastream(LibRaw_abstract_datastream*) src/libraw_cxx.cpp:2014
#7 0x507894 in LibRaw::open_file(char const*, long long) src/libraw_cxx.cpp:1052
#8 0x404c16 in main samples/raw-identify.cpp:136
#9 0x7f04223f082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x4040f8 in _start (/home/dawn/Libraw-asan/LibRaw-0.19.1/bin/raw-identify+0x4040f8)

Address 0x7fffdcba9ac0 is located in stack of thread T0 at offset 2448 in frame
#0 0x48584d in LibRaw::parse_makernote(int, int) internal/dcraw_common.cpp:10091

This frame has 43 object(s):
[32, 33) 'uc'
[96, 97) 'uc'
[160, 162) 'table_buf_0x0116_len'
[224, 226) 'table_buf_0x2010_len'
[288, 290) 'table_buf_0x9050_len'
[352, 354) 'table_buf_0x9400_len'
[416, 418) 'table_buf_0x9402_len'
[480, 482) 'table_buf_0x9403_len'
[544, 546) 'table_buf_0x9406_len'
[608, 610) 'table_buf_0x940c_len'
[672, 674) 'table_buf_0x940e_len'
[736, 740) 'tag'
[800, 804) 'type'
[864, 868) 'len'
[928, 932) 'save'
[992, 996) 'c'
[1056, 1064) 'table_buf_0x0116'
[1120, 1128) 'table_buf_0x2010'
[1184, 1192) 'table_buf_0x9050'
[1248, 1256) 'table_buf_0x9400'
[1312, 1320) 'table_buf_0x9402'
[1376, 1384) 'table_buf_0x9403'
[1440, 1448) 'table_buf_0x9406'
[1504, 1512) 'table_buf_0x940c'
[1568, 1576) 'table_buf_0x940e'
[1632, 1648) 'wb'
[1696, 1712) 'wb'
[1760, 1784) 'oly_lensid'
[1824, 1856) 'words'
[1888, 1932) 'SamsungKey'
[1984, 1986) 'yy'
[2048, 2051) 'mm'
[2112, 2115) 'dd'
[2176, 2184) 'sOlyID'
[2240, 2249) 'buffer'
[2304, 2314) 'buf'
[2368, 2384) 'ystr'
[2432, 2448) 'ynum' <== Memory access at offset 2448 overflows this variable
[2496, 2513) 'buffer'
[2560, 2580) 'LensInfo'
[2624, 2688) 'FujiSerial'
[2720, 2784) 'tbuf'
[2816, 3140) 'buf97'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_strncpy
Shadow bytes around the buggy address:
0x10007b96d300: f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00 00 00 f2 f2
0x10007b96d310: f2 f2 00 00 00 00 00 04 f4 f4 f2 f2 f2 f2 02 f4
0x10007b96d320: f4 f4 f2 f2 f2 f2 03 f4 f4 f4 f2 f2 f2 f2 03 f4
0x10007b96d330: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 01
0x10007b96d340: f4 f4 f2 f2 f2 f2 00 02 f4 f4 f2 f2 f2 f2 00 00
=>0x10007b96d350: f4 f4 f2 f2 f2 f2 00 00[f4]f4 f2 f2 f2 f2 00 00
0x10007b96d360: 01 f4 f2 f2 f2 f2 00 00 04 f4 f2 f2 f2 f2 00 00
0x10007b96d370: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
0x10007b96d380: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
0x10007b96d390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007b96d3a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==95677==ABORTING

WRLAB
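The report above is a 45-byte strncpy() into the 16-byte stack object ynum in LibRaw::parse_makernote, i.e. a copy whose bound came from the file rather than from the destination. The C below is an added example, not LibRaw's code and not the fix the project applied: it constructs a small IFD-style entry with a file-supplied length and shows the vulnerable copy shape next to a bounded, NUL-terminating version that also rejects a length field larger than the remaining input. The entry layout, the reuse of tag 0x0116 (a tag number that appears in the frame listing) and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LibRaw code. A fixed 16-byte destination, sized like
 * the 'ynum' variable in the ASan frame, filled from a tag whose length
 * field is read from the file. Constructed entry layout:
 * tag(2, LE) type(2, LE) len(4, LE) payload(len). */
#define YNUM_SIZE 16

static uint32_t get_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: the file's own 'len' is the strncpy bound, so a length
 * larger than the destination writes past it, which is what ASan reported
 * (WRITE of size 45 into a 16-byte object). Shown for contrast only; the
 * parser below never calls it. */
void copy_tag_unbounded(char *dst, const uint8_t *src, uint32_t len)
{
    strncpy(dst, (const char *)src, len);
}

/* Hardened form: the bound is the destination size, the result is always
 * NUL-terminated, and the caller is told when the payload was clamped.
 * Returns 1 if truncated, 0 otherwise. */
static int copy_tag_bounded(char *dst, size_t dstsz,
                            const uint8_t *src, uint32_t len)
{
    size_t n = len;
    int truncated = 0;
    if (dstsz == 0)
        return 1;
    if (n > dstsz - 1) {
        n = dstsz - 1;
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Parse one entry from buf into ynum. Returns -1 if the header is
 * incomplete or the length field exceeds the bytes actually present
 * (a lying length must not become an out-of-bounds read), else the
 * truncation flag from copy_tag_bounded(). */
int parse_entry(const uint8_t *buf, size_t bufsz, char *ynum, size_t ynumsz)
{
    if (bufsz < 8)
        return -1;
    uint32_t len = get_u32le(buf + 4);
    if (len > bufsz - 8)
        return -1;
    return copy_tag_bounded(ynum, ynumsz, buf + 8, len);
}

/* Build a constructed entry whose payload is 'len' copies of 'fill'.
 * 'out' must have room for 8 + len bytes. Returns the entry size. */
size_t build_entry(uint8_t *out, uint16_t tag, uint32_t len, char fill)
{
    out[0] = (uint8_t)(tag & 0xff);
    out[1] = (uint8_t)(tag >> 8);
    out[2] = 2;                       /* TIFF type 2 = ASCII */
    out[3] = 0;
    out[4] = (uint8_t)(len & 0xff);
    out[5] = (uint8_t)((len >> 8) & 0xff);
    out[6] = (uint8_t)((len >> 16) & 0xff);
    out[7] = (uint8_t)((len >> 24) & 0xff);
    memset(out + 8, (unsigned char)fill, len);
    return 8 + len;
}

/* A 45-byte payload (the size in the report) aimed at a 16-byte buffer:
 * expect a clamp to 15 characters plus NUL. Returns 1 on that outcome. */
int demo_oversized(void)
{
    uint8_t entry[8 + 45];
    char ynum[YNUM_SIZE];
    size_t n = build_entry(entry, 0x0116, 45, 'A');
    int rc = parse_entry(entry, n, ynum, sizeof ynum);
    return rc == 1 && strlen(ynum) == YNUM_SIZE - 1;
}

/* A well-formed 4-byte payload is copied intact. Returns 1 on that outcome. */
int demo_wellformed(void)
{
    uint8_t entry[8 + 4];
    char ynum[YNUM_SIZE];
    size_t n = build_entry(entry, 0x0116, 4, '9');
    int rc = parse_entry(entry, n, ynum, sizeof ynum);
    return rc == 0 && strcmp(ynum, "9999") == 0;
}

/* Length field claims 45 bytes but only 4 follow: the parser must refuse
 * rather than read beyond the input. Returns 1 if it refused. */
int demo_lying_length(void)
{
    uint8_t entry[8 + 4];
    char ynum[YNUM_SIZE];
    build_entry(entry, 0x0116, 4, '9');
    entry[4] = 45;                    /* corrupt the little-endian length */
    return parse_entry(entry, sizeof entry, ynum, sizeof ynum) == -1;
}

int main(void)
{
    printf("oversized clamped: %d\n", demo_oversized());
    printf("well-formed copied: %d\n", demo_wellformed());
    printf("lying length rejected: %d\n", demo_lying_length());
    return 0;
}
```

Compiling this with -fsanitize=address and calling copy_tag_unbounded() from demo_oversized() instead of the bounded path reproduces the same stack-buffer-overflow class as the report; the bounded path is silent under ASan because every write is inside sizeof ynum.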
