There is a buffer overflow when using function raw2image() #193

Closed
windpraying opened this Issue Dec 19, 2018 · 9 comments

windpraying commented Dec 19, 2018

Description

When using the function raw2image(), there will be a buffer overflow

My test program

4channels in Libraw/bin

Command and argument

./configure --disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb"
./4channels ../../../output2/dcraw_emu2/crashes/id:000000,sig:11,src:002769+002786,op:splice,rep:4

Crash Information

Processing file ../../../output2/dcraw_emu2/crashes/id:000000,sig:11,src:002769+002786,op:splice,rep:4
ASAN:SIGSEGV
=================================================================
==47956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042a61d bp 0x7ffdaf5c2c00 sp 0x7ffdaf5c2b20 T0)
    #0 0x42a61c in LibRaw::raw2image() src/libraw_cxx.cpp:3409
    #1 0x404824 in main samples/4channels.cpp:110
    #2 0x7fc4d13ce82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x403df8 in _start (/home/wind/libraw_fuzz_new/as_libraw/LibRaw-master/bin/4channels+0x403df8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/libraw_cxx.cpp:3409 LibRaw::raw2image()
==47956==ABORTING

POC File

crash.zip

CREDIT

pu!m,Huawei Weiran Labs

LibRaw commented Dec 19, 2018

Could you please specify what LibRaw version (branch, commit ID, etc) has this problem?

Just checked with 4channels from current master branch: it refuses your crash sample at early stage.

windpraying commented Dec 19, 2018

It's the master branch, commit ID is e6c6d25.

LibRaw commented Dec 19, 2018

This is not a buffer overflow, but a possible write at 0. Fixed in this patch: 7e29b9f

@LibRaw LibRaw closed this Dec 19, 2018
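
The difference between the title's "buffer overflow" and the "write at 0" in the LibRaw reply above can be read off the first lines of an AddressSanitizer report. The following triage helper is an added example, not code from this thread or from LibRaw; the 0x1000 near-null threshold and the heap-buffer-overflow report used for contrast are constructed assumptions.

```python
import re

# First lines of the ASan report quoted in this issue.
SEGV_REPORT = """\
==47956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042a61d bp 0x7ffdaf5c2c00 sp 0x7ffdaf5c2b20 T0)
    #0 0x42a61c in LibRaw::raw2image() src/libraw_cxx.cpp:3409
    #1 0x404824 in main samples/4channels.cpp:110
"""
# Constructed report (not from this issue) showing what an overflow looks like.
OVERFLOW_REPORT = """\
==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x000000401234 bp 0x7ffc00000000 sp 0x7ffc00000008
WRITE of size 2 at 0x60200000eff4 thread T0
    #0 0x401233 in example_copy() example.c:10
"""

HEADER = re.compile(
    r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
FRAME0 = re.compile(r"^\s*#0 0x[0-9a-fA-F]+ in (.+?) (\S+:\d+)\s*$", re.M)
NULL_PAGE = 0x1000  # assumption: faults below one page count as near-null


def triage(report):
    """Return (category, bug_type, fault_address, top_frame) for an ASan report."""
    m = HEADER.search(report)
    if not m:
        # e.g. a bare "Segmentation fault" from a non-instrumented build
        return ("unparsed", None, None, None)
    bug_type, addr = m.group(1), int(m.group(2), 16)
    f = FRAME0.search(report)
    frame = f"{f.group(1)} at {f.group(2)}" if f else None
    if bug_type == "SEGV":
        # No shadow-memory verdict: ASan only saw the signal, so the fault
        # address is the main clue (0 here, i.e. a null pointer access).
        category = "near-null access" if addr < NULL_PAGE else "wild access"
    elif bug_type.endswith("-overflow"):
        category = "out-of-bounds access"
    else:
        category = "other"
    return (category, bug_type, addr, frame)


if __name__ == "__main__":
    print(triage(SEGV_REPORT))
    print(triage(OVERFLOW_REPORT))
```
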
windpraying commented Dec 20, 2018

This crash also exists in the latest commit 7e29b9f.
When I execute my sample, the program will be like this

LibRaw-0.19.1/bin# ./4channels ../0000 
Processing file ../0000
Segmentation fault

And when I use AddressSanitizer, the program will be like this

Processing file ../../../4channels_output/output2/4channels2/crashes/id:000000,sig:11,src:002769+002786,op:splice,rep:4
ASAN:SIGSEGV
=================================================================
==44409==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042a61d bp 0x7fffa994dca0 sp 0x7fffa994dbc0 T0)
    #0 0x42a61c in LibRaw::raw2image() src/libraw_cxx.cpp:3409
    #1 0x404824 in main samples/4channels.cpp:110
    #2 0x7f13207ba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x403df8 in _start (/home/wind/libraw_fuzz_new/LibRaw_new/LibRaw-master/bin/4channels+0x403df8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/libraw_cxx.cpp:3409 LibRaw::raw2image()
==44409==ABORTING

LibRaw commented Dec 20, 2018

Could not confirm that: just recompiled latest commit with clang, there is no SEGV in raw2image

./bin/4channels ~/asan/0000.raw

Processing file /home/lexa/asan/0000.raw
Black level (unscaled)=0
Writing file /home/lexa/asan/0000.raw.R.tiff
Writing file /home/lexa/asan/0000.raw.G.tiff
Writing file /home/lexa/asan/0000.raw.B.tiff
Writing file /home/lexa/asan/0000.raw.G2.tiff

windpraying commented Dec 20, 2018

After I confirmed, in the latest 7e29b9f, it is like this

./4channels ../../../0000.raw
Processing file ../../../0000.raw
Black level (unscaled)=0
Writing file ../../../0000.raw.R.tiff
lt-4channels: malloc.c:2394: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Aborted

My environment is Linux ubuntu 4.15.0-42-generic #45~16.04.1-Ubuntu SMP Mon Nov 19 13:02:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
And the previous issue (SEGV) is in e6c6d25. When I committed the SEGV issue, you hadn't updated the latest 7e29b9f.

LibRaw commented Dec 20, 2018

Your latest report (malloc assertion) definitely points to some other problem, because raw2image is already done before black level subtraction (reported) and file write

carnil commented Dec 22, 2018

This was assigned CVE-2018-20363

LibRaw commented Dec 24, 2018

This specific initial case is definitely resolved. Please open another issue if there is another problem (not raw2image/raw2image_ex/copy_bayer related).