
A heap-buffer-overflow exists when using the function raw2image() #195

Closed
@fantasyoung

Description


A heap-buffer-overflow exists in LibRaw::raw2image() at src/libraw_cxx.cpp:3423

My test program

4channels in Libraw/bin

Command and argument

./4channels 4channels_crash

Crash Information

The output of the example test with AddressSanitizer enabled

==98918==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62800000b900 at pc 0x7f498eedbe62 bp 0x7fff93fa5040 sp 0x7fff93fa47e8
WRITE of size 208 at 0x62800000b900 thread T0
    #0 0x7f498eedbe61 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8ce61)
    #1 0x42aae0 in LibRaw::raw2image() src/libraw_cxx.cpp:3423
    #2 0x404824 in main samples/4channels.cpp:110
    #3 0x7f498db6c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x403df8 in _start (/home/wind/libraw_fuzz_new/as_libraw_7e29b/LibRaw-7e29b9f29449fde30cc878fbb137d61c14bba3a4/bin/4channels+0x403df8)

0x62800000b900 is located 0 bytes to the right of 14336-byte region [0x628000008100,0x62800000b900)
allocated by thread T0 here:
    #0 0x7f498eee779a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x455d8f in libraw_memmgr::calloc(unsigned long, unsigned long) libraw/libraw_alloc.h:56
    #2 0x410458 in LibRaw::calloc(unsigned long, unsigned long) src/libraw_cxx.cpp:557
    #3 0x429b34 in LibRaw::raw2image() src/libraw_cxx.cpp:3369
    #4 0x404824 in main samples/4channels.cpp:110
    #5 0x7f498db6c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
  0x0c507fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff9710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c507fff9720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==98918==ABORTING

Version

The commit is 7e29b9f

POC File

crash.zip

CREDIT

pu!m, Weiran Labs
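The sanitizer report above names the fault site but leaves the triager to work out the extent of the corruption by hand. As an added triage helper (my own code, not part of the reporter's issue or of LibRaw), the Python below parses the quoted ASan lines and derives how far the 208-byte write reaches past the 14336-byte calloc region and which non-runtime frames of the fault and allocation stacks to inspect; the embedded excerpt is constructed from the report above.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in the issue above.
ASAN_REPORT = """\
==98918==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62800000b900 at pc 0x7f498eedbe62 bp 0x7fff93fa5040 sp 0x7fff93fa47e8
WRITE of size 208 at 0x62800000b900 thread T0
    #0 0x7f498eedbe61 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8ce61)
    #1 0x42aae0 in LibRaw::raw2image() src/libraw_cxx.cpp:3423
    #2 0x404824 in main samples/4channels.cpp:110

0x62800000b900 is located 0 bytes to the right of 14336-byte region [0x628000008100,0x62800000b900)
allocated by thread T0 here:
    #0 0x7f498eee779a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x455d8f in libraw_memmgr::calloc(unsigned long, unsigned long) libraw/libraw_alloc.h:56
    #2 0x410458 in LibRaw::calloc(unsigned long, unsigned long) src/libraw_cxx.cpp:557
    #3 0x429b34 in LibRaw::raw2image() src/libraw_cxx.cpp:3369
"""

HEADER_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"is located \d+ bytes .*? of \d+-byte region "
                       r"\[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$", re.M)


def project_frames(section):
    """Stack frames belonging to the program under test, with the ASan runtime filtered out."""
    return [f'{m["func"]} at {m["loc"]}'
            for m in FRAME_RE.finditer(section)
            if "libasan" not in m["loc"] and not m["func"].startswith(("__asan", "__interceptor"))]


def triage_asan(report):
    """Extract what a triager needs: access type and size, how far the access reaches
    outside the allocation, and the non-runtime frames of the fault and allocation stacks."""
    header, access, region = HEADER_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (header and access and region):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    addr, size = int(access["addr"], 16), int(access["size"])
    r_start, r_end = int(region["start"], 16), int(region["end"], 16)
    fault_part, _, alloc_part = report.partition("allocated by")
    return {
        "kind": header["kind"],
        "op": access["op"],
        "access_size": size,
        "region_size": r_end - r_start,                 # computed from the region bounds (14336 here)
        "overrun_bytes": max(0, addr + size - r_end),   # bytes written past the end of the region
        "underrun_bytes": max(0, r_start - addr),       # bytes accessed before its start (0 here)
        "fault_frames": project_frames(fault_part),
        "alloc_frames": project_frames(alloc_part),
    }


if __name__ == "__main__":
    for key, value in triage_asan(ASAN_REPORT).items():
        print(f"{key}: {value}")
```

A 208-byte write that begins exactly at the end of the region means every byte of the memmove lands in the right redzone, which is why the triage output reports an overrun equal to the full access size.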
