Closed
Description
Description
It exists heap-buffer-overflow in LibRaw::raw2image() src/libraw_cxx.cpp:3423
My test program
4channels in Libraw/bin
Command and argument
./4channels 4channels_crash
Crash Information
The output of exampletest with address sanitizer enabled
==98918==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62800000b900 at pc 0x7f498eedbe62 bp 0x7fff93fa5040 sp 0x7fff93fa47e8
WRITE of size 208 at 0x62800000b900 thread T0
#0 0x7f498eedbe61 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8ce61)
#1 0x42aae0 in LibRaw::raw2image() src/libraw_cxx.cpp:3423
#2 0x404824 in main samples/4channels.cpp:110
#3 0x7f498db6c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x403df8 in _start (/home/wind/libraw_fuzz_new/as_libraw_7e29b/LibRaw-7e29b9f29449fde30cc878fbb137d61c14bba3a4/bin/4channels+0x403df8)
0x62800000b900 is located 0 bytes to the right of 14336-byte region [0x628000008100,0x62800000b900)
allocated by thread T0 here:
#0 0x7f498eee779a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x455d8f in libraw_memmgr::calloc(unsigned long, unsigned long) libraw/libraw_alloc.h:56
#2 0x410458 in LibRaw::calloc(unsigned long, unsigned long) src/libraw_cxx.cpp:557
#3 0x429b34 in LibRaw::raw2image() src/libraw_cxx.cpp:3369
#4 0x404824 in main samples/4channels.cpp:110
#5 0x7f498db6c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
0x0c507fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c507fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c507fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c507fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c507fff9710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c507fff9720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c507fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c507fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c507fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c507fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c507fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==98918==ABORTING
Version
the commit is 7e29b9f
POC File
CREDIT
pu!m,Weiran Labs
Metadata
Metadata
Assignees
Labels
No labels