Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
poc: poc.tiff.zip
reproduce steps:
result:
================================================================= ==28701==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc48fb70a0 at pc 0x0000006b4b25 bp 0x7ffc48fb6f90 sp 0x7ffc48fb6f88 READ of size 8 at 0x7ffc48fb70a0 thread T0 #0 0x6b4b24 in LibRaw::identify_process_dng_fields() /home/casper/targets/struct/libraw/afl/BUILD/src/metadata/identify.cpp:1309:24 #1 0x69688e in LibRaw::identify() /home/casper/targets/struct/libraw/afl/BUILD/src/metadata/identify.cpp:1055:4 #2 0x53e843 in LibRaw::open_datastream(LibRaw_abstract_datastream*) /home/casper/targets/struct/libraw/afl/BUILD/src/utils/open.cpp:390:4 #3 0x53d0fe in LibRaw::open_file(char const*, long long) /home/casper/targets/struct/libraw/afl/BUILD/src/utils/open.cpp:61:13 #4 0x4f5efa in main /home/casper/targets/struct/libraw/afl/BUILD/samples/dcraw_emu.cpp:562:28 #5 0x7f24ee8f1b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #6 0x41d829 in _start (/home/casper/targets/struct/libraw/afl/smallrun/dcraw_emu+0x41d829) Address 0x7ffc48fb70a0 is located in stack of thread T0 at offset 256 in frame #0 0x6adf8f in LibRaw::identify_process_dng_fields() /home/casper/targets/struct/libraw/afl/BUILD/src/metadata/identify.cpp:1216 This frame has 10 object(s): [32, 40) 'illidx' (line 1247) [64, 72) 'cmidx' (line 1247) [96, 104) 'calidx' (line 1247) [128, 256) 'cc' (line 1263) <== Memory access at offset 256 overflows this variable [288, 384) 'cm' (line 1263) [416, 512) 'cam_xyz' (line 1263) [544, 560) 'csum' (line 1485) [576, 592) 'ccount' (line 1485) [608, 624) 'csum1359' (line 1504) [640, 656) 'ccount1360' (line 1504) HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/casper/targets/struct/libraw/afl/BUILD/src/metadata/identify.cpp:1309:24 in LibRaw::identify_process_dng_fields() Shadow bytes around the buggy address: 0x1000091eedc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000091eedd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000091eede0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000091eedf0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 0x1000091eee00: 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1000091eee10: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00 0x1000091eee20: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 0x1000091eee30: 00 00 00 00 f2 f2 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2 0x1000091eee40: f8 f8 f2 f2 f8 f8 f3 f3 00 00 00 00 00 00 00 00 0x1000091eee50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000091eee60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==28701==ABORTING
The text was updated successfully, but these errors were encountered:
Already fixed by: 4feaed4
Sorry, something went wrong.
CVE-2020-24870 is allocated for this.
No branches or pull requests
poc:
poc.tiff.zip
reproduce steps:
result:
The text was updated successfully, but these errors were encountered: