
There exists heap-buffer-overflow when using function raw2image_ex(int) #557

Closed
DaisyPo opened this issue Jan 14, 2023 · 11 comments
Labels
waitforfeedback wait for reporter's feedback (10 days max)

Comments

@DaisyPo

DaisyPo commented Jan 14, 2023

Description

There exists a heap-buffer-overflow in LibRaw::raw2image_ex(int) src/preprocessing/raw2image.cpp:492

My test program

dcraw_half in Libraw/bin

Command and argument

./dcraw_half crash_dcraw_half

Crash Information

The output of the test program with AddressSanitizer enabled

==611348==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000013300 at pc 0x7fc7701d804d bp 0x7ffc1d184d60 sp 0x7ffc1d184508
WRITE of size 2224 at 0x62d000013300 thread T0
    #0 0x7fc7701d804c in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:773
    #1 0x7fc770001f0e in LibRaw::raw2image_ex(int) src/preprocessing/raw2image.cpp:492
    #2 0x7fc76ffd2bd3 in LibRaw::dcraw_process() src/postprocessing/dcraw_process.cpp:43
    #3 0x56227007b71b in main samples/dcraw_half.c:66
    #4 0x7fc76f814082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x56227007be0d in _start (/root/target/latest/LibRaw-0.21.1/build_afl_asan/bin/dcraw_half+0x2e0d)

0x62d000013300 is located 0 bytes to the right of 36608-byte region [0x62d00000a400,0x62d000013300)
allocated by thread T0 here:
    #0 0x7fc770244a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x7fc77004cca5 in libraw_memmgr::calloc(unsigned long, unsigned long) libraw/libraw_alloc.h:56
    #2 0x7fc77004cca5 in LibRaw::calloc(unsigned long, unsigned long) src/utils/utils_libraw.cpp:271

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:773 in __interceptor_memmove
Shadow bytes around the buggy address:
  0x0c5a7fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a7fffa660:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==611348==ABORTING

Version

LibRaw 0.21.1 release
the commit is cccb976

POC File

crash_dcraw_half.zip
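As a triage aid for reports like the one above, here is an added Python example (not part of this issue and not LibRaw code) that parses the ASan output quoted in the report and works out how much of the memmove lands outside the calloc'd region and which project frame performed the write. The REPORT string is constructed input copied from the comment above; the regexes assume the standard ASan report layout and nothing LibRaw-specific.

```python
"""Parse an AddressSanitizer heap-buffer-overflow report and quantify the overflow.

Added example (not LibRaw code). Input: the ASan text pasted in the issue,
embedded below as constructed input so the script runs offline.
"""
import re
from dataclasses import dataclass

# Copied from the issue report (summary and shadow-byte dump omitted).
REPORT = """\
==611348==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000013300 at pc 0x7fc7701d804d bp 0x7ffc1d184d60 sp 0x7ffc1d184508
WRITE of size 2224 at 0x62d000013300 thread T0
    #0 0x7fc7701d804c in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:773
    #1 0x7fc770001f0e in LibRaw::raw2image_ex(int) src/preprocessing/raw2image.cpp:492
    #2 0x7fc76ffd2bd3 in LibRaw::dcraw_process() src/postprocessing/dcraw_process.cpp:43
    #3 0x56227007b71b in main samples/dcraw_half.c:66
    #4 0x7fc76f814082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x56227007be0d in _start (/root/target/latest/LibRaw-0.21.1/build_afl_asan/bin/dcraw_half+0x2e0d)

0x62d000013300 is located 0 bytes to the right of 36608-byte region [0x62d00000a400,0x62d000013300)
allocated by thread T0 here:
    #0 0x7fc770244a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x7fc77004cca5 in libraw_memmgr::calloc(unsigned long, unsigned long) libraw/libraw_alloc.h:56
    #2 0x7fc77004cca5 in LibRaw::calloc(unsigned long, unsigned long) src/utils/utils_libraw.cpp:271
"""

# "#N 0x... in <function> <file:line>": the function may contain spaces
# (C++ parameter lists), so match it lazily and take the last token as location.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$", re.M)


@dataclass
class Triage:
    bug: str           # e.g. heap-buffer-overflow
    access: str        # READ or WRITE
    size: int          # bytes accessed
    addr: int          # first bad address
    region_lo: int     # allocation start (inclusive)
    region_hi: int     # allocation end (exclusive)
    region_size: int   # size ASan reports for the allocation
    culprit: str       # first frame outside the sanitizer runtime


def parse_report(text: str) -> Triage:
    m = re.search(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)", text)
    if not m:
        raise ValueError("not an ASan error report")
    bug, addr = m.group(1), int(m.group(2), 16)
    m = re.search(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", text, re.M)
    access, size = m.group(1), int(m.group(2))
    m = re.search(r"(\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)", text)
    region_size, lo, hi = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    # The access stack precedes "allocated by"; the first frame that is not an
    # ASan interceptor is the code that actually issued the bad write.
    access_trace = text.split("allocated by", 1)[0]
    culprit = next(
        fn for _, fn, loc in FRAME_RE.findall(access_trace)
        if not fn.startswith("__interceptor_") and "libsanitizer" not in loc
    )
    return Triage(bug, access, size, addr, lo, hi, region_size, culprit)


def out_of_bounds_bytes(t: Triage) -> int:
    """Bytes of the access [addr, addr+size) lying outside [region_lo, region_hi).

    ASan only reports the first bad byte, so the size of the access must be
    combined with the region bounds to see how much memory was clobbered.
    """
    end = t.addr + t.size
    before = max(0, t.region_lo - t.addr)
    after = max(0, end - max(t.region_hi, t.addr))
    return before + after


def summary(t: Triage) -> str:
    past_end = t.addr - t.region_hi
    return (f"{t.bug}: {t.access} of {t.size} bytes at {t.addr:#x}, "
            f"{out_of_bounds_bytes(t)} bytes outside the {t.region_size}-byte region "
            f"({past_end} bytes to the right of its end); culprit {t.culprit}")


if __name__ == "__main__":
    print(summary(parse_report(REPORT)))
```

For this report the faulting address equals the region end and the write is 2224 bytes, so the whole memmove is out of bounds rather than a one-byte off-by-one; that is the kind of overrun that, without ASan, corrupts the following heap chunk's metadata and is consistent with the glibc "malloc(): corrupted top size" abort mentioned later in the thread.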

@LibRaw
Owner

LibRaw commented Jan 14, 2023

LibRaw::open_file() refuses your sample as 'unsupported or not raw file'.

Please make sure you've submitted the correct POC file.

@LibRaw LibRaw added the waitforfeedback wait for reporter's feedback (10 days max) label Jan 14, 2023
@DaisyPo
Author

DaisyPo commented Jan 14, 2023

I've tried again and didn't see 'unsupported or not raw file'. crash_dcraw_half.zip needs to be extracted. I also used the zip file itself to run the command just now; that gives "libraw Unsupported file format or not RAW file".

@LibRaw
Owner

LibRaw commented Jan 14, 2023

Sure, I know what zip files are.

The MD5 checksum for the file you provided is: c39ba6fb6d5ee34e2b0833af6acbebc6

It is refused by LibRaw 0.21.1

@DaisyPo
Author

DaisyPo commented Jan 14, 2023

[screenshot]
The direct result is in the picture above. It's "malloc(): corrupted top size". Does this mean LibRaw 0.21.1 refused the file?

@LibRaw
Owner

LibRaw commented Jan 14, 2023

Thank you for your screenshot.
Anyway, I'm unable to reproduce the problem using the POC file you provided.

@DaisyPo
Author

DaisyPo commented Jan 14, 2023

My friend helped me compile LibRaw 0.21.1 on another server (also Linux OS), and I used GDB to analyse the same POC file. It turns out to be a segmentation fault. A little different from the original result (SIGABRT), but still the same position, raw2image.cpp:492.
[screenshot]

At present, I have no idea why you can't reproduce it. I really feel confused.

@LibRaw
Owner

LibRaw commented Jan 14, 2023

Sorry, no Linux here, but the file is not refused by open_file() on FreeBSD and does not crash.

Investigating....

@DaisyPo
Author

DaisyPo commented Jan 14, 2023

Sorry, I always test on Linux OS and forgot to tell you at the beginning. Maybe the bug only exists on Linux? I'm not sure.

@LibRaw
Owner

LibRaw commented Jan 14, 2023

This patch should fix the problem

@DaisyPo
Author

DaisyPo commented Jan 15, 2023

The patch is 9ab70f6, right? I've used the patch and it works well.

@LibRaw
Owner

LibRaw commented Jan 15, 2023

Oh, sorry, forgot to provide patch link. Yes, it is 9ab70f6

Closing as confirmed fixed.

@LibRaw LibRaw closed this as completed Jan 15, 2023