heap-buffer-overflow in function ok_jpg_convert_YCbCr_to_RGB() at ok_jpg.c:513 #12

Closed
ConcoctionSec opened this issue Mar 26, 2021 · 1 comment

Comments

@ConcoctionSec

Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Environment

Ubuntu 18.04, 64bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_jpg.h"
#include "ok_jpg.c"   /* single-file build: the decoder is compiled into main.c */

int main(int _argc, char **_argv) {
    if (_argc < 2) {
        fprintf(stderr, "usage: %s <file.jpg>\n", _argv[0]);
        return 1;
    }
    /* was fopen("_argv[1]", "rb"): the literal string, not the argument */
    FILE *file = fopen(_argv[1], "rb");
    if (!file) {
        perror("fopen");
        return 1;
    }
    ok_jpg image = ok_jpg_read(file, OK_JPG_COLOR_FORMAT_RGBA);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

Compile test program:

$ gcc -g -o main main.c ok_jpg.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -fno-omit-frame-pointer -O1 -o Asanjpg main.c ok_jpg.h

Result

The result of running without ASAN:

$ ./main heap-buffer-overflow-2.jpg
double free or corruption (!prev)
Aborted

Information obtained by using ASAN:

$ ./Asanjpg heap-buffer-overflow-2.jpg
=================================================================
==3402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000024c at pc 0x5632c5205ffb bp 0x7ffc939581c0 sp 0x7ffc939581b0
WRITE of size 1 at 0x63000000024c thread T0
    #0 0x5632c5205ffa in ok_jpg_convert_YCbCr_to_RGB /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:513
    #1 0x5632c5205ffa in ok_jpg_convert_data_unit_color /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:545
    #2 0x5632c5205ffa in ok_jpg_convert_data_unit /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:607
    #3 0x5632c5212c3d in ok_jpg_decode_scan /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1276
    #4 0x5632c5212c3d in ok_jpg_read_sos /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1742
    #5 0x5632c5212c3d in ok_jpg_decode2 /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1930
    #6 0x5632c5212c3d in ok_jpg_decode /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:2004
    #7 0x5632c52142dc in ok_jpg_read_with_allocator /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:268
    #8 0x5632c5214412 in ok_jpg_read /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:257
    #9 0x5632c52146b1 in main /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/main.c:10
    #10 0x7f0ab88adbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5632c5203499 in _start (/home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/Asanjpg+0x1499)

0x63000000024c is located 436 bytes to the left of 60000-byte region [0x630000000400,0x63000000ee60)
allocated by thread T0 here:
    #0 0x7f0ab8d5bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5632c52037e1 in ok_stdlib_alloc /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:55
    #2 0x5632c520ed69 in ok_jpg_read_sof /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1613
    #3 0x5632c520ed69 in ok_jpg_decode2 /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1910
    #4 0x5632c520ed69 in ok_jpg_decode /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:2004
    #5 0x5632c52142dc in ok_jpg_read_with_allocator /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:268
    #6 0x5632c5214412 in ok_jpg_read /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:257
    #7 0x5632c52146b1 in main /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/main.c:10
    #8 0x7f0ab88adbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:513 in ok_jpg_convert_YCbCr_to_RGB
Shadow bytes around the buggy address:
  0x0c607fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c607fff8040: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c607fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3402==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is triggered in function ok_jpg_convert_YCbCr_to_RGB() at ok_jpg.c:513.

PoC

PoC file is this.
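The trace above records a 1-byte write 436 bytes before a 60000-byte RGBA buffer, i.e. a data unit being stored at an address outside the decoded image. As an added example (not ok_jpg's code; the project's actual fix is not shown on this page), this C sketch shows the kind of bounds check a decoder's data-unit store can apply before converting YCbCr samples into the output buffer. The rgba_image struct, the 150 x 100 geometry and the constant gray fill standing in for real color conversion are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical decoded-image descriptor, not ok_jpg's own type. */
typedef struct {
    uint8_t *data;   /* width * height * 4 bytes, RGBA */
    size_t width;
    size_t height;
} rgba_image;

enum { DATA_UNIT = 8, BPP = 4 };

/* x and y are the top-left pixel of an 8x8 data unit. They are signed on
   purpose: a bad sampling factor or offset can make them negative, which
   is what a write "to the left of" the allocation looks like in ASAN.
   The unit is clipped at the right/bottom edge (JPEG pads to whole units),
   so only the top-left corner has to lie inside the image. */
bool data_unit_in_bounds(const rgba_image *img, long x, long y) {
    if (!img || !img->data || x < 0 || y < 0) return false;
    return (size_t)x < img->width && (size_t)y < img->height;
}

/* Store one clipped data unit. Returns pixels written, or -1 if rejected.
   A real decoder writes converted Y/Cb/Cr here; the constant gray v is a
   stand-in so the example stays short. */
long store_data_unit(rgba_image *img, long x, long y, uint8_t v) {
    if (!data_unit_in_bounds(img, x, y)) return -1;
    size_t w = img->width - (size_t)x, h = img->height - (size_t)y;
    if (w > DATA_UNIT) w = DATA_UNIT;
    if (h > DATA_UNIT) h = DATA_UNIT;
    for (size_t row = 0; row < h; row++) {
        uint8_t *p = img->data + (((size_t)y + row) * img->width + (size_t)x) * BPP;
        for (size_t col = 0; col < w; col++, p += BPP) {
            p[0] = v; p[1] = v; p[2] = v; p[3] = 255;
        }
    }
    return (long)(w * h);
}

/* Self-check on a constructed 150 x 100 image: 60000 bytes, the region size
   in the report above (the geometry itself is an assumption). */
long demo_store(long x, long y) {
    static uint8_t buf[150 * 100 * BPP];
    rgba_image img = { buf, 150, 100 };
    return store_data_unit(&img, x, y, 128);
}
```

A unit at x = -8 or at x = 150 is rejected before any byte is written; an edge unit at (144, 96) is clipped to 6 x 4 pixels instead of spilling past the allocation.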

@brackeen
Owner

brackeen commented Apr 5, 2021

The bug report is appreciated, thank you. This is now fixed.

@brackeen brackeen closed this as completed Apr 5, 2021