$ ./asanpng heap-buffer-overflow-3.png
==8813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002680 at pc 0x0000004e48dc bp 0x7ffe51b2f890 sp 0x7ffe51b2f888
WRITE of size 4 at 0x621000002680 thread T0
#0 0x4e48db in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:712:13
#1 0x4e48db in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
#2 0x4e48db in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
#3 0x4e48db in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
#4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
#5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
#6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
#7 0x7fe87e6f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)
0x621000002680 is located 384 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
#0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
#1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
#2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
#3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
#4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
#5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
#6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
#7 0x7fe87e6f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:712:13 in ok_png_transform_scanline
Shadow bytes around the buggy address:
0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff84d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==8813==ABORTING
Description
A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_png_transform_scanline() at ok_png.c:712:13.
Thanks for the issue, @NISL-SecurityGroup. The problem was the generated PNG had multiple IHDR chunks with different sizes. PNGs with multiple IHDR chunks are disallowed now.
Version
203defd
Environment
Ubuntu 18.04,64 bit
Testcase
Command
Compile test program:
Compile test program with address sanitizer with this command:
Result
The result of running without ASAN:
Information obtained by using ASAN:
Description
A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_png_transform_scanline() at ok_png.c:712:13.
Poc
Poc file is this.
The text was updated successfully, but these errors were encountered: