Closed
Description
Test code:

    #include <stdio.h>
    #include <stdlib.h>
    #include "ok_jpg.h"

    int main(int argc, char **argv) {
        if (argc < 2) return 0;
        /* Open the input file named on the command line. */
        FILE *file = fopen(argv[1], "rb");
        if (!file) {
            perror("fopen");
            return 1;
        }
        /* Decode to RGBA with the image flipped vertically. */
        ok_jpg image = ok_jpg_read(file, OK_JPG_COLOR_FORMAT_RGBA | OK_JPG_FLIP_Y);
        fclose(file);
        if (image.data) {
            printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
            free(image.data);
        }
        return 0;
    }

Tools: honggfuzz 2.4
Target version: master-20210910
Result:
$ ./Testjpg bugs/0.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:532 in ok_jpg_convert_data_unit_grayscale
$ ./Testjpg bugs/1.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:532 in ok_jpg_convert_data_unit_grayscale
$ ./Testjpg bugs/2.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/3.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/4.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/5.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/6.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
Here are the PoCs.