==78746==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000011618 at pc 0x556e3ec8f64c bp 0x7ffca25f9440 sp 0x7ffca25f9430
WRITE of size 2 at 0x631000011618 thread T0
#0 0x556e3ec8f64b in ok_jpg_decode_block_progressive /root/study/ok-file-formats/afl-test/ok_jpg.c:1054
#1 0x556e3ec90c16 in ok_jpg_decode_scan /root/study/ok-file-formats/afl-test/ok_jpg.c:1217
#2 0x556e3ec95c60 in ok_jpg_read_sos /root/study/ok-file-formats/afl-test/ok_jpg.c:1734
#3 0x556e3ec96d3c in ok_jpg_decode2 /root/study/ok-file-formats/afl-test/ok_jpg.c:1900
#4 0x556e3ec97605 in ok_jpg_decode /root/study/ok-file-formats/afl-test/ok_jpg.c:1990
#5 0x556e3ec868a4 in ok_jpg_read_with_allocator /root/study/ok-file-formats/afl-test/ok_jpg.c:268
#6 0x556e3ec8671b in ok_jpg_read /root/study/ok-file-formats/afl-test/ok_jpg.c:257
#7 0x556e3ec85d5e in main /root/study/ok-file-formats/afl-test/main.c:8
#8 0x7ff14d6d7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#9 0x556e3ec85b29 in _start (/root/study/ok-file-formats/afl-test/Asanjpg/Asanjpg+0x2b29)
0x631000011618 is located 9 bytes to the right of 69135-byte region [0x631000000800,0x63100001160f)
allocated by thread T0 here:
#0 0x7ff14db85b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x556e3ec85f00 in ok_stdlib_alloc /root/study/ok-file-formats/afl-test/ok_jpg.c:55
#2 0x556e3ec94b20 in ok_jpg_read_sof /root/study/ok-file-formats/afl-test/ok_jpg.c:1595
#3 0x556e3ec96ac2 in ok_jpg_decode2 /root/study/ok-file-formats/afl-test/ok_jpg.c:1884
#4 0x556e3ec97605 in ok_jpg_decode /root/study/ok-file-formats/afl-test/ok_jpg.c:1990
#5 0x556e3ec868a4 in ok_jpg_read_with_allocator /root/study/ok-file-formats/afl-test/ok_jpg.c:268
#6 0x556e3ec8671b in ok_jpg_read /root/study/ok-file-formats/afl-test/ok_jpg.c:257
#7 0x556e3ec85d5e in main /root/study/ok-file-formats/afl-test/main.c:8
#8 0x7ff14d6d7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/study/ok-file-formats/afl-test/ok_jpg.c:1054 in ok_jpg_decode_block_progressive
Shadow bytes around the buggy address:
0x0c627fffa270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa2c0: 00 07 fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==78746==ABORTING
Describe
A heap-buffer-overflow was discovered in ok-file-formats. The issue is triggered in the function ok_jpg_decode_block_progressive() at ok_jpg.c:1054: a 2-byte write lands 9 bytes past the end of a 69135-byte heap region that was allocated in ok_jpg_read_sof() (ok_jpg.c:1595).
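Triaging a report like this one starts with the same few fields every time: the kind of access, the first frame inside the library, the allocation site, and how far past the region the access lands. The parser below is an added example, not code from this issue or from ok-file-formats; it extracts those fields from the report above. The list of runtime and harness frames to skip and the WRITE-over-READ priority rule are assumptions of the example.

```python
import re
# Constructed input: the ASan report from the issue above, trimmed to the lines the parser uses.
ASAN_REPORT = """\
==78746==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000011618 at pc 0x556e3ec8f64c bp 0x7ffca25f9440 sp 0x7ffca25f9430
WRITE of size 2 at 0x631000011618 thread T0
    #0 0x556e3ec8f64b in ok_jpg_decode_block_progressive /root/study/ok-file-formats/afl-test/ok_jpg.c:1054
    #1 0x556e3ec90c16 in ok_jpg_decode_scan /root/study/ok-file-formats/afl-test/ok_jpg.c:1217
    #7 0x556e3ec85d5e in main /root/study/ok-file-formats/afl-test/main.c:8
0x631000011618 is located 9 bytes to the right of 69135-byte region [0x631000000800,0x63100001160f)
allocated by thread T0 here:
    #0 0x7ff14db85b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x556e3ec85f00 in ok_stdlib_alloc /root/study/ok-file-formats/afl-test/ok_jpg.c:55
    #2 0x556e3ec94b20 in ok_jpg_read_sof /root/study/ok-file-formats/afl-test/ok_jpg.c:1595
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def is_noise(fn):
    """Assumed skip list: sanitizer runtime, libc and fuzz-harness frames, not the library."""
    return fn.startswith("__interceptor_") or fn in ("__libc_start_main", "_start", "main")

def project_frames(text):
    """(function, file:line) pairs in stack order, with runtime/harness frames dropped."""
    return [(fn, loc) for fn, loc in FRAME_RE.findall(text) if not is_noise(fn)]

def triage(report):
    bug, addr = HEADER_RE.search(report).groups()
    access, size = ACCESS_RE.search(report).groups()
    dist, side, region, lo, hi = REGION_RE.search(report).groups()
    addr, lo, hi = int(addr, 16), int(lo, 16), int(hi, 16)
    size, dist, region = int(size), int(dist), int(region)
    access_part, alloc_part = report.split("allocated by thread", 1)
    # Cross-check the prose distance and region size against the raw addresses.
    expected = addr - hi if side == "right" else lo - addr
    consistent = expected == dist and hi - lo == region
    # A right-side overflow touches bytes [dist, dist + size) past the end of the region.
    overrun = dist + size if side == "right" else 0
    return {
        "bug": bug, "access": access, "size": size, "region_bytes": region,
        "bytes_past_end": overrun, "consistent": consistent,
        "fault_frames": project_frames(access_part),
        "alloc_frames": project_frames(alloc_part),
        # Assumed rule: an OOB heap WRITE can corrupt neighbouring objects or allocator
        # metadata, so it ranks above a READ, which is usually a crash or an info leak.
        "priority": "high" if access == "WRITE" else "medium",
    }
```

For this report the parser yields a 2-byte WRITE whose last byte is 11 bytes past the region end, with the shadow byte `fa` confirming it hit the redzone of the next chunk.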
Reproduce
test program
Tested on Ubuntu 18.04, 64-bit.
Compile the test program with AddressSanitizer using this command:
You can get the program here.
ASan Reports
Running the test program on the PoC file produces the ASan report quoted above.
PoC
The PoC file is here.
Fuzzer & Testcase
The fuzzer is AFL.
The seed test cases are the project's own files in the directory ok-file-formats/test/jpg.