New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ASan: heap-buffer-overflow src/libcaca/caca/dither.c:1347 in get_rgba_default #42

Closed
fgeek opened this Issue Dec 31, 2018 · 1 comment

Comments

Projects
None yet
2 participants
@fgeek
Copy link

fgeek commented Dec 31, 2018

Tested commit: b38bcd6
Tools: american fuzzy lop 2.52b, afl-utils
libcaca-2018-12-31.zip
Credit: Henri Salo
Build with BMP loading. No other crashes found. I'll fuzz with Imlib2 next.
Looks same as #38.

$ /bin/img2txt libcaca-2018-12-31
=================================================================
==28225==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd1 at pc 0x7f94cd7d636c bp 0x7fffa62b8080 sp 0x7fffa62b8078
READ of size 1 at 0x60200000efd1 thread T0
    #0 0x7f94cd7d636b in get_rgba_default /home/hsalo/src/libcaca/caca/dither.c:1347
    #1 0x7f94cd7d636b in caca_dither_bitmap /home/hsalo/src/libcaca/caca/dither.c:1009
    #2 0x555abf324ea7 in main /home/hsalo/src/libcaca/src/img2txt.c:210
    #3 0x7f94cd40e2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #4 0x555abf325859 in _start (/home/hsalo/builds/libcaca/b38bcd63f069c8d7fbcdf10a3acd5b6c82cac3c8/bin/img2txt+0x3859)

0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x7f94cdb7ced0 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1ed0)
    #1 0x555abf326d5d in load_image /home/hsalo/src/libcaca/src/common-image.c:170
    #2 0xffff4c57051  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/libcaca/caca/dither.c:1347 in get_rgba_default
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 00 07
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28225==ABORTING

ps. happy new year! :)

@samhocevar samhocevar closed this in 813baea Jan 1, 2019

@samhocevar

This comment has been minimized.

Copy link
Contributor

samhocevar commented Jan 1, 2019

Thanks! The bug symptoms are similar to #38 (allocated buffer is too small compared to what libcaca expects) but it was a different bug.

Happy new year 🎆

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment