stack-buffer-overflow #36

Open
gy741 opened this issue Feb 3, 2018 · 2 comments


gy741 commented Feb 3, 2018

Hello.

I found a stack-buffer-overflow bug in cmft.

Please confirm.

Thanks.

OS: CentOS 7 64bit
Version: commit 4fe3a34
PoC Download: poc.zip

Steps to reproduce:
1. Download the PoC files.
2. Execute the following command:
./cmft --input $FILE --output0 /dev/null

==2406== Invalid read of size 4
==2406==    at 0x5DDA881: fseeko (fseeko.c:35)
==2406==    by 0x10B41B: cmft::rwSeekFile(cmft::Rw*, long, cmft::Whence::Enum) (image.cpp:198)
==2406==    by 0x116A2D: cmft::imageLoadKtx(cmft::Image&, cmft::Rw*, cmft::AllocatorI*) (image.cpp:4606)
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==  Address 0xffffffffffffffff is not stack'd, malloc'd or (recently) free'd
==2406== 
==2406== 
==2406== Process terminating with default action of signal 11 (SIGSEGV)
==2406==  Access not within mapped region at address 0xFFFFFFFFFFFFFFFF
==2406==    at 0x5DDA881: fseeko (fseeko.c:35)
==2406==    by 0x10B41B: cmft::rwSeekFile(cmft::Rw*, long, cmft::Whence::Enum) (image.cpp:198)
==2406==    by 0x116A2D: cmft::imageLoadKtx(cmft::Image&, cmft::Rw*, cmft::AllocatorI*) (image.cpp:4606)
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
==2406==    by 0xFFFFFFFFFFFFFFFE: ???
dariomanesku (Owner) commented

Yeah, the problem is in KTX parsing; I'm not sure exactly where.


gy741 commented Feb 5, 2018

Hello,

I think there is a problem in the source code below.

read = readFn(_rw, &faceData, faceSize);
const size_t size = fread(_data, 1, _size, _src->m_file);

Thanks.

image.cpp:4580

    for (uint8_t face = 0; face < ktxHeader.m_numFaces; ++face)
    {
        uint8_t* faceData = (uint8_t*)data + offsets[mip][face];

        if (0 == pitchRounding)
        {
            // Read entire face at once.
            read = readFn(_rw, &faceData, faceSize);  // <--- Crash.
            DEBUG_CHECK(read == faceSize, "Error reading Ktx face data.");
        }

#0  0x0000000000402ee7 in cmft::rwReadFile (_src=0x7ffffffe5240, _data=0x7ffffffe4f70, _size=0xc648)
    at ../../src/cmft/image.cpp:238
        size = 0x4
#1  0x000000000040e2e7 in cmft::imageLoadKtx (_image=..., _rw=0x7ffffffe5240, _allocator=0x64d3a0 <cmft::g_crtAllocator>)
    at ../../src/cmft/image.cpp:4587
        faceData = 0x6b3e60 ""
        face = 0x0
        faceSize = 0xc648
        mipSize = 0xc648
        width = 0xb4
        height = 0x5e
        pitch = 0x21c
        pitchRounding = 0x0
        faceRounding = 0x0
        mipRounding = 0x0
        mip = 0x0
        read = 0x4
        didOpen = 0x0
        scopeClose = {
          m_rw = 0x7ffffffe5240, 
          m_condition = 0x0
        }
        seekFn = 0x402dd6 <cmft::rwSeekFile(cmft::Rw*, long, cmft::Whence::Enum)>
        readFn = 0x402ebb <cmft::rwReadFile(cmft::Rw*, void*, unsigned long)>
        ktxHeader = {
          m_endianness = 0x4030201, 
          m_glType = 0x1401, 
          m_glTypeSize = 0x1, 
          m_glFormat = 0x1907, 
          m_glInternalFormat = 0x1907, 
          m_glBaseInternalFormat = 0x1907, 
          m_pixelWidth = 0xb4, 
          m_pixelHeight = 0x5e, 
          m_pixelDepth = 0x0, 
          m_numArrayElements = 0x0, 
          m_numFaces = 0x1, 
          m_numMips = 0x1, 
          m_bytesKeyValue = 0x1c
        }
        magic = "\253KTX 11\273\r\n\032\n"
        ktxMagic = "\253KTX 11\273\r\n\032\n"
        format = cmft::TextureFormat::RGB8
        bytesPerPixel = 0x3
        offsets = {{0x0, 0x0, 0x0, 0x0, 0xffffffff, 0x100ffff}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x7074756f, 0x35317475, 0x0, 
            0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0, 0x40404040, 0x40404040}, {0x40404040, 
            0x40404040, 0x0, 0x0, 0x0, 0x0}, {0x5a5a5a5a, 0x5a5a5a5a, 0x5a5a5a5a, 0x5a5a5a5a, 0x0, 0x0}, {0x0, 0x0, 0x20202020, 
            0x20202020, 0x20202020, 0x20202020}, {0x0, 0x0, 0x0, 0x0, 0xffffffff, 0xffff}, {0xffffff00, 0xffffff00, 0x0, 0x0, 
            0x0, 0x0}, {0x6b2c20, 0x0, 0x1, 0x0, 0x6b2c20, 0x0}, {0xf6bbd5e8, 0x7fff, 0x6b2c20, 0x0, 0x6b2c20, 0x0}, {0x0, 0x0, 
            0xf6bbbfd3, 0x7fff, 0x6b2c20, 0x0}, {0x6b2e50, 0x0, 0x0, 0x0, 0x6b2d00, 0x0}, {0x6b2c20, 0x0, 0x6b2d00, 0x0, 
            0x6b2c20, 0x0}, {0xfffe5190, 0x7fff, 0xfffe53c0, 0x7fff, 0xffffdc70, 0x7fff}}
        dataSize = 0xc648
        data = 0x6b3e60
        result = {
          m_width = 0x6b3e60, 
          m_height = 0x0, 
          m_dataSize = 0x0, 
          m_format = cmft::TextureFormat::BGR8, 
          m_numMips = 0x90, 
          m_numFaces = 0x51, 
          m_data = 0x7ffff7de6ac6 <_dl_fixup+214>
        }
#2  0x000000000040f48c in cmft::imageLoad (_image=..., _rw=0x7ffffffe5240, _convertTo=cmft::TextureFormat::RGBA32F, 
    _allocator=0x64d3a0 <cmft::g_crtAllocator>) at ../../src/cmft/image.cpp:5030
        didOpen = 0x1
        scopeClose = {
          m_rw = 0x7ffffffe5240, 
          m_condition = 0x1
        }
        seekFn = 0x402dd6 <cmft::rwSeekFile(cmft::Rw*, long, cmft::Whence::Enum)>
        readFn = 0x402ebb <cmft::rwReadFile(cmft::Rw*, void*, unsigned long)>
        magic = 0x58544bab
        loaded = 0x0
#3  0x000000000040f570 in cmft::imageLoad (_image=..., _filePath=0x7ffffffe5620 "poc.ktx", 
    _convertTo=cmft::TextureFormat::RGBA32F, _allocator=0x64d3a0 <cmft::g_crtAllocator>) at ../../src/cmft/image.cpp:5057
        rw = {
          m_error = 0x0, 
          m_type = 0x1, 
          {
            {
              m_path = 0x7ffffffe5620 "poc.ktx", 
              m_file = 0x6b2c20
            }, 
            {
              m_mem = 0x7ffffffe5620, 
              m_size = 0x6b2c20, 
              m_offset = 0x0
            }
          }
        }
#4  0x0000000000438c2f in cmftMain (_argc=0x5, _argv=0x7fffffffdc78) at ../../src/cmft_cli/cmft_cli.h:895
        cmdLine = {
          m_argc = 0x5, 
          m_argv = 0x7fffffffdc78
        }
        inputParameters = <error reading variable inputParameters (value of type `InputParameters' requires 99628 bytes, which is more than max-value-size)>
        image = {
          m_width = 0x0, 
          m_height = 0x0, 
          m_dataSize = 0x0, 
          m_format = cmft::TextureFormat::Null, 
          m_numMips = 0x0, 
          m_numFaces = 0x0, 
          m_data = 0x0
        }
        imageFaceList = {{
            m_width = 0x0, 
            m_height = 0x0, 
            m_dataSize = 0x0, 
            m_format = cmft::TextureFormat::Null, 
            m_numMips = 0x0, 
            m_numFaces = 0x0, 
            m_data = 0x0
          }, {
            m_width = 0x0, 
            m_height = 0x0, 
            m_dataSize = 0x0, 
            m_format = cmft::TextureFormat::Null, 
            m_numMips = 0x0, 
            m_numFaces = 0x0, 
            m_data = 0x0
          }, {
            m_width = 0x0, 
            m_height = 0x0, 
            m_dataSize = 0x0, 
            m_format = cmft::TextureFormat::Null, 
            m_numMips = 0x0, 
            m_numFaces = 0x0, 
            m_data = 0x0
          }, {
            m_width = 0x0, 
            m_height = 0x0, 
            m_dataSize = 0x0, 
            m_format = cmft::TextureFormat::Null, 
            m_numMips = 0x0, 
            m_numFaces = 0x0, 
            m_data = 0x0
          }, {
            m_width = 0x0, 
            m_height = 0x0, 
            m_dataSize = 0x0, 
            m_format = cmft::TextureFormat::Null, 
            m_numMips = 0x0, 
            m_numFaces = 0x0, 
            m_data = 0x0
          }, {
            m_width = 0x0, 
            m_height = 0x0, 
            m_dataSize = 0x0, 
            m_format = cmft::TextureFormat::Null, 
            m_numMips = 0x0, 
            m_numFaces = 0x0, 
            m_data = 0x0
          }}
        imageLoaded = 0x0
#5  0x00000000004396d4 in main (_argc=0x5, _argv=0x7fffffffdc78) at ../../src/main.cpp:22
No locals.
#6  0x00007ffff6b63830 in __libc_start_main (main=0x4396b4 <main(int, char const* const*)>, argc=0x5, argv=0x7fffffffdc78, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdc68) at ../csu/libc-start.c:291
        result = <optimized out>
        unwind_buf = {
          cancel_jmp_buf = {{
              jmp_buf = {0x0, 0x5fbf91a5e9fabc06, 0x401f90, 0x7fffffffdc70, 0x0, 0x0, 0xa0406edd67dabc06, 0xa0407c4ebf4abc06}, 
              mask_was_saved = 0x0
            }}, 
          priv = {
            pad = {0x0, 0x0, 0x5, 0x4396b4 <main(int, char const* const*)>}, 
            data = {
              prev = 0x0, 
              cleanup = 0x0, 
              canceltype = 0x5
            }
          }
        }
        not_first_call = <optimized out>
#7  0x0000000000401fb9 in _start ()
No symbol table info available.
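In the backtrace above, frame #0 reads into `_data=0x7ffffffe4f70`, a stack address right next to `_rw`, while the heap buffer is `faceData = 0x6b3e60`: the call passes `&faceData`, the address of the pointer variable, so `fread` writes `faceSize` (0xc648) bytes over an 8-byte stack slot. The example below is added here and is not cmft's code; it shows the corrected call together with a bounds check of the header-derived offsets and face size, using a `uint8_t*` read callback so that `&faceData` no longer compiles. `Rw`, `rwReadMem`, `readFaces` and the sample input are constructed stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
// Constructed stand-in for a memory-backed cmft::Rw (not cmft's own struct).
struct Rw { const uint8_t* mem; size_t size; size_t offset; };

// Read callback with a typed destination instead of void*: `rwReadMem(rw, &faceData, n)`
// no longer compiles (uint8_t** is not uint8_t*), whereas a void* parameter accepts it
// and the bytes land on the stack slot holding the pointer, as in this issue.
static size_t rwReadMem(Rw* rw, uint8_t* dst, size_t size) {
    size_t avail = rw->size - rw->offset;
    size_t n = size < avail ? size : avail;
    memcpy(dst, rw->mem + rw->offset, n);
    rw->offset += n;
    return n;
}

// Reads numFaces faces of faceSize bytes into `data` (dataSize bytes). offsets and
// faceSize are header-derived, so they are checked against the real buffer first.
// Returns faces read, or -1 on an oversized header or a short read.
static int readFaces(Rw* rw, uint8_t* data, size_t dataSize,
                     const size_t* offsets, unsigned numFaces, size_t faceSize) {
    for (unsigned face = 0; face < numFaces; ++face) {
        if (offsets[face] > dataSize || faceSize > dataSize - offsets[face])
            return -1;                                   // header exceeds buffer
        uint8_t* faceData = data + offsets[face];
        size_t read = rwReadMem(rw, faceData, faceSize); // the buffer, not &faceData
        if (read != faceSize) return -1;                 // truncated file
    }
    return (int)numFaces;
}

// Constructed 8-byte "file" holding two 4-byte faces; returns faces read on success.
static int demoWellFormed() {
    const uint8_t file[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    Rw rw = {file, sizeof file, 0};
    uint8_t data[8] = {0};
    const size_t offsets[2] = {0, 4};
    int faces = readFaces(&rw, data, sizeof data, offsets, 2, 4);
    return (faces == 2 && data[4] == 5 && data[7] == 8) ? faces : -2;
}

// Same file with a header-derived faceSize of 0xc648 (the value in the gdb locals above).
static int demoOversizedHeader() {
    const uint8_t file[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    Rw rw = {file, sizeof file, 0};
    uint8_t data[8] = {0};
    const size_t offsets[1] = {0};
    return readFaces(&rw, data, sizeof data, offsets, 1, 0xc648);
}
```

Building cmft with -fsanitize=address would also report the original write at the call site as a stack-buffer-overflow rather than the later invalid `fseeko` that Valgrind shows.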
