ASAN output (lepton -unjailed $POC /tmp/test.jpg):
lepton v1.0-1.2.1-171-g3f6d98c
START ACHIEVED 1531794392 500706
=================================================================
==53029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700001bc18 at pc 0x78633b bp 0x7ffdeb1d2a30 sp 0x7ffdeb1d2a28
WRITE of size 1 at 0x62700001bc18 thread T0
#0 0x78633a in inflate dependencies/zlib/inflate.c:1170
#1 0x4d5a88 in Sirikata::ZlibDecoderDecompressionReader::Decompress(unsigned char const*, unsigned long, Sirikata::JpegAllocator<unsigned char> const&, unsigned long) src/io/ZlibCompression.cc:100
#2 0x4542af in read_ujpg() src/lepton/jpgcoder.cc:4146
#3 0x476b3b in std::_Function_handler<bool (), bool (*)()>::_M_invoke(std::_Any_data const&) (/home/hongxu/FOT/lepton/lepton+0x476b3b)
#4 0x471289 in std::function<bool ()>::operator()() const /usr/include/c++/4.9/functional:2440
#5 0x4431f7 in execute(std::function<bool ()> const&) src/lepton/jpgcoder.cc:2046
#6 0x4413d5 in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1860
#7 0x438a59 in app_main(int, char**) src/lepton/jpgcoder.cc:939
#8 0x48994c in main src/lepton/main.cc:17
#9 0x7ff50f17af44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#10 0x404008 (/home/hongxu/FOT/lepton/lepton+0x404008)
0x62700001bc18 is located 0 bytes to the right of 13080-byte region [0x627000018900,0x62700001bc18)
allocated by thread T0 here:
#0 0x7ff510ad0dfb in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54dfb)
#1 0x4e845c in custom_malloc src/vp8/util/memory.cc:68
#2 0x4158a8 in Sirikata::JpegAllocator<unsigned char>::malloc_wrapper(void*, unsigned long, unsigned long) src/io/Allocator.hh:50
#3 0x406909 in Sirikata::JpegAllocator<unsigned char>::allocate(unsigned long, void const*) src/vp8/encoder/../../io/Allocator.hh:132
#4 0x40639f in std::allocator_traits<Sirikata::JpegAllocator<unsigned char> >::allocate(Sirikata::JpegAllocator<unsigned char>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:357
#5 0x4055db in std::_Vector_base<unsigned char, Sirikata::JpegAllocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
#6 0x485cf3 in std::vector<unsigned char, Sirikata::JpegAllocator<unsigned char> >::_M_default_append(unsigned long) /usr/include/c++/4.9/bits/vector.tcc:557
#7 0x4854fa in std::vector<unsigned char, Sirikata::JpegAllocator<unsigned char> >::resize(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:676
#8 0x4d59a0 in Sirikata::ZlibDecoderDecompressionReader::Decompress(unsigned char const*, unsigned long, Sirikata::JpegAllocator<unsigned char> const&, unsigned long) src/io/ZlibCompression.cc:87
#9 0x4542af in read_ujpg() src/lepton/jpgcoder.cc:4146
#10 0x476b3b in std::_Function_handler<bool (), bool (*)()>::_M_invoke(std::_Any_data const&) (/home/hongxu/FOT/lepton/lepton+0x476b3b)
#11 0x471289 in std::function<bool ()>::operator()() const /usr/include/c++/4.9/functional:2440
#12 0x4431f7 in execute(std::function<bool ()> const&) src/lepton/jpgcoder.cc:2046
#13 0x4413d5 in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1860
#14 0x438a59 in app_main(int, char**) src/lepton/jpgcoder.cc:939
#15 0x48994c in main src/lepton/main.cc:17
#16 0x7ff50f17af44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-buffer-overflow dependencies/zlib/inflate.c:1170 inflate
Shadow bytes around the buggy address:
0x0c4e7fffb730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fffb740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fffb750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fffb760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fffb770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4e7fffb780: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==53029==ABORTING
When running without -unjailed, it crashes with invalid system call message.
The text was updated successfully, but these errors were encountered:
POCs:
https://github.com/ntu-sec/pocs/blob/master/lepton-3f6d98c/crashes/hbo_inflate.c:1170_1.lep?raw=true
https://github.com/ntu-sec/pocs/blob/master/lepton-3f6d98c/crashes/hbo_inflate.c:1170_2.lep?raw=true
ASAN output (
lepton -unjailed $POC /tmp/test.jpg):When running without
-unjailed, it crashes withinvalid system callmessage.The text was updated successfully, but these errors were encountered: