This repository has been archived by the owner on Feb 14, 2023. It is now read-only.

[Bug] A heap-buffer-overflow was discovered in function aligned_dealloc():src/lepton/bitops.cc:108 #154

Closed
Asteriska8 opened this issue Feb 21, 2022 · 0 comments · Fixed by #155

Comments

@Asteriska8

Description

A heap-buffer-overflow was discovered in function aligned_dealloc(): src/lepton/bitops.cc:108. The issue is triggered in function reset_buffers(), src/lepton/jpgcoder.cc:4373.

Version

lepton v1.0-1.2.1-185-g2a08b77 (latest commit), URL: https://github.com/dropbox/lepton

Reproduce

Using CMake

mkdir -p build
cd build
export CC="gcc"
export CXX="g++"
export CFLAGS="-g -fsanitize=address"
export CXXFLAGS="-g -fsanitize=address"
cmake ..
make -j8
./lepton -unjailed ./poc b.jpg
Case 1
./lepton -unjailed ./poc b.jpg
Output: attached file image1.png

Case 2
./lepton -permissive -unjailed ./poc b.jpg
Output: attached file 2.png

Case 3
./lepton ./poc b.jpg
Output: attached file 3.png

POC

PoC file attached.

ASAN Report

lepton v1.0-1.2.1-185-g2a08b77
x: Unknown Item in header instead of ZSTART ACHIEVED 1644425153 702974
TIMING (new method): 0.005493 to first byte 0.005523 total
Read took: 0.000231
=================================================================
==3721==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffff35fe7ff at pc 0x555555584cad bp 0x7fffffffd420 sp 0x7fffffffd410
READ of size 1 at 0x7ffff35fe7ff thread T0
#0 0x555555584cac in aligned_dealloc(unsigned char*) src/lepton/bitops.cc:108
#1 0x5555555d6300 in reset_buffers() src/lepton/jpgcoder.cc:4373
#2 0x5555555bae45 in prep_for_new_file() src/lepton/jpgcoder.cc:1514
#3 0x5555555bea59 in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1890
#4 0x5555555b6555 in app_main(int, char**) src/lepton/jpgcoder.cc:941
#5 0x55555560b796 in main src/lepton/main.cc:17
#6 0x7ffff70750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#7 0x55555558045d in _start (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0x2c45d)

0x7ffff35fe7ff is located 1 bytes to the left of 4195328-byte region [0x7ffff35fe800,0x7ffff39fec00)
allocated by thread T0 here:
#0 0x7ffff769c93c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x555555670075 in custom_malloc src/vp8/util/memory.cc:68
#2 0x555555670257 in custom_calloc src/vp8/util/memory.cc:147
#3 0x555555584b4f in abitwriter::abitwriter(int, int) src/lepton/bitops.cc:86
#4 0x5555555caa75 in recode_jpeg() src/lepton/jpgcoder.cc:3326
#5 0x5555555fb808 in bool std::__invoke_impl(std::__invoke_other, bool (*&)()) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0xa7808)
#6 0x5555555f5e3b in std::enable_if >, std::is_convertible::type, bool> >::value, bool>::type std::__invoke_r(bool (*&)()) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0xa1e3b)
#7 0x5555555efa22 in std::_Function_handler::_M_invoke(std::_Any_data const&) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0x9ba22)
#8 0x5555555ea209 in std::function::operator()() const /usr/include/c++/10/bits/std_function.h:622
#9 0x5555555c02c5 in execute(std::function const&) src/lepton/jpgcoder.cc:2048
#10 0x5555555be59f in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1871
#11 0x5555555b6555 in app_main(int, char**) src/lepton/jpgcoder.cc:941
#12 0x55555560b796 in main src/lepton/main.cc:17
#13 0x7ffff70750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/lepton/bitops.cc:108 in aligned_dealloc(unsigned char*)
Shadow bytes around the buggy address:
0x10007e6b7ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x10007e6b7cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x10007e6b7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3721==ABORTING

Occurrences

bitops.cc L111-L124

References

Attached files

Contact me

For any issue or problem, please contact me.
