A heap-buffer-overflow was discovered in function aligned_dealloc() (src/lepton/bitops.cc:108). The issue is triggered in function reset_buffers() (src/lepton/jpgcoder.cc:4373).
Using CMake

```bash
# Build lepton with AddressSanitizer instrumentation and debug info
mkdir -p build
cd build
export CC="gcc"
export CXX="g++"
export CFLAGS="-g -fsanitize=address"
export CXXFLAGS="-g -fsanitize=address"
cmake ..
make -j8
# Reproduce with the attached poc file
./lepton -unjailed ./poc b.jpg
```
Case 1: `./lepton -unjailed ./poc b.jpg` (output: attached file image1.png)
Case 2: `./lepton -permissive -unjailed ./poc b.jpg` (output: attached file 2.png)
Case 3: `./lepton ./poc b.jpg` (output: attached file 3.png)
POC
poc file attached.
ASAN Report
lepton v1.0-1.2.1-185-g2a08b77
x: Unknown Item in header instead of ZSTART ACHIEVED 1644425153 702974
TIMING (new method): 0.005493 to first byte 0.005523 total
Read took: 0.000231
=================================================================
==3721==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffff35fe7ff at pc 0x555555584cad bp 0x7fffffffd420 sp 0x7fffffffd410
READ of size 1 at 0x7ffff35fe7ff thread T0
#0 0x555555584cac in aligned_dealloc(unsigned char*) src/lepton/bitops.cc:108
#1 0x5555555d6300 in reset_buffers() src/lepton/jpgcoder.cc:4373
#2 0x5555555bae45 in prep_for_new_file() src/lepton/jpgcoder.cc:1514
#3 0x5555555bea59 in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1890
#4 0x5555555b6555 in app_main(int, char**) src/lepton/jpgcoder.cc:941
#5 0x55555560b796 in main src/lepton/main.cc:17
#6 0x7ffff70750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#7 0x55555558045d in _start (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0x2c45d)
0x7ffff35fe7ff is located 1 bytes to the left of 4195328-byte region [0x7ffff35fe800,0x7ffff39fec00)
allocated by thread T0 here:
#0 0x7ffff769c93c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x555555670075 in custom_malloc src/vp8/util/memory.cc:68
#2 0x555555670257 in custom_calloc src/vp8/util/memory.cc:147
#3 0x555555584b4f in abitwriter::abitwriter(int, int) src/lepton/bitops.cc:86
#4 0x5555555caa75 in recode_jpeg() src/lepton/jpgcoder.cc:3326
#5 0x5555555fb808 in bool std::__invoke_impl(std::__invoke_other, bool (*&)()) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0xa7808)
#6 0x5555555f5e3b in std::enable_if >, std::is_convertible::type, bool> >::value, bool>::type std::__invoke_r(bool (*&)()) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0xa1e3b)
#7 0x5555555efa22 in std::_Function_handler::_M_invoke(std::_Any_data const&) (/AFLplusplus/my_test/projects/lepton/fuzz/tanuki/asan_bin/lepton+0x9ba22)
#8 0x5555555ea209 in std::function::operator()() const /usr/include/c++/10/bits/std_function.h:622
#9 0x5555555c02c5 in execute(std::function const&) src/lepton/jpgcoder.cc:2048
#10 0x5555555be59f in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1871
#11 0x5555555b6555 in app_main(int, char**) src/lepton/jpgcoder.cc:941
#12 0x55555560b796 in main src/lepton/main.cc:17
#13 0x7ffff70750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow src/lepton/bitops.cc:108 in aligned_dealloc(unsigned char*)
Shadow bytes around the buggy address:
0x10007e6b7ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007e6b7ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x10007e6b7cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x10007e6b7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e6b7d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3721==ABORTING
Version
lepton v1.0-1.2.1-185-g2a08b77 (latest commit), url: https://github.com/dropbox/lepton
Occurrences
bitops.cc L111-L124
References
attached files
Contact me
For any issue or problem, please contact me.
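The ASan trace above pairs a 1-byte READ just left of a posix_memalign'd region (allocated through custom_calloc in the abitwriter constructor) with a deallocator that expects to find something in front of the pointer it is given. The following is an added C example, not lepton's code and not a claim about the project's actual root cause: it models the allocator mismatch that trace is consistent with, namely an aligned allocator that stashes a 1-byte padding offset before the returned pointer, a deallocator that reads that byte back, and what happens when a pointer from posix_memalign (which places no such header) reaches it. It also shows a hardened deallocator that refuses pointers it did not hand out instead of touching memory before them. ALIGN, the registry, and all function names are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration (example code, not lepton's). ALIGN, MAX_TRACKED and all
 * names are assumptions. Scheme A writes a 1-byte header before each pointer it returns;
 * scheme B (posix_memalign) writes nothing there. Feeding a scheme-B pointer to the
 * scheme-A deallocator reads 1 byte left of the region, the pattern ASan reported. */

#define ALIGN 16
#define MAX_TRACKED 64

/* Registry of pointers handed out by hdr_alloc; consulted by the hardened deallocator. */
static unsigned char *tracked[MAX_TRACKED];
static size_t ntracked;

static int is_tracked(const unsigned char *p) {
    for (size_t i = 0; i < ntracked; i++)
        if (tracked[i] == p) return 1;
    return 0;
}

static void untrack(const unsigned char *p) {
    for (size_t i = 0; i < ntracked; i++)
        if (tracked[i] == p) { tracked[i] = tracked[--ntracked]; return; }
}

/* Scheme A: over-allocate, round up to ALIGN, and store the padding length (1..ALIGN)
 * in the byte just before the returned pointer so free() can get the malloc pointer back. */
unsigned char *hdr_alloc(size_t n) {
    if (ntracked == MAX_TRACKED) return NULL;
    unsigned char *raw = malloc(n + ALIGN);
    if (!raw) return NULL;
    unsigned char *out = (unsigned char *)(((uintptr_t)raw + ALIGN) & ~(uintptr_t)(ALIGN - 1));
    out[-1] = (unsigned char)(out - raw);   /* padding is at least 1, so out[-1] is inside raw */
    tracked[ntracked++] = out;
    return out;
}

/* Unsafe shape: trusts that p came from hdr_alloc and reads p[-1] unconditionally.
 * For a posix_memalign pointer that read is 1 byte left of the allocation. Not called
 * by the checks below; build with -fsanitize=address and enable the line in main() to see
 * ASan flag it. */
void hdr_dealloc_unchecked(unsigned char *p) {
    if (!p) return;
    free(p - p[-1]);
}

/* Hardened shape: only read the header if this allocator owns the pointer.
 * Returns 0 on success, -1 for a foreign pointer (caller must release it its own way). */
int hdr_dealloc_checked(unsigned char *p) {
    if (!p) return 0;
    if (!is_tracked(p)) return -1;          /* would otherwise read p[-1] out of bounds */
    unsigned char off = p[-1];
    untrack(p);
    free(p - off);
    return 0;
}

/* Scheme B: posix_memalign. libc owns the layout; there is no header byte before *out. */
unsigned char *memalign_alloc(size_t n) {
    void *q = NULL;
    if (posix_memalign(&q, ALIGN, n) != 0) return NULL;
    return (unsigned char *)q;
}

int is_aligned(const void *p) { return ((uintptr_t)p % ALIGN) == 0; }

/* Header offset the scheme-A deallocator would use, or -1 if p is not a scheme-A pointer. */
int header_offset(const unsigned char *p) {
    return is_tracked(p) ? (int)p[-1] : -1;
}

int main(void) {
    unsigned char *a = hdr_alloc(4096);
    unsigned char *b = memalign_alloc(4096);
    printf("hdr_alloc: aligned=%d header offset=%d\n", is_aligned(a), header_offset(a));
    printf("posix_memalign pointer rejected by checked dealloc: %d\n", hdr_dealloc_checked(b));
    hdr_dealloc_checked(a);
    free(b);
    /* Under ASan, uncomment to reproduce the 1-byte left-of-region read:
     * b = memalign_alloc(4096); hdr_dealloc_unchecked(b); */
    return 0;
}
```

The point of the registry is not that a production allocator should keep a linear table, but that the deallocator must know which allocation scheme produced a pointer before it dereferences anything in front of it; the same guarantee can come from routing every aligned allocation through one wrapper so that no header-less pointer can ever reach the header-reading free path.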