A potential heap overflow issue #302
Comments
|
I no found your bug. |
|
CFLAGS="-O0 -g -fsanitize=address,undefined" ./configure --disable-shared id:000001,sig:06,src:000255+001320,op:splice,rep:4.zip I think the input cracked when I upload to Github. |
|
According to https://bugzilla.redhat.com/show_bug.cgi?id=2043393 this is CVE-2021-4214 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, I find a potential heap overflow issue in contrib/libtests/pngimage.c, function compare_read.
The code version is commit 301f7a1
The compile command is
CFLAGS="-O0 -g -fsanitize=address,leak,undefined" ./configure --disable-sharedThe reproduce command
./pngimage inputTrace reported by ASAN:
`==18068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000cc00 at pc 0x000000416f54 bp 0x7fffffffd0d0 sp 0x7fffffffd0c0
#0 0x416f53 in compare_read contrib/libtests/pngimage.c:1240
#1 0x4249e6 in test_one_file contrib/libtests/pngimage.c:1484
#2 0x4249e6 in do_test contrib/libtests/pngimage.c:1564
#3 0x405da3 in main contrib/libtests/pngimage.c:1668
#4 0x7ffff589082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x407f48 in _start (/mnt/data/playground/libpng-libpng16-a/pngimage+0x407f48)
0x60200000cc00 is located 0 bytes to the right of 16-byte region [0x60200000cbf0,0x60200000cc00)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x50f877 in png_malloc_base /mnt/data/playground/libpng-libpng16-a/pngmem.c:95
#2 0x50f877 in png_malloc /mnt/data/playground/libpng-libpng16-a/pngmem.c:179
SUMMARY: AddressSanitizer: heap-buffer-overflow contrib/libtests/pngimage.c:1240 compare_read
Shadow bytes around the buggy address:
0x0c047fff9930: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9940: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9950: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9960: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9970: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff9980:[fa]fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9990: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff99a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff99b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff99c0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff99d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==18068==ABORTING
`
The reason for this overflow is that the buffer of orig and row might not have bpp length of data so that the index is out of bound in the later loop.
According to the gdb results, bpp is 2 and the length of the buffer is only 1.
The attachment is the input file.
input.zip
The text was updated successfully, but these errors were encountered: