Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A stack-buffer-overflow bug was discovered. #52

Closed
Asteriska8 opened this issue Sep 18, 2022 · 1 comment
Closed

A stack-buffer-overflow bug was discovered. #52

Asteriska8 opened this issue Sep 18, 2022 · 1 comment

Comments

@Asteriska8
Copy link

Description

A stack-buffer-overflow bug was discovered in function do_prism_read_palette modules/atari-img.c:331

Version

Version v1.6.2 (Lastest commit)

Environment

Ubuntu 18.04, 64bit

Reproduce

Command

git clone the Lastest Version firstly.
make && make install
./deark -l -zip ./poc

POC file at the bottom of this report.

ASAN Report

Module: prismpaint
=================================================================
==20784==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6490a820 at pc 0x55eae0de20ff bp 0x7ffc6490a390 sp 0x7ffc6490a380
READ of size 4 at 0x7ffc6490a820 thread T0
    #0 0x55eae0de20fe in do_prism_read_palette modules/atari-img.c:331
    #1 0x55eae0de247e in de_run_prismpaint modules/atari-img.c:361
    #2 0x55eae0fd7023 in de_run_module src/deark-util.c:878
    #3 0x55eae0fd7023 in de_run_module src/deark-util.c:843
    #4 0x55eae1036a35 in de_run src/deark-user.c:452
    #5 0x55eae0dc39e9 in main2 src/deark-cmd.c:988
    #6 0x55eae0dc39e9 in main src/deark-cmd.c:1022
    #7 0x7fd587ac4082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55eae0dc652d in _start (/AFLplusplus/my_test/deark/backup/asan/deark-master/deark+0xf652d)

Address 0x7ffc6490a820 is located in stack of thread T0 at offset 1056 in frame
    #0 0x55eae0de1c7f in do_prism_read_palette modules/atari-img.c:304

  This frame has 2 object(s):
    [32, 1056) 'pal1' (line 308) <== Memory access at offset 1056 overflows this variable
    [1184, 1216) 'tmps' (line 310)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow modules/atari-img.c:331 in do_prism_read_palette
Shadow bytes around the buggy address:
  0x10000c9194b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c9194c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c9194d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c9194e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c9194f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000c919500: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10000c919510: f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00
  0x10000c919520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c919530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c919540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c919550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

POC

id_000027,sig_11,src_013544+002505,time_31840218,execs_68965869,op_splice,rep_16.zip

Any issue plz contact with me:
asteriska001@gmail.com
OR:
twitter: @Asteriska8

jsummers added a commit that referenced this issue Sep 20, 2022
@jsummers
Copy link
Owner

Thanks. It should be fixed now (commit b297d9a).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants