stack buffer overflow in read_next_pam_token #13

Closed
bestshow opened this issue Apr 8, 2017 · 1 comment

bestshow commented Apr 8, 2017

on ImageWorsener 1.3.0

#imagew $FILE out.png

stack-buffer-overflow on address 0x7ffd02d980a4 at pc 0x00000046559c bp 0x7ffd02d97f60 sp 0x7ffd02d97f58
READ of size 1 at 0x7ffd02d980a4 thread T0
#0 0x46559b in read_next_pam_token src/imagew-pnm.c:282
#1 0x465a7c in iwpnm_read_pam_header src/imagew-pnm.c:361
#2 0x4660aa in iwpnm_read_header src/imagew-pnm.c:423
#3 0x46621e in iw_read_pnm_file src/imagew-pnm.c:446
#4 0x46639f in iw_read_pam_file src/imagew-pnm.c:464
#5 0x43b2a6 in iw_read_file_by_fmt src/imagew-allfmts.c:79
#6 0x408025 in iwcmd_run src/imagew-cmd.c:1191
#7 0x413bfb in iwcmd_main src/imagew-cmd.c:3018
#8 0x413cde in main src/imagew-cmd.c:3067
#9 0x7fb808f72b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
#10 0x403478 (/home/haojun/Downloads/testopensourcecode/imageworsener20170408/imageworsener-master/imagew+0x403478)

Address 0x7ffd02d980a4 is located in stack of thread T0 at offset 196 in frame
#0 0x4658a5 in iwpnm_read_pam_header src/imagew-pnm.c:332

This frame has 4 object(s):
[32, 36) 'curpos'
[96, 196) 'linebuf' <== Memory access at offset 196 overflows this variable
[256, 356) 'tokenbuf'
[416, 516) 'token2buf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
stack-buffer-overflow src/imagew-pnm.c:282 in read_next_pam_token
Shadow bytes around the buggy address:
==96257==ABORTING

testcase:
https://github.com/bestshow/p0cs/blob/master/1071-stack-buffer-overflow-imagew-pnm

Author: ADLab of Venustech

jsummers added a commit that referenced this issue Apr 12, 2017
@jsummers
Owner

Should be fixed by commit bb321cf.
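
The ASan report in this issue shows a 1-byte read at offset 196, the first byte past the 100-byte `linebuf`. As an added illustration (not ImageWorsener's code and not the change in commit bb321cf), here is a hypothetical token reader that bounds every read of the line buffer by an explicit length; `next_token`, `demo_unterminated` and the sample input are assumptions made for this example:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINEBUF_LEN 100   /* same size ASan reports for 'linebuf' */

static int is_ws(char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Hypothetical bounded token reader (not the project's function).
 * Reads the next whitespace-delimited token from line[0..line_len),
 * starting at *pos. Each read of line[i] is preceded by i < line_len,
 * so a buffer without a terminator is never read past its end.
 * Returns 1 on success, 0 if no token remains, -1 if the token does
 * not fit in tok (tok_cap includes the terminating NUL). */
int next_token(const char *line, size_t line_len, size_t *pos,
               char *tok, size_t tok_cap)
{
    size_t i = *pos, n = 0;

    if (tok_cap == 0) return -1;
    tok[0] = '\0';
    while (i < line_len && line[i] != '\0' && is_ws(line[i])) i++;
    while (i < line_len && line[i] != '\0' && !is_ws(line[i])) {
        if (n + 1 >= tok_cap) { tok[n] = '\0'; return -1; }  /* too long: reject */
        tok[n++] = line[i++];
    }
    tok[n] = '\0';
    *pos = i;
    return n > 0 ? 1 : 0;
}

/* Constructed worst case: all 100 bytes are non-whitespace with no NUL,
 * so a scan that stops only at a delimiter would go on to read line[100]. */
int demo_unterminated(void)
{
    char linebuf[LINEBUF_LEN], tok[LINEBUF_LEN + 1];
    size_t pos = 0;

    memset(linebuf, 'A', sizeof linebuf);
    if (next_token(linebuf, sizeof linebuf, &pos, tok, sizeof tok) != 1) return -1;
    return (int)pos;   /* scan position when the reader stopped */
}

int main(void)
{
    printf("scan stopped at offset %d of %d\n", demo_unterminated(), LINEBUF_LEN);
    return 0;
}
```

Building this with `-fsanitize=address` and feeding it the constructed buffer produces no report, because the scan stops at `line_len` instead of relying on a delimiter being present.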
