Out of Bounds Write in v1.0.4 #3

Closed
@Halcy0nic

Description

Hi!

While I was using the tool, I had some fuzz tests running in the background, and I think there might be an out-of-bounds write bug in the webp to png converter. I compiled the tool from source using the default instructions/Makefile. I can't exactly figure out from the backtrace where the out-of-bounds write is happening in png2webp.c, but a rough guess would be somewhere around:

```c
if(reverse)
memcpy(&ext, *argv + len - 4, 4);
memcpy(&extmatch, (char[4]){"webp"}, 4);
```

I've attached the valgrind and gdb output below with a copy of the file used to trigger the issue:

Screen Shot 2022-07-22 at 10 55 26 AM

Screen Shot 2022-07-22 at 11 36 28 AM

Crash file

This would possibly allow an attacker to overwrite heap memory with attacker-provided data.
crash.zip
