Out of Bounds Write in v1.0.4 #3
Comments
What OS, architecture, and compiler were you testing on?
I tested that file on a version I just compiled on Termux on my Pixel 6: The problem seems to be that, against the C standard, certain platforms use
diff --git a/png2webp.c b/png2webp.c
index 42443f5..30bd4fd 100644
--- a/png2webp.c
+++ b/png2webp.c
@@ -319,6 +319,14 @@ static bool w2p(char *ip, char *op) {
}
size_t l = ((uint32_t)(i[4] | (i[5] << 8) | (i[6] << 16) | (i[7] << 24))) + 8;
// ^ RIFF header size
+ if(l < 12
+#ifdef SSIZE_MAX
+ || l - 12 > SSIZE_MAX
+#endif
+ ) {
+ PF("ERROR reading %s: %s", IP, k[2]);
+ goto w2p_close;
+ }
x = malloc(l);
if(!x) {
PF("ERROR reading %s: %s", IP, *k);
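Review bot: the new range check sits after the byte assembly on the `size_t l = ...` line, so if `i` is a plain `char` buffer it cannot catch the value going wrong there: on targets where `char` is signed, a header byte of 0x80 or above is promoted to a negative `int` before the `|`, its upper bits survive the cast to `uint32_t`, and `l` comes out far larger than the header states while still passing `l - 12 > SSIZE_MAX` on a 64-bit build (SSIZE_MAX there is well above 2^32). Assembling the field from unsigned bytes, e.g. `((uint32_t)(unsigned char)i[5] << 8)` for each of the four bytes, makes the value target-independent and also stops `i[7] << 24` from shifting into the sign bit of `int` for a byte of 0x80 or above. Two smaller points on the same hunk: the `#ifdef SSIZE_MAX` inside the condition means platforms without that macro get no upper bound at all, so an unconditional fixed ceiling on the file size would be both safer and easier to read than the conditional `if`; and both rejections print `k[2]`, so the log cannot distinguish a header size below 12 from an oversized one.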
I need to check this doesn't happen on platforms that don't define

Also what fuzzer are you using? I might use it myself. I hope it's AFL

Fixed in v1.0.5 (I think).

@Halcy0nic feel free to add this to your trophy list lol

Sweet! Just tested it out and it seems fixed. Thanks again!

Also you are correct, the fuzzer I was using is AFL++ lol

I tested on a few Linux distros (Debian, Ubuntu, etc.), all 64-bit

Ok good thank you :) I'll close this now
Hi!
While I was using the tool I had some fuzz tests running in the background and I think there might be an out of bounds write bug in the webp to png converter. I compiled the tool from source using the default instructions/Makefile. I can't exactly figure out from the backtrace where the out of bounds write is happening in png2webp.c, but a rough guess would be somewhere around:
png2webp/png2webp.c, line 499 in 0c71191
png2webp/png2webp.c, line 504 in 0c71191
png2webp/png2webp.c, line 505 in 0c71191
I've attached the valgrind and gdb output below with a copy of the file used to trigger the issue:
Crash file: crash.zip
This would possibly allow an attacker to overwrite heap memory with attacker-provided data.
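The following is an added example written for this thread; it is not png2webp's own code. It isolates the two things that can go wrong on the `size_t l = ...` line of the patch above: the header bytes being sign-extended when the buffer is a plain `char *` on a target where `char` is signed, and `l - 12` wrapping around as `size_t` when the header claims fewer than 12 bytes. The hardened check, the 64 MiB ceiling `MAX_TOTAL_EXAMPLE`, the `"WEBP"` magic comparison and the helper names (`riff_webp_check`, `make_hdr`, `payload_for`) are assumptions of the example, not the project's API, and the headers it parses are constructed inline.

```c
/* Added example for the RIFF header-size line discussed in this issue; it is
 * not png2webp's code. It shows the two hazards on that line: header bytes
 * sign-extended when read through a plain char buffer, and size_t wrap in
 * `l - 12` when the header claims fewer than 12 bytes. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed ceiling on a whole input file (png2webp has no such constant). */
#define MAX_TOTAL_EXAMPLE (64ULL << 20)

/* Bytes 4..7 as little-endian uint32 plus the 8-byte RIFF chunk header,
 * assembled from unsigned bytes: the same value on every target. */
static uint64_t riff_total_masked(const unsigned char *h)
{
    uint32_t v = (uint32_t)h[4] | ((uint32_t)h[5] << 8) |
                 ((uint32_t)h[6] << 16) | ((uint32_t)h[7] << 24);
    return (uint64_t)v + 8;
}

/* What `i[4] | (i[5] << 8) | ...` yields when `i` is a plain `char *` and
 * char is signed: a byte >= 0x80 becomes a negative int before the OR, so
 * its upper bits land in the result. Written in well-defined arithmetic so
 * it runs identically on every target. */
static uint64_t riff_total_signed_char(const unsigned char *h)
{
    uint32_t v = 0;
    for (int k = 0; k < 4; k++) {
        int32_t b = h[4 + k];
        if (b >= 0x80)
            b -= 256;                 /* signed-char promotion */
        v |= (uint32_t)b << (8 * k);  /* the sign bits survive the OR */
    }
    return (uint64_t)v + 8;
}

/* Pre-fix payload length: for l < 12 this wraps to near SIZE_MAX. */
static size_t naive_payload_len(size_t l)
{
    return l - 12;
}

/* Hardened check: magic, minimum size and an allocation cap. On success
 * stores the byte count after the 12-byte RIFF/WEBP header in *payload. */
static bool riff_webp_check(const unsigned char *h, size_t have,
                            uint64_t max_total, size_t *payload)
{
    if (have < 12)
        return false;                    /* header truncated */
    if (memcmp(h, "RIFF", 4) != 0 || memcmp(h + 8, "WEBP", 4) != 0)
        return false;                    /* not a WebP container */
    uint64_t total = riff_total_masked(h);
    if (total < 12)
        return false;                    /* total - 12 would wrap */
    if (total > max_total)
        return false;                    /* attacker-chosen allocation */
    *payload = (size_t)(total - 12);
    return true;
}

/* Constructed 12-byte RIFF/WEBP header with the given size field. */
static void make_hdr(unsigned char out[12], uint32_t size_field)
{
    memcpy(out, "RIFF", 4);
    for (int k = 0; k < 4; k++)
        out[4 + k] = (unsigned char)((size_field >> (8 * k)) & 0xFF);
    memcpy(out + 8, "WEBP", 4);
}

/* Runs the hardened check on a constructed header; -1 means rejected. */
static long long payload_for(uint32_t size_field)
{
    unsigned char h[12];
    size_t payload;
    make_hdr(h, size_field);
    if (!riff_webp_check(h, sizeof h, MAX_TOTAL_EXAMPLE, &payload))
        return -1;
    return (long long)payload;
}

int main(void)
{
    const unsigned char *top_bit = (const unsigned char *)"RIFF\x80\0\0\0WEBP";
    printf("size field 0x80: masked %llu, signed-char target %llu\n",
           (unsigned long long)riff_total_masked(top_bit),
           (unsigned long long)riff_total_signed_char(top_bit));
    printf("size field 0: pre-fix l - 12 = %zu, hardened -> %lld\n",
           naive_payload_len(8), payload_for(0));
    printf("size field 0xFFFFFFFF: hardened -> %lld\n", payload_for(0xFFFFFFFFu));
    return 0;
}
```

Build with `cc -std=c99 -Wall riff_hdr_check.c`. For a size byte of 0x80 the masked assembly gives 136 while the signed-char emulation gives 4294967176; on targets where `char` is unsigned (AArch64 Linux and Android among them) the original expression already behaves like the masked version, which is consistent with the bug not reproducing on the Pixel 6 above. A size field of 0 makes the pre-fix `l - 12` wrap to `SIZE_MAX - 3`, which is the quantity the `l < 12` check in the patch guards against.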