./debug/bin/dbl2png --verbose in2.dbl out.png
image data RGB
outsize=1605
size 65535 x 33023
unpacked data size t=1600 byte
channel count=3
Segmentation fault (core dumped)
==48243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdd403ff404 at pc 0x7fdd44327733 bp 0x7ffd2f1f8fa0 sp 0x7ffd2f1f8748
READ of size 262140 at 0x7fdd403ff404 thread T0
#0 0x7fdd44327732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x7fdd43e7fa17 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 0x7fdd43e7fa17 in png_write_row /home/fish/misc/libming/libpng-1.6.36/pngwrite.c:842
#3 0x557528274da6 in writePNG /home/fish/misc/libming/util/dbl2png.c:234
#4 0x5575282712d6 in main /home/fish/misc/libming/util/dbl2png.c:286
#5 0x7fdd43a8eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#6 0x557528271859 in _start (/home/fish/misc/libming/afl/bin/dbl2png+0x2859)
0x7fdd403ff404 is located 0 bytes to the right of 66714628-byte region [0x7fdd3c45f800,0x7fdd403ff404)
allocated by thread T0 here:
#0 0x7fdd4438cb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55752827295b in readDBL /home/fish/misc/libming/util/dbl2png.c:133
#2 0x200000007 (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0ffc28077e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc28077e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc28077e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc28077e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc28077e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffc28077e80:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc28077e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc28077ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc28077eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc28077ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc28077ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==48243==ABORTING
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:427
#1 0x00007ffff79a6a18 in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 png_write_row (png_ptr=0x555555758490, row=<optimized out>) at pngwrite.c:842
#3 0x00005555555557e3 in writePNG (fp=0x555555758260, png=...) at dbl2png.c:234
#4 0x0000555555555a1a in main (argc=0x3, argv=0x7fffffffde68) at dbl2png.c:286
#5 0x00007ffff75b5b97 in __libc_start_main (main=0x5555555558a9 <main>, argc=0x3, argv=0x7fffffffde68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde58) at ../csu/libc-start.c:310
#6 0x0000555555554eca in _start ()
229 if(png.color_type == PNG_COLOR_TYPE_RGB)
230 {
231 png_set_filler(png_ptr, 0, PNG_FILLER_BEFORE);
232 for (i=0;i<png.height-1;i++)
233 {
// ptr=0x00007fffffffdce0 → [...] → 0x357a4fff2b6a42ff
→ 234 png_write_row(png_ptr,ptr);
235 ptr+=png.width * 4;
236 }
237 }
238 if(png.color_type == PNG_COLOR_TYPE_PALETTE)
239 {
gef➤ p ptr + png.width * 4 * 261
$3 = (byte *) 0x7ffff7395bfc ""
gef➤ p ptr + png.width * 4 * 262
$4 = (byte *) 0x7ffff73d5bf8 <error: Cannot access memory at address 0x7ffff73d5bf8>
I found a heap-buffer-overflow problem in function writePNG in file ./util/dbl2png.c:234.
poc.zip
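A bounds check for the row loop shown in the gef listing (dbl2png.c:232-235), added here as an example; it is not libming code and not part of the report. The loop advances ptr by png.width * 4 per row for the number of rows the DBL header declares, but nothing compares that against the size of the buffer readDBL allocated. The code below computes rows * width * 4 with overflow-checked arithmetic and stops at the end of the source buffer; the 4-byte row stride (RGB plus the filler byte from png_set_filler) and the memcpy stand-in for png_write_row are assumptions, and the figures in main() are the ones in the ASan output above (65535-pixel rows, 33023 declared rows, a 66714628-byte region). The example loops over every declared row; the listing's `height-1` bound is left aside since the point is the buffer check.

```c
/*
 * Added example (not libming code): size checks for a writer loop that
 * walks a pixel buffer row by row using dimensions taken from a file header.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed row stride: RGB plus the filler byte png_set_filler() adds. */
#define RGB_FILLER_BPP 4

/* Overflow-safe width*bpp; returns false if the product does not fit in size_t. */
static bool row_bytes(uint32_t width, size_t bpp, size_t *out)
{
    return !__builtin_mul_overflow((size_t)width, bpp, out);
}

/* Number of complete rows of `width` pixels that fit in `buf_len` bytes. */
size_t rows_available(uint32_t width, size_t bpp, size_t buf_len)
{
    size_t rb;
    if (!row_bytes(width, bpp, &rb) || rb == 0)
        return 0;
    return buf_len / rb;
}

/* True iff width*height*bpp bytes are present in a buffer of buf_len bytes,
 * with both multiplications checked for wraparound. */
bool image_fits(uint32_t width, uint32_t height, size_t bpp, size_t buf_len)
{
    size_t rb, total;
    if (!row_bytes(width, bpp, &rb))
        return false;
    if (__builtin_mul_overflow(rb, (size_t)height, &total))
        return false;
    return total <= buf_len;
}

/* Hardened loop: copies each row into `dst` (a stand-in for png_write_row)
 * but stops at the end of `src` instead of reading past it.
 * Returns the number of rows actually written. */
size_t write_rows_checked(const uint8_t *src, size_t src_len,
                          uint32_t width, uint32_t height,
                          uint8_t *dst, size_t dst_len)
{
    size_t rb, written = 0;
    if (!row_bytes(width, RGB_FILLER_BPP, &rb) || rb == 0)
        return 0;
    const uint8_t *ptr = src, *end = src + src_len;
    for (uint32_t i = 0; i < height; i++) {
        if ((size_t)(end - ptr) < rb)           /* next row would overrun src */
            break;
        if (dst_len - written * rb < rb)        /* or the output buffer */
            break;
        memcpy(dst + written * rb, ptr, rb);
        ptr += rb;
        written++;
    }
    return written;
}

/* Constructed input: a buffer holding 2 full 3-pixel rows plus 5 stray bytes,
 * while the header claims 4 rows. Returns the rows written (2). */
size_t demo_truncated_rows(void)
{
    uint8_t src[3 * RGB_FILLER_BPP * 2 + 5];
    uint8_t dst[3 * RGB_FILLER_BPP * 4];
    memset(src, 0xAB, sizeof src);
    return write_rows_checked(src, sizeof src, 3, 4, dst, sizeof dst);
}

int main(void)
{
    /* Figures from the ASan report: 65535-wide rows, 33023 declared rows,
     * and the 66714628-byte region allocated in readDBL. */
    printf("rows that fit in the region: %zu\n",
           rows_available(65535, RGB_FILLER_BPP, 66714628));
    printf("declared image fits region: %s\n",
           image_fits(65535, 33023, RGB_FILLER_BPP, 66714628) ? "yes" : "no");
    printf("rows written from truncated demo buffer: %zu of 4\n",
           demo_truncated_rows());
    return 0;
}
```

With the report's numbers, rows_available() gives 254 full rows in the 66714628-byte region, which is where a per-row check would stop the loop; image_fits() rejects the header outright because 65535 * 33023 * 4 bytes is far larger than what readDBL allocated.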