
Segmentation Fault: out-of-bound write of heap data issue can occur in function png_load() (lib/png.c:755). #13

Closed
chunibalon opened this issue Apr 26, 2017 · 2 comments

Comments

@chunibalon

chunibalon commented Apr 26, 2017

Recently, I found an out-of-bounds issue in the newest branch of swftools which can cause a segmentation fault.
This issue can be caused by a malformed PNG file through png2swf.
Attackers could exploit this issue to result in DoS and might cause arbitrary code execution.
The crash information is as follows.
compiled normally
$ analysis ./png2swf-test crashes_use/000004.png
[1] 56063 segmentation fault ./png2swf-test crashes_use/000004.png

compiled with CFLAGS='-fsanitize=address'
$ analysis ./png2swf-dbg crashes_use/000004.png

==7338==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001b500 at pc 0x00000045a3fa bp 0x7fffe1841530 sp 0x7fffe1841520
WRITE of size 4 at 0x62100001b500 thread T0
#0 0x45a3f9 in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:755
#1 0x40865e in MovieAddFrame /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:491
#2 0x40af7d in main /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:816
#3 0x7f943a8c282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x402838 in _start (/home/kirito/Desktop/fuzz/swftools/swftools-2013-04-09-1007/fuzz_0/analysis/png2swf-dbg+0x402838)

0x62100001b500 is located 0 bytes to the right of 4096-byte region [0x62100001a500,0x62100001b500)
allocated by thread T0 here:
#0 0x7f943b176602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x455d92 in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:579

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:755 png_load
==7338==ABORTING

The attachment is the zip package of PoC and a brief analysis.
000004.zip

@matthiaskramm
Owner

Thanks for reporting this! It looks like the issue is caused by a multiplication overflow? I'll take a look.
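The multiplication-overflow hypothesis above, illustrated by an added defensive example that is not swftools code: a hypothetical image header whose width, height and bytes-per-pixel are multiplied naively in 32-bit arithmetic (so the product wraps to a small allocation) beside a checked computation that refuses to allocate when the product wraps or exceeds a policy cap. The header struct, the function names, the constructed dimensions that wrap to 4096 and the 1 GiB cap are all assumptions for illustration, not the actual values in png.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical header: the fields a decoder would take from the file's IHDR chunk. */
typedef struct { uint32_t width, height, bytes_per_pixel; } img_hdr_t;

/* Upper bound on what we are willing to allocate for one image (a policy choice). */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Naive size: the product is evaluated in 32-bit unsigned arithmetic and silently
 * wraps, so file-controlled dimensions can yield a buffer far smaller than the
 * number of pixel bytes the decoder will later write into it. */
uint32_t naive_image_size(const img_hdr_t *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Checked size: computes in size_t, rejects zero dimensions, any wrap-around and
 * anything above the policy cap. Returns 0 on success, -1 on rejection. */
int checked_image_size(const img_hdr_t *h, size_t *out)
{
    size_t w = h->width, hgt = h->height, bpp = h->bytes_per_pixel;
    if (w == 0 || hgt == 0 || bpp == 0) return -1;
    if (hgt > SIZE_MAX / w) return -1;          /* w * hgt would wrap */
    if (bpp > SIZE_MAX / (w * hgt)) return -1;  /* (w * hgt) * bpp would wrap */
    size_t total = w * hgt * bpp;
    if (total > MAX_IMAGE_BYTES) return -1;     /* policy cap */
    *out = total;
    return 0;
}

/* Allocate the pixel buffer only after the size has been validated; NULL means rejected. */
unsigned char *alloc_image(const img_hdr_t *h)
{
    size_t n;
    if (checked_image_size(h, &n) != 0) return NULL;
    return calloc(n, 1);
}
```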

@chunibalon
Author

This issue has been assigned CVE-2017-8400.
