Segmentation Fault: An out-of-bounds read of heap data issue can occur in function png_load() (lib/png.c:724). #14

Open
chunibalon opened this issue Apr 26, 2017 · 4 comments

chunibalon commented Apr 26, 2017

An out-of-bounds read of heap data issue can occur in function png_load() (lib/png.c:724).
This issue can be caused by a malformed PNG file through png2swf. Attackers could exploit this issue to result in DoS.
# compiled normally
$ analysis ./png2swf-test crashes_use/000007.png
[1] 20251 segmentation fault ./png2swf-test crashes_use/000007.png

# compiled with CFLAGS='-fsanitize=address' (AddressSanitizer)
$ analysis ./png2swf-dbg crashes_use/000007.png

==21316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006972 at pc 0x00000045976c bp 0x7ffdf08becc0 sp 0x7ffdf08becb0
READ of size 1 at 0x619000006972 thread T0
#0 0x45976b in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:736
#1 0x40865e in MovieAddFrame /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:491
#2 0x40af7d in main /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:816
#3 0x7f5fefa8e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x402838 in _start (/home/kirito/Desktop/fuzz/swftools/swftools-2013-04-09-1007/fuzz_0/analysis/png2swf-dbg+0x402838)

0x619000006972 is located 14 bytes to the left of 1056-byte region [0x619000006980,0x619000006da0)
allocated by thread T0 here:
#0 0x7f5ff0342602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4556bd in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:506

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:736 png_load
Shadow bytes around the buggy address:
0x0c327fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
0x0c327fff8d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==21316==ABORTING
The attachment is the PoC and a brief report.
000007.zip
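The ASan report above says the faulting access is a one-byte READ landing 14 bytes before the start of a heap region that png_load allocated, i.e. in the left redzone (the bracketed fa in the shadow map). That shape almost always means an index that went negative (or wrapped as an unsigned) relative to a heap buffer, rather than a run past its end. The program below is an added illustration of that bug class and is not swftools' code, nor a claim about the actual root cause of this issue; it uses a PNG scanline unfilter as the vehicle because PNG filters reference the "left" and "above" neighbours, which do not exist for the first bytes of a row or for the first row. The sample row is constructed. Built with -fsanitize=address and run with --unchecked it produces a report of the same shape (a read a few bytes to the left of a heap region); the default path runs the bounds-checked version.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PNG per-scanline filter type bytes (PNG spec, section 9 "Filtering"). */
enum { PNG_FILT_NONE = 0, PNG_FILT_SUB = 1, PNG_FILT_UP = 2,
       PNG_FILT_AVG = 3, PNG_FILT_PAETH = 4 };

/* Paeth predictor: a = left, b = above, c = above-left. */
static uint8_t paeth(uint8_t a, uint8_t b, uint8_t c)
{
    int p  = (int)a + (int)b - (int)c;
    int pa = abs(p - (int)a), pb = abs(p - (int)b), pc = abs(p - (int)c);
    if (pa <= pb && pa <= pc) return a;
    if (pb <= pc) return b;
    return c;
}

/* The unsafe pattern (illustrative, not swftools' code): for x < bpp the
 * index x - bpp wraps, so cur[x - bpp] reads bpp bytes before the start of
 * the heap buffer. Under ASan this is reported as "READ of size 1 ...
 * N bytes to the left of <region>", with the fault in the left redzone (fa). */
static void unfilter_sub_unchecked(uint8_t *cur, size_t len, size_t bpp)
{
    for (size_t x = 0; x < len; x++)
        cur[x] = (uint8_t)(cur[x] + cur[x - bpp]);
}

/* Hardened single-row unfilter. Neighbours outside the image are defined by
 * the spec as zero: no left neighbour for x < bpp, no prior row for the first
 * scanline (prev == NULL). Unknown filter types are rejected instead of being
 * used as an index. Returns 0 on success, -1 on bad input. */
static int unfilter_row(uint8_t filter, uint8_t *cur, const uint8_t *prev,
                        size_t len, size_t bpp)
{
    if (filter > PNG_FILT_PAETH || bpp == 0 || (len && !cur)) return -1;
    for (size_t x = 0; x < len; x++) {
        uint8_t a = (x >= bpp) ? cur[x - bpp] : 0;
        uint8_t b = prev ? prev[x] : 0;
        uint8_t c = (prev && x >= bpp) ? prev[x - bpp] : 0;
        uint8_t pred;
        switch (filter) {
        case PNG_FILT_NONE: pred = 0; break;
        case PNG_FILT_SUB:  pred = a; break;
        case PNG_FILT_UP:   pred = b; break;
        case PNG_FILT_AVG:  pred = (uint8_t)(((unsigned)a + b) / 2); break;
        default:            pred = paeth(a, b, c); break;
        }
        cur[x] = (uint8_t)(cur[x] + pred);
    }
    return 0;
}

/* Constructed sample: a 4-pixel RGB row (bpp = 3, 12 bytes) that was
 * Sub-filtered, decoded as the first scanline (no prior row). Returns the
 * reconstructed byte at index i, or -1 if i is out of range. */
static int demo_first_row_byte(size_t i)
{
    uint8_t row[12] = {10, 20, 30, 1, 1, 1, 1, 1, 1, 1, 1, 1};
    if (i >= sizeof row) return -1;
    if (unfilter_row(PNG_FILT_SUB, row, NULL, sizeof row, 3) != 0) return -1;
    return row[i];  /* 10 20 30 11 21 31 12 22 32 13 23 33 */
}

int main(int argc, char **argv)
{
    uint8_t *row = malloc(12);   /* heap buffer, like the region in the ASan report */
    if (!row) return 1;
    memset(row, 1, 12);
    if (argc > 1 && strcmp(argv[1], "--unchecked") == 0) {
        /* With -fsanitize=address: heap-buffer-overflow, READ of size 1,
         * 3 bytes to the left of the 12-byte region. */
        unfilter_sub_unchecked(row, 12, 3);
    } else {
        unfilter_row(PNG_FILT_SUB, row, NULL, 12, 3);
    }
    for (size_t i = 0; i < 12; i++)
        printf("%u%s", (unsigned)row[i], i + 1 < 12 ? " " : "\n");
    free(row);
    return 0;
}
```

The check worth carrying over to any decoder in this position is the pair of guards in unfilter_row: every neighbour lookup is conditioned on the neighbour existing, and the filter byte read from the file is validated before it selects behaviour. A fix that only bounds the right-hand end of the buffer would not have caught the read this issue reports, because it lands before the buffer, not after it.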

carnil commented May 7, 2017

Hi

Is this issue really fixed? In a build with 392fb1f applied I still get an out-of-bounds read in png_load (note that line numbers are not the same, since the build is done on top of the source in Debian with the fixes for #13 and #14 applied on top):

~/swftools-0.9.2+git20130725# ./src/png2swf ~/000007.png 
=================================================================
==30045==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006972 at pc 0x00000042da36 bp 0x7ffd0e888730 sp 0x7ffd0e888728
READ of size 1 at 0x619000006972 thread T0
    #0 0x42da35 in png_load lib/png.c:740
    #1 0x406061 in MovieAddFrame src/png2swf.c:491
    #2 0x402be3 in main src/png2swf.c:816
    #3 0x7f73be63f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #4 0x4030e9 in _start (/root/swftools-0.9.2+git20130725/src/png2swf+0x4030e9)

0x619000006972 is located 14 bytes to the left of 1057-byte region [0x619000006980,0x619000006da1)
allocated by thread T0 here:
    #0 0x7f73bfb3fd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x42b1af in png_load lib/png.c:506
    #2 0x406061 in MovieAddFrame src/png2swf.c:491
    #3 0x402be3 in main src/png2swf.c:816
    #4 0x7f73be63f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow lib/png.c:740 in png_load
Shadow bytes around the buggy address:
  0x0c327fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0c327fff8d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30045==ABORTING
~/swftools-0.9.2+git20130725#

matthiaskramm reopened this May 8, 2017

matthiaskramm (Owner) commented:
Reopening for investigation.

chunibalon (Author) commented:

This issue has been assigned CVE-2017-8401.

carnil commented May 25, 2017 via email
