Segmentation Fault:An out-of-bound read of heap data issue can occur in function png_load()(lib/png.c:724). #14
Comments
Hi, is this issue really fixed? In a build with 392fb1f applied I still get an out-of-bound read in png_load (note that line numbers are not the same, since the build is done on top of the source in Debian with the fixes for #13 and #14 applied on top):

Reopening for investigation.

This issue has been assigned CVE-2017-8401.
Hi
On Mon, May 08, 2017 at 06:40:57AM -0700, Matthias Kramm wrote:
> Reopening for investigation.
Any news yet?
Thanks a lot for your work!
An out-of-bound read of heap data issue can occur in function png_load()(lib/png.c:724).
This issue can be caused by a malformed PNG file through png2swf. Attackers could exploit this issue to cause a DoS.
#compiled normally
$ analysis ./png2swf-test crashes_use/000007.png
[1] 20251 segmentation fault ./png2swf-test crashes_use/000007.png
#compiled with CFLAGS='-fsanitize=address' (AddressSanitizer)
$ analysis ./png2swf-dbg crashes_use/000007.png
==21316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006972 at pc 0x00000045976c bp 0x7ffdf08becc0 sp 0x7ffdf08becb0
READ of size 1 at 0x619000006972 thread T0
#0 0x45976b in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:736
#1 0x40865e in MovieAddFrame /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:491
#2 0x40af7d in main /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:816
#3 0x7f5fefa8e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x402838 in _start (/home/kirito/Desktop/fuzz/swftools/swftools-2013-04-09-1007/fuzz_0/analysis/png2swf-dbg+0x402838)
0x619000006972 is located 14 bytes to the left of 1056-byte region [0x619000006980,0x619000006da0)
allocated by thread T0 here:
#0 0x7f5ff0342602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4556bd in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:506
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:736 png_load
Shadow bytes around the buggy address:
==21316==ABORTING
The attachment is the PoC and a brief report.
000007.zip
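Reading sanitizer output like the trace above by hand gets error-prone once a fuzzing run produces dozens of them. The following is an added example, not part of this issue or of swftools, that reduces a report of this shape to the facts a triager needs: access kind and size, the signed offset from the allocation (negative here, since the read lands before the buffer), the faulting and allocating source frames, and a cross-check that the reported address agrees with the region bounds. The embedded excerpt is constructed from the lines quoted above, with the shadow-byte map omitted.

```python
import re

# Constructed excerpt of the sanitizer output quoted in the issue (shadow-byte map omitted).
ASAN_REPORT = """\
==21316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006972 at pc 0x00000045976c bp 0x7ffdf08becc0 sp 0x7ffdf08becb0
READ of size 1 at 0x619000006972 thread T0
    #0 0x45976b in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:736
    #1 0x40865e in MovieAddFrame /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:491
    #2 0x40af7d in main /home/kirito/Desktop/fuzz/swftools/swftools/src/png2swf.c:816
0x619000006972 is located 14 bytes to the left of 1056-byte region [0x619000006980,0x619000006da0)
allocated by thread T0 here:
    #0 0x7f5ff0342602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4556bd in png_load /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:506
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/swftools/swftools/lib/png.c:736 png_load
"""
_HEADER = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
_REGION = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
                     r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
# Only frames that resolved to file:line match; libasan/libc frames like "malloc (...so)" do not.
_FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<fn>\S+) (?P<file>[^:\s(]+):(?P<line>\d+)", re.M)

def first_source_frame(stack):
    """(function, file, line) of the first frame in user source, or None."""
    m = _FRAME.search(stack)
    return (m["fn"], m["file"], int(m["line"])) if m else None

def triage_asan(report):
    """Reduce an ASan heap-buffer-overflow report to the facts a triager needs."""
    head, _, tail = report.partition("allocated by thread")   # access stack | allocation stack
    hdr, acc, reg = _HEADER.search(head), _ACCESS.search(head), _REGION.search(head)
    if not (hdr and acc and reg):
        raise ValueError("not a heap-buffer-overflow report with a region line")
    # Signed byte offset of the access from the region start; negative means before the buffer.
    off = -int(reg["dist"]) if reg["side"] == "left" else int(reg["rsize"]) + int(reg["dist"])
    return {
        "kind": hdr["kind"], "op": acc["op"], "size": int(acc["size"]),
        "offset": off, "region_size": int(reg["rsize"]),
        "direction": "underflow" if reg["side"] == "left" else "overflow",
        # an out-of-bounds read typically means crash or info disclosure; a write, heap corruption
        "impact": "DoS / info disclosure" if acc["op"] == "READ" else "memory corruption",
        "fault": first_source_frame(head),
        "alloc": first_source_frame(tail),
        # cross-check: the faulting address must equal region start + offset
        "consistent": int(hdr["addr"], 16) == int(reg["lo"], 16) + off,
    }

if __name__ == "__main__":
    print(triage_asan(ASAN_REPORT))
```

For this report the result places the read 14 bytes before the 1056-byte buffer allocated at png.c:506, with the fault at png.c:736, which is the pairing to compare across builds when line numbers shift, as in the Debian rebuild mentioned above.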