heap overflow in stb_image.h:2099 #1108

Closed
@Kaka201

Description

Heap overflow caused by a crafted JPEG file in stb_image.h:2099
PoC: poc_hoob.zip

ASan report:

==42271==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000559f20 at pc 0x00000051a2dd bp 0x7ffd06a9e900 sp 0x7ffd06a9e8f8
READ of size 4 at 0x000000559f20 thread T0
    #0 0x51a2dc in stbi__extend_receive /home/kaka/fuzz/stb/tests/./../stb_image.h:2099:16
    #1 0x518400 in stbi__jpeg_decode_block /home/kaka/fuzz/stb/tests/./../stb_image.h:2154:15
    #2 0x517173 in stbi__parse_entropy_coded_data /home/kaka/fuzz/stb/tests/./../stb_image.h:2920:30
    #3 0x5138d0 in stbi__decode_jpeg_image /home/kaka/fuzz/stb/tests/./../stb_image.h:3321:15
    #4 0x510a21 in load_jpeg_image /home/kaka/fuzz/stb/tests/./../stb_image.h:3773:9
    #5 0x4fe7b1 in stbi__jpeg_load /home/kaka/fuzz/stb/tests/./../stb_image.h:3930:13
    #6 0x4f8b3f in stbi__load_and_postprocess_8bit /home/kaka/fuzz/stb/tests/./../stb_image.h:1203:19
    #7 0x4f9d12 in stbi_load_from_memory /home/kaka/fuzz/stb/tests/./../stb_image.h:1373:11
    #8 0x4fd734 in LLVMFuzzerTestOneInput /home/kaka/fuzz/stb/tests/stbi_read_fuzzer.c:19:26
    #9 0x4f84fd in main /home/kaka/fuzz/stb/tests/fuzz_main.c:48:11
    #10 0x7fd09b4ea83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x41b038 in _start (/home/kaka/fuzz/stb/tests/image_fuzzer+0x41b038)

0x000000559f20 is located 32 bytes to the left of global variable '<string literal>' defined in './../stb_image.h:2198:33' (0x559f40) of size 22
  '<string literal>' is ascii string 'can't merge dc and ac'
0x000000559f20 is located 0 bytes to the right of global variable 'stbi__jbias' defined in './../stb_image.h:2083:18' (0x559ee0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow /home/kaka/fuzz/stb/tests/./../stb_image.h:2099:16 in stbi__extend_receive
Shadow bytes around the buggy address:
  0x0000800a3390: 00 04 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x0000800a33a0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
  0x0000800a33b0: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800a33c0: 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
  0x0000800a33d0: 00 00 00 00 00 00 00 02 f9 f9 f9 f9 00 00 00 00
=>0x0000800a33e0: 00 00 00 00[f9]f9 f9 f9 00 00 06 f9 f9 f9 f9 f9
  0x0000800a33f0: 00 04 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
  0x0000800a3400: 00 06 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
  0x0000800a3410: 00 00 04 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
  0x0000800a3420: 00 00 f9 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
  0x0000800a3430: 00 00 05 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==42271==ABORTING