Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in stbi__out_gif_code #656

Closed
tianxiaogu opened this issue Sep 12, 2018 · 1 comment

Comments

Projects
None yet
3 participants
@tianxiaogu
Copy link

commented Sep 12, 2018

Using the following code we are able to trigger a heap-buffer-overflow on the attached file 760.zip.

#define STB_IMAGE_IMPLEMENTATION
#include "stb_image.h"
int main(int v, char** argv) {
  int x,y,n;
  unsigned char *data = stbi_load(argv[1], &x, &y, &n, 0);
  // ... process data if not NULL ...
  // ... x = width, y = height, n = # 8-bit components per pixel ...
  // ... replace '0' with '1'..'4' to force that many components per pixel
  // ... but 'n' will always be the number that it would have been if you said 0
  stbi_image_free(data);
  return 0;
}

Command line:

unzip 760.zip
clang -fsanitize=address -lm main.c -g
./a.out 760

Output:

=================================================================
==6976==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x000000568100 bp 0x7ffeedaf0760 sp 0x7ffeedaf0758
WRITE of size 1 at 0x619000000480 thread T0
    #0 0x5680ff in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6229:24
    #1 0x567ead in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6223:7
    #2 0x567ead in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6223:7
    #3 0x567d1c in stbi__process_gif_raster /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6322:13
    #4 0x566530 in stbi__gif_load_next /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6439:17
    #5 0x53188c in stbi__gif_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6569:8
    #6 0x52d10e in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:989:35
    #7 0x52663e in stbi__load_and_postprocess_8bit /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1088:19
    #8 0x5262fe in stbi_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1174:13
    #9 0x5260b0 in stbi_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1164:13
    #10 0x52cdc1 in main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/main.c:5:25
    #11 0x7f74b5913b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a6d9 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/stbload/a.out+0x41a6d9)

0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x4e4a07 in malloc /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x52aae4 in stbi__malloc /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:859:12
    #2 0x564bc3 in stbi__gif_load_next /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6352:32
    #3 0x53188c in stbi__gif_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6569:8
    #4 0x52d10e in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:989:35
    #5 0x52663e in stbi__load_and_postprocess_8bit /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1088:19
    #6 0x5262fe in stbi_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1174:13
    #7 0x5260b0 in stbi_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1164:13
    #8 0x52cdc1 in main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/main.c:5:25
    #9 0x7f74b5913b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6229:24 in stbi__out_gif_code
Shadow bytes around the buggy address:
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6976==ABORTING

@abergmann

This comment has been minimized.

Copy link

commented Sep 13, 2018

CVE-2018-16981 was assigned to this issue.

rygorous added a commit to rygorous/stb that referenced this issue Mar 2, 2019

stb_image: Fix multiple bugs in GIF decoder.
1. Check not just g->out allocation for failure.
2. If an image descriptor specified a 0-width image, this could be
   used to produce an out-of-bounds write.
3. Fix memory leak in case an error occurs during decoding.

Fixes issue nothings#656.

@rygorous rygorous closed this Mar 4, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.