heap-buffer-overflow in stbi__out_gif_code #656

Closed
tianxiaogu opened this issue Sep 12, 2018 · 1 comment
Comments

@tianxiaogu

Using the following code we are able to trigger a heap-buffer-overflow on the attached file 760.zip.

#define STB_IMAGE_IMPLEMENTATION
#include "stb_image.h"
int main(int argc, char** argv) {
  int x,y,n;
  unsigned char *data = stbi_load(argv[1], &x, &y, &n, 0); // argv[1]: the crafted GIF (760)
  // ... process data if not NULL ...
  // ... x = width, y = height, n = # 8-bit components per pixel ...
  // ... replace '0' with '1'..'4' to force that many components per pixel
  // ... but 'n' will always be the number that it would have been if you said 0
  stbi_image_free(data); // accepts NULL, so a failed load is still safe here
  return 0;
}

Command line:

unzip 760.zip
clang -fsanitize=address -lm main.c -g
./a.out 760

Output:

=================================================================
==6976==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x000000568100 bp 0x7ffeedaf0760 sp 0x7ffeedaf0758
WRITE of size 1 at 0x619000000480 thread T0
    #0 0x5680ff in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6229:24
    #1 0x567ead in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6223:7
    #2 0x567ead in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6223:7
    #3 0x567d1c in stbi__process_gif_raster /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6322:13
    #4 0x566530 in stbi__gif_load_next /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6439:17
    #5 0x53188c in stbi__gif_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6569:8
    #6 0x52d10e in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:989:35
    #7 0x52663e in stbi__load_and_postprocess_8bit /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1088:19
    #8 0x5262fe in stbi_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1174:13
    #9 0x5260b0 in stbi_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1164:13
    #10 0x52cdc1 in main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/main.c:5:25
    #11 0x7f74b5913b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a6d9 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/stbload/a.out+0x41a6d9)

0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x4e4a07 in malloc /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x52aae4 in stbi__malloc /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:859:12
    #2 0x564bc3 in stbi__gif_load_next /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6352:32
    #3 0x53188c in stbi__gif_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6569:8
    #4 0x52d10e in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:989:35
    #5 0x52663e in stbi__load_and_postprocess_8bit /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1088:19
    #6 0x5262fe in stbi_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1174:13
    #7 0x5260b0 in stbi_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1164:13
    #8 0x52cdc1 in main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/main.c:5:25
    #9 0x7f74b5913b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6229:24 in stbi__out_gif_code
Shadow bytes around the buggy address:
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6976==ABORTING

@abergmann

CVE-2018-16981 was assigned to this issue.

rygorous added a commit to rygorous/stb that referenced this issue Mar 2, 2019
1. Check not just g->out allocation for failure.
2. If an image descriptor specified a 0-width image, this could be
   used to produce an out-of-bounds write.
3. Fix memory leak in case an error occurs during decoding.

Fixes issue nothings#656.
@rygorous rygorous closed this as completed Mar 4, 2019
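The commit message above attributes the bug to an image descriptor with a 0-width rectangle reaching an out-of-bounds write. The C program below is an added example that models that condition; it is not stb_image's code and does not reproduce the LZW decoder. It assumes the decoder's only geometry check is "x + w > canvas width || y + h > canvas height" (so w == 0 with x equal to the canvas width passes it), that the pixel cursor indexes an RGBA buffer of canvas_w * canvas_h * 4 bytes as cur_x + cur_y, and that the bottom-edge guard is cur_y >= max_y. The 16x16 canvas and the descriptor at x=16, y=15, w=0, h=1 are constructed values chosen so the first write lands exactly one byte past a 1024-byte buffer, the shape of the ASan report above. The hardened flag applies one possible mitigation, moving the cursor to max_y when w == 0 so the guard fires before any store; that is an assumed rendering of the fix, not the project's patch.

```c
#include <stdio.h>
#include <string.h>

/* Cursor state for walking one image descriptor (sub-rectangle) inside an
 * RGBA canvas. All fields are byte offsets: 4 bytes per pixel. */
typedef struct {
    int line_size;          /* canvas width * 4 */
    int start_x, start_y;   /* top-left corner of the descriptor rectangle */
    int max_x, max_y;       /* exclusive right / bottom edge */
    int cur_x, cur_y;       /* write cursor */
    size_t out_len;         /* pixel buffer size in bytes */
} gif_cursor;

/* Returns 0 on success, -1 if the rectangle does not fit the canvas.
 * Assumed check: with w == 0, x == canvas_w passes, so start_x == line_size
 * and the cursor points one row past whatever row the descriptor names.
 * hardened != 0 applies the assumed mitigation for zero-width rectangles. */
int cursor_setup(gif_cursor *g, int canvas_w, int canvas_h,
                 int x, int y, int w, int h, int hardened)
{
    if (canvas_w <= 0 || canvas_h <= 0 || x < 0 || y < 0 || w < 0 || h < 0)
        return -1;
    if (x + w > canvas_w || y + h > canvas_h)
        return -1;
    g->line_size = canvas_w * 4;
    g->start_x = x * 4;
    g->start_y = y * g->line_size;
    g->max_x   = g->start_x + w * 4;
    g->max_y   = g->start_y + h * g->line_size;
    g->cur_x   = g->start_x;
    g->cur_y   = g->start_y;
    g->out_len = (size_t)canvas_w * canvas_h * 4;
    if (hardened && w == 0)
        g->cur_y = g->max_y;   /* nothing to draw: make the y guard fire */
    return 0;
}

/* Emit one pixel at the cursor. Returns the byte offset the decoder would
 * store to, or -1 if the bottom-edge guard stopped it. The store itself is
 * bounds-checked here so the demo never corrupts memory; in the real decoder
 * the unguarded store at this offset is the write ASan reports. */
long emit_pixel(gif_cursor *g, unsigned char *out, const unsigned char rgba[4])
{
    if (g->cur_y >= g->max_y)
        return -1;
    long off = (long)g->cur_x + g->cur_y;
    if ((size_t)off + 4 <= g->out_len)
        memcpy(out + off, rgba, 4);
    g->cur_x += 4;
    if (g->cur_x >= g->max_x) {          /* row done (immediately when w == 0) */
        g->cur_x = g->start_x;
        g->cur_y += g->line_size;
    }
    return off;
}

/* Constructed repro geometry: 16x16 canvas (1024-byte buffer), descriptor at
 * x=16, y=15 with w=0, h=1. Returns the first offset the decoder would write
 * (1024 == one past the buffer when unhardened), or -1 when suppressed. */
long first_write_offset(int hardened)
{
    gif_cursor g;
    unsigned char out[16 * 16 * 4];
    const unsigned char px[4] = {0x11, 0x22, 0x33, 0xff};
    memset(out, 0, sizeof out);
    if (cursor_setup(&g, 16, 16, 16, 15, 0, 1, hardened) != 0)
        return -2;
    return emit_pixel(&g, out, px);
}

/* Sanity case: a full-canvas descriptor writes its first pixel at offset 0. */
long normal_first_offset(void)
{
    gif_cursor g;
    unsigned char out[16 * 16 * 4];
    const unsigned char px[4] = {0x11, 0x22, 0x33, 0xff};
    if (cursor_setup(&g, 16, 16, 0, 0, 16, 16, 1) != 0)
        return -2;
    return emit_pixel(&g, out, px);
}

int main(void)
{
    printf("unhardened: first write at byte %ld of a %d-byte buffer\n",
           first_write_offset(0), 16 * 16 * 4);
    printf("hardened:   %s\n",
           first_write_offset(1) < 0 ? "write suppressed" : "write happened");
    return 0;
}
```

Run as is (no sanitizer needed, since emit_pixel refuses the out-of-range store); the point is the offset it reports. Note that the geometry check alone is not enough: it rejects x + w > canvas_w, yet a zero-width rectangle at x == canvas_w satisfies it while placing the first store at line_size past the row, which on the last row is past the allocation.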