Using the following code we are able to trigger a heap-buffer-overflow on the attached file 760.zip.
```c
#define STB_IMAGE_IMPLEMENTATION
#include "stb_image.h"
#include <stdio.h>

int main(int argc, char **argv) {
    int x, y, n;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <image-file>\n", argv[0]);
        return 1;
    }
    // Load the attached reproducer with the component count left at 0 (native).
    unsigned char *data = stbi_load(argv[1], &x, &y, &n, 0);
    // ... process data if not NULL ...
    // ... x = width, y = height, n = # 8-bit components per pixel ...
    // ... replace '0' with '1'..'4' to force that many components per pixel
    // ... but 'n' will always be the number that it would have been if you said 0
    stbi_image_free(data);
    return 0;
}
```
```text
=================================================================
==6976==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x000000568100 bp 0x7ffeedaf0760 sp 0x7ffeedaf0758
WRITE of size 1 at 0x619000000480 thread T0
    #0 0x5680ff in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6229:24
    #1 0x567ead in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6223:7
    #2 0x567ead in stbi__out_gif_code /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6223:7
    #3 0x567d1c in stbi__process_gif_raster /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6322:13
    #4 0x566530 in stbi__gif_load_next /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6439:17
    #5 0x53188c in stbi__gif_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6569:8
    #6 0x52d10e in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:989:35
    #7 0x52663e in stbi__load_and_postprocess_8bit /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1088:19
    #8 0x5262fe in stbi_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1174:13
    #9 0x5260b0 in stbi_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1164:13
    #10 0x52cdc1 in main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/main.c:5:25
    #11 0x7f74b5913b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41a6d9 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/stbload/a.out+0x41a6d9)

0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x4e4a07 in malloc /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x52aae4 in stbi__malloc /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:859:12
    #2 0x564bc3 in stbi__gif_load_next /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6352:32
    #3 0x53188c in stbi__gif_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6569:8
    #4 0x52d10e in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:989:35
    #5 0x52663e in stbi__load_and_postprocess_8bit /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1088:19
    #6 0x5262fe in stbi_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1174:13
    #7 0x5260b0 in stbi_load /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:1164:13
    #8 0x52cdc1 in main /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/main.c:5:25
    #9 0x7f74b5913b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/t/Projects/afl/fuzzing-experiments/subjects/stbload/./stb_image.h:6229:24 in stbi__out_gif_code
Shadow bytes around the buggy address:
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6976==ABORTING
```
1. Check not just g->out allocation for failure.
2. If an image descriptor specified a 0-width image, this could be used to produce an out-of-bounds write.
3. Fix memory leak in case an error occurs during decoding.

Fixes issue nothings#656.
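The two defensive checks the fix commit describes (reject a zero-area image descriptor; test every allocation, not only the first, for failure) are shown below in a small stand-alone GIF image-descriptor validator. This is an added example written for this page, not code from stb_image or from the fix; the sample descriptors are constructed, not taken from the attached 760.zip, and the rule that a frame must fit inside the logical screen is an assumption of this validator, not something the issue states.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A GIF image descriptor is 10 bytes: 0x2C separator, then left, top,
 * width, height as little-endian u16, then a packed flags byte. */
typedef struct { uint16_t left, top, width, height; } gif_image_desc;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate a descriptor against the logical-screen size from the header.
 * 0 = ok, -1 = short input / bad separator, -2 = zero-area frame,
 * -3 = frame rectangle does not fit inside the logical screen. */
int gif_parse_image_desc(const uint8_t *buf, size_t len,
                         uint16_t screen_w, uint16_t screen_h,
                         gif_image_desc *out)
{
    if (len < 10 || buf[0] != 0x2C) return -1;
    out->left = le16(buf + 1);  out->top = le16(buf + 3);
    out->width = le16(buf + 5); out->height = le16(buf + 7);
    /* A 0-width (or 0-height) frame makes the "advance to next row"
     * arithmetic of an LZW raster writer meaningless: refuse it outright. */
    if (out->width == 0 || out->height == 0) return -2;
    /* 32-bit sums so left+width cannot wrap at 16 bits. */
    if ((uint32_t)out->left + out->width > screen_w ||
        (uint32_t)out->top + out->height > screen_h) return -3;
    return 0;
}

/* Allocate the frame buffer with an overflow-checked size; the caller must
 * treat NULL as a decode error, as it must for every other allocation. */
unsigned char *gif_alloc_frame(uint16_t w, uint16_t h, unsigned comps)
{
    uint64_t bytes = (uint64_t)w * h * comps;
    if (bytes == 0 || bytes > (uint64_t)SIZE_MAX) return NULL;
    return calloc(1, (size_t)bytes);
}

/* Constructed sample descriptors for a 4x2 logical screen (hypothetical,
 * not from the reproducer attached to the issue). */
static const uint8_t DESC_OK[10]      = {0x2C, 0,0, 0,0, 4,0, 2,0, 0x00};
static const uint8_t DESC_ZERO_W[10]  = {0x2C, 0,0, 0,0, 0,0, 2,0, 0x00};
static const uint8_t DESC_OOB[10]     = {0x2C, 3,0, 0,0, 4,0, 2,0, 0x00};
static const uint8_t DESC_BAD_SEP[10] = {0x21, 0,0, 0,0, 4,0, 2,0, 0x00};

/* Helper returning only the validation code for a sample descriptor. */
int check_desc(const uint8_t *buf, uint16_t screen_w, uint16_t screen_h)
{
    gif_image_desc d;
    return gif_parse_image_desc(buf, sizeof DESC_OK, screen_w, screen_h, &d);
}
```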