buffer overflow with corrupted ico

[frokaikan]

I found a heap-buffer-overflow when cat an image:
img.zip

=================================================================
==30486==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e82 at pc 0x0000005349b5 bp 0x7ffe3a703e70 sp 0x7ffe3a703e68
WRITE of size 1 at 0x619000000e82 thread T0
#0 0x5349b4 in stbi__bmp_load_cont /opt/catimg/src/stb_image.h:4748:25
#1 0x52a06f in stbi__ico_load /opt/catimg/src/stb_image.h:4867:15
#2 0x518fcf in stbi__xload_main /opt/catimg/src/sh_image.c:72:26
#3 0x51a553 in stbi_xload /opt/catimg/src/sh_image.c:92:18
#4 0x51b0c7 in img_load_from_file /opt/catimg/src/sh_image.c:188:30
#5 0x513847 in main /opt/catimg/src/catimg.c:115:9
#6 0x7fd91b062b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#7 0x41b029 in _start (/opt/catimg/asan/bin/catimg+0x41b029)

0x619000000e82 is located 2 bytes to the right of 1024-byte region [0x619000000a80,0x619000000e80)
allocated by thread T0 here:
#0 0x4daee0 in malloc (/opt/catimg/asan/bin/catimg+0x4daee0)
#1 0x533785 in stbi__bmp_load_cont /opt/catimg/src/stb_image.h:4684:22
#2 0x52a06f in stbi__ico_load /opt/catimg/src/stb_image.h:4867:15
#3 0xff00000000000003 ()

SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/catimg/src/stb_image.h:4748:25 in stbi__bmp_load_cont
Shadow bytes around the buggy address:
0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff81d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30486==ABORTING

[carnil]

This issue was assigned CVE-2018-13794

[posva]

@carnil What does that even mean?

[carnil]

On Fri, Jul 13, 2018 at 12:41:48PM -0700, Eduardo San Martin Morote wrote: @carnil What does that even mean?

@posva: I'm only a messenger here. When the issue was reported someone requested a CVE identifier for it to identify the vulnerability. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures#CVE_identifiers

[ignatenkobrain]

ping @posva, this is vulnerability which should be fixed asap (i.e. it is not enhancement but rather security bug).

[posva]

Feel free to submit a pr as the label shows :)