
stack buffer-overflow in stbi__compute_huffman_codes #36

Closed
tianxiaogu opened this issue Sep 11, 2018 · 1 comment

Comments

@tianxiaogu (Contributor)

A stack buffer-overflow is detected. Attached is the test case that can reproduce the issue. You need to compile catimg with ASAN.
sbo-1.zip

=================================================================
==16406==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc9166dc0f at pc 0x0000005450e6 bp 0x7ffc9166d370 sp 0x7ffc9166d368
READ of size 1 at 0x7ffc9166dc0f thread T0
    #0 0x5450e5 in stbi__compute_huffman_codes /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3708:29
    #1 0x5450e5 in stbi__parse_zlib /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3803
    #2 0x5450e5 in stbi__do_zlib /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3818
    #3 0x5eb136 in stbi_zlib_decode_malloc_guesssize_headerflag /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3849:8
    #4 0x5eb136 in stbi__parse_png_file /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:4422
    #5 0x615cf6 in stbi__do_png /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:4472:8
    #6 0x615cf6 in stbi__png_load /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:4495
    #7 0x565630 in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h
    #8 0x556121 in stbi__xload_main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:72:26
    #9 0x5bea05 in stbi_xload /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:92:18
    #10 0x5bea05 in img_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:188
    #11 0x52836c in main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/catimg.c:115:9
    #12 0x7fc5fe7ffb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41bbe9 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/catimg/bin/catimg+0x41bbe9)

Address 0x7ffc9166dc0f is located in stack of thread T0 at offset 2191 in frame
    #0 0x53d3ef in stbi__do_zlib /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3812

  This frame has 4 object(s):
    [32, 2052) 'z_codelength.i.i' (line 3684)
    [2192, 2647) 'lencodes.i.i' (line 3685) <== Memory access at offset 2191 underflows this variable
    [2720, 2739) 'codelength_sizes.i.i' (line 3686)
    [2784, 2788) 'header.i.i' (line 3729)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3708:29 in stbi__compute_huffman_codes
==16406==ABORTING
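Added example, not code from catimg or stb_image.h. The report shows a one-byte read just before the start of lencodes (offset 2191, with lencodes beginning at 2192), i.e. an index of -1. In the DEFLATE dynamic Huffman header (RFC 1951 section 3.2.7) that shape is consistent with the "repeat the previous code length" symbol (16) arriving before any length has been written, so lencodes[n-1] is read with n == 0; the decoder below expands the code-length alphabet with that case and the other run-length overruns rejected. It assumes the symbols and their extra bits have already been Huffman-decoded, and its input streams are constructed.

```c
#include <string.h>
#define MAX_LENCODES (286 + 32 + 137) /* the lencodes bound stb_image.h uses */

/* Huffman-decoded code-length symbol (RFC 1951 3.2.7) plus its extra-bit value */
typedef struct { int sym; int extra; } clsym_t;

/* Expand code-length symbols into ntot (hlit + hdist) lengths; returns count or -1 if corrupt */
static int expand_code_lengths(const clsym_t *in, int nin, int ntot,
                               unsigned char *lencodes, int cap)
{
    int n = 0, i = 0;
    if (ntot < 0 || ntot > cap) return -1;
    while (n < ntot) {
        int c, run, fill = 0;
        if (i >= nin) return -1;                 /* stream ends before ntot lengths */
        c = in[i].sym;
        if (c < 0 || c >= 19) return -1;         /* not a code-length symbol */
        if (c < 16) { lencodes[n++] = (unsigned char)c; i++; continue; }
        if (c == 16) {                           /* repeat previous length 3..6 times */
            run = in[i].extra + 3;
            if (n == 0) return -1;               /* nothing to repeat: lencodes[n-1] would be lencodes[-1] */
            fill = lencodes[n - 1];
        } else if (c == 17) {                    /* 3..10 zero lengths */
            run = in[i].extra + 3;
        } else {                                 /* c == 18: 11..138 zero lengths */
            run = in[i].extra + 11;
        }
        if (run < 3 || ntot - n < run) return -1; /* bad extra bits or run overruns the table */
        memset(lencodes + n, fill, (size_t)run);
        n += run; i++;
    }
    return n;
}

/* Constructed stream: length 8, "repeat previous 4x", "5 zeros" -> 10 lengths. */
int demo_valid_stream(void)
{
    const clsym_t s[] = { {8, 0}, {16, 1}, {17, 2} };
    unsigned char lens[MAX_LENCODES];
    int n = expand_code_lengths(s, 3, 10, lens, MAX_LENCODES);
    return (n == 10 && lens[0] == 8 && lens[4] == 8 && lens[5] == 0) ? n : -2;
}

/* Constructed stream whose first symbol is 16, the shape the report points at. */
int demo_repeat_with_no_previous(void)
{
    const clsym_t s[] = { {16, 0}, {8, 0} };
    unsigned char lens[MAX_LENCODES];
    return expand_code_lengths(s, 2, 10, lens, MAX_LENCODES); /* -1 instead of reading lens[-1] */
}
```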

@posva (Owner) commented Sep 11, 2018

Thanks for posting this, but these are all related to the external lib that loads images. I accept PRs for fixing these, but I don't have time to fix it myself 🙂
