Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AddressSanitizer: heap-buffer-overflow on write_png_to_file function #90

Closed
wcventure opened this issue Jun 28, 2019 · 1 comment
Closed

AddressSanitizer: heap-buffer-overflow on write_png_to_file function #90

wcventure opened this issue Jun 28, 2019 · 1 comment

Comments

@wcventure
Copy link

POC:
POC.zip

Reproduce:
sixel2png $POC

=================================================================
==25754==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000054d at pc 0x000000510311 bp 0x7fff615f9850 sp 0x7fff615f9848
READ of size 1 at 0x60400000054d thread T0
    #0 0x510310 in write_png_to_file /home/wencheng/Documents/FuzzingObject/libsixel/src/writer.c:140:22
    #1 0x510310 in sixel_helper_write_image_file /home/wencheng/Documents/FuzzingObject/libsixel/src/writer.c:322
    #2 0x50e373 in sixel_decoder_decode /home/wencheng/Documents/FuzzingObject/libsixel/src/decoder.c:318:14
    #3 0x50c8fc in main /home/wencheng/Documents/FuzzingObject/libsixel/converters/sixel2png.c:226:14
    #4 0x7fb00c79482f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x419fa8 in _start (/home/wencheng/Documents/FuzzingObject/libsixel/build/bin/sixel2png+0x419fa8)

Address 0x60400000054d is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wencheng/Documents/FuzzingObject/libsixel/src/writer.c:140:22 in write_png_to_file
Shadow bytes around the buggy address:
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff80a0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25754==ABORTING
@saitoha
Copy link
Owner

saitoha commented Dec 17, 2019

Fixed on v1.8.3 with 1377517, Thanks!

@saitoha saitoha closed this as completed Dec 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@saitoha @wcventure