AddressSanitizer: heap-use-after-free at heif_context.h:117 #123

Closed
hongxuchen opened this issue Apr 14, 2019 · 2 comments
Comments

@hongxuchen

As of dcbfa77, ./heif-convert $FILE /tmp/test.png may report a heap-use-after-free error when libheif is compiled with AddressSanitizer.

==16294==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000004a0 at pc 0x7ffff78fe3f6 bp 0x7fffffff89a0 sp 0x7fffffff8998
WRITE of size 8 at 0x6030000004a0 thread T0
    #0 0x7ffff78fe3f5 in std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr_base.h:1122:69
    #1 0x7ffff78fb156 in std::shared_ptr<heif::HeifContext::Image>::operator=(std::shared_ptr<heif::HeifContext::Image> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr.h:296:65
    #2 0x7ffff792a808 in heif::HeifContext::Image::set_alpha_channel(std::shared_ptr<heif::HeifContext::Image>) /home/hongxu/FOT/libheif/libheif-asan/libheif/./heif_context.h:117:75
    #3 0x7ffff790cba1 in heif::HeifContext::interpret_heif_file() /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:584:34
    #4 0x7ffff7910164 in heif::HeifContext::read_from_file(char const*) /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:351:10
    #5 0x7ffff78e3e46 in heif_context_read_from_file /home/hongxu/FOT/libheif/libheif-asan/libheif/heif.cc:184:29
    #6 0x4f84bd in main /home/hongxu/FOT/libheif/libheif-asan/examples/heif_convert.cc:164:9
    #7 0x7ffff5dd5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41cf49 in _start (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x41cf49)

0x6030000004a0 is located 16 bytes inside of 27-byte region [0x603000000490,0x6030000004ab)
freed by thread T0 here:
    #0 0x4f4c12 in operator delete(void*) (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x4f4c12)
    #1 0x7ffff790c82e in heif::HeifContext::interpret_heif_file() /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:574:15
    #2 0x7ffff7910164 in heif::HeifContext::read_from_file(char const*) /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:351:10
    #3 0x7ffff78e3e46 in heif_context_read_from_file /home/hongxu/FOT/libheif/libheif-asan/libheif/heif.cc:184:29
    #4 0x4f84bd in main /home/hongxu/FOT/libheif/libheif-asan/examples/heif_convert.cc:164:9
    #5 0x7ffff5dd5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x4f3fd2 in operator new(unsigned long) (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x4f3fd2)
    #1 0x7ffff6c8e26c in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x12726c)
    #2 0x60600000031f  (<unknown module>)
LLVMSymbolizer: error reading file: No such file or directory
    #3 0x7fffffff929f  ([stack]+0x1d29f)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr_base.h:1122:69 in std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2> const&)
Shadow bytes around the buggy address:
  0x0c067fff8040: 00 fa fa fa fd fd fd fd fa fa 00 00 00 01 fa fa
  0x0c067fff8050: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 fa
  0x0c067fff8060: fa fa 00 00 00 fa fa fa 00 00 00 07 fa fa fd fd
  0x0c067fff8070: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8080: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fa
=>0x0c067fff8090: fa fa fd fd[fd]fd fa fa fd fd fd fd fa fa fa fa
  0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==16294==ABORTING

zipped POCs:
libheif.zip
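The trace above shows the object being freed inside interpret_heif_file (heif_context.cc:574 in the "freed by" stack) and written to ten lines later at :584 through set_alpha_channel, i.e. an Image destroyed during interpretation while something still holds a reference to it. The following is an added C++ illustration of that ordering hazard and of a fail-closed fix; it is not libheif code. Image, Context, ItemId, the AuxRefs table and the sample items are hypothetical, and std::weak_ptr stands in for the raw pointer so the stale reference is observable without undefined behaviour:

```cpp
// Added example (not libheif code). It models the ordering hazard the trace shows:
// an Image is destroyed while interpreting the file (the "freed by" stack), and a
// later step writes into it through set_alpha_channel. All names are hypothetical.
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

using ItemId = uint32_t;

struct Image {
    ItemId id = 0;
    bool valid = true;             // false: item failed a check and must be dropped
    std::shared_ptr<Image> alpha;  // owning link keeps the alpha plane alive

    void set_alpha_channel(std::shared_ptr<Image> a) { alpha = std::move(a); }
};

// Constructed stand-in for HEIF 'auxl' references: (colour item, alpha item) pairs.
using AuxRefs = std::vector<std::pair<ItemId, ItemId>>;

struct Context {
    std::map<ItemId, std::shared_ptr<Image>> images;
    std::string error;   // set when interpretation fails
    int dangling = 0;    // references whose target was destroyed before use

    void prune_invalid() {
        for (auto it = images.begin(); it != images.end();) {
            if (!it->second->valid) it = images.erase(it);  // last owner: Image freed here
            else ++it;
        }
    }

    // Buggy order: capture references, then prune, then use the captured references.
    // A raw Image* captured here would point into freed memory after prune_invalid();
    // std::weak_ptr makes the same condition observable without undefined behaviour.
    bool interpret_resolve_then_prune(const AuxRefs& refs) {
        std::vector<std::pair<std::weak_ptr<Image>, std::weak_ptr<Image>>> links;
        for (const auto& [c, a] : refs) {
            if (images.count(c) && images.count(a)) links.emplace_back(images[c], images[a]);
        }
        prune_invalid();
        bool ok = true;
        for (auto& [c, a] : links) {
            auto colour = c.lock(), alpha = a.lock();
            if (!colour || !alpha) { ++dangling; ok = false; continue; }  // would be the UAF
            colour->set_alpha_channel(alpha);
        }
        return ok;
    }

    // Hardened order: prune first, then resolve by ID against the surviving set and
    // fail closed when a reference names an item that no longer exists.
    bool interpret_prune_then_resolve(const AuxRefs& refs) {
        prune_invalid();
        for (const auto& [c, a] : refs) {
            auto colour = images.find(c);
            auto alpha = images.find(a);
            if (colour == images.end() || alpha == images.end()) {
                error = "auxl reference " + std::to_string(c) + "->" + std::to_string(a) +
                        " names an item that was dropped";
                return false;
            }
            colour->second->set_alpha_channel(alpha->second);  // shared_ptr copy, never a raw pointer
        }
        return true;
    }
};

// Build a context from (id, valid) pairs; constructed sample data, not parsed from a file.
Context make_context(const std::vector<std::pair<ItemId, bool>>& items) {
    Context ctx;
    for (const auto& [id, valid] : items) {
        auto img = std::make_shared<Image>();
        img->id = id;
        img->valid = valid;
        ctx.images[id] = img;
    }
    return ctx;
}

// Colour item 1 references alpha item 2, but item 2 fails validation.
int dangling_links_with_buggy_order() {
    Context ctx = make_context({{1, true}, {2, false}});
    ctx.interpret_resolve_then_prune({{1, 2}});
    return ctx.dangling;   // 1: the alpha Image was destroyed before set_alpha_channel ran
}

bool hardened_rejects_dropped_alpha() {
    Context ctx = make_context({{1, true}, {2, false}});
    bool ok = ctx.interpret_prune_then_resolve({{1, 2}});
    return !ok && !ctx.error.empty() && ctx.images.at(1)->alpha == nullptr;
}

bool hardened_links_valid_alpha() {
    Context ctx = make_context({{1, true}, {2, true}});
    bool ok = ctx.interpret_prune_then_resolve({{1, 2}});
    return ok && ctx.images.at(1)->alpha && ctx.images.at(1)->alpha->id == 2;
}
```

When checking a real fix, build with `-fsanitize=address -g` and run the attached POCs: the buggy order in interpret_resolve_then_prune only counts a stale link because it holds a weak_ptr, but the same ordering with a raw Image* is what produces a WRITE into a freed region like the one ASan reports above.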

@fancycode (Member)

Thanks for spotting this!

@fgeek commented Apr 28, 2019

CVE-2019-11471 was assigned for this issue.
