
FPE in box.cc - heif::Fraction::round() #794

Closed
skensita opened this issue Mar 6, 2023 · 5 comments

Comments

@skensita

skensita commented Mar 6, 2023

Tested version:
libheif-1.15.1

Description of the bug:
A floating point exception is triggered when processing a crafted HEIF image, caused by a divide-by-zero error, which leads to a crash.
This can be used for denial of service attacks.

Steps to reproduce the bug:
Compile with Address Sanitizer (ASan):
./fuzzer ./poc.heif

Address Sanitizer log:

min@skensita:~/heif/fuzzer$ ./fuzzer dbg/classifiedCrashes/7e74fe547c83f1da6453572ddfe6832d1da6109c
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8030==ERROR: AddressSanitizer: FPE on unknown address 0x55722e2d29ed (pc 0x55722e2d29ed bp 0x7ffebc2cd170 sp 0x7ffebc2cd160 T0)
    #0 0x55722e2d29ec in heif::Fraction::round() const (/home/min/heif/fuzzer/fuzzer+0x1189ec)
    #1 0x55722e2f32da in heif::Box_clap::bottom_rounded(int) const (/home/min/heif/fuzzer/fuzzer+0x1392da)
    #2 0x55722e22568c in heif::HeifContext::decode_image_planar(unsigned int, std::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_decoding_options const*, bool) const (/home/min/heif/fuzzer/fuzzer+0x6b68c)
    #3 0x55722e222609 in heif::HeifContext::decode_image_user(unsigned int, std::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const*) const (/home/min/heif/fuzzer/fuzzer+0x68609)
    #4 0x55722e1dd8dc in heif_decode_image (/home/min/heif/fuzzer/fuzzer+0x238dc)
    #5 0x55722e1d46fa in TestDecodeImage(heif_context*, heif_image_handle const*) (/home/min/heif/fuzzer/fuzzer+0x1a6fa)
    #6 0x55722e1d4c4c in main (/home/min/heif/fuzzer/fuzzer+0x1ac4c)
    #7 0x7fed2bb83082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55722e1d42bd in _start (/home/min/heif/fuzzer/fuzzer+0x1a2bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/home/min/heif/fuzzer/fuzzer+0x1189ec) in heif::Fraction::round() const
==8030==ABORTING

Please check the attached POC.

POC.zip
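The stack trace above shows the division happening inside Fraction::round(), reached from Box_clap::bottom_rounded(): a denominator of zero read straight from the 'clap' box in the file is never checked before it is divided by. The following is an added illustration, not libheif's own code and not the fix in e05e15b: a minimal Fraction with a round() that assumes a non-zero denominator, a clap-like box whose bottom_rounded() follows the clean-aperture geometry from ISO/IEC 14496-12, and a parse step that rejects any non-positive denominator before any arithmetic can run. The field order, struct names and error strings are assumptions chosen for this example.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <string>

// Minimal fraction in the spirit of heif::Fraction (constructed, not libheif's type).
struct Fraction {
    int64_t numerator = 0;
    int64_t denominator = 1;

    // Precondition: denominator > 0. Integer division by zero is undefined
    // behaviour in C++ and traps with SIGFPE on x86, which is the crash reported.
    // Rounds half up for non-negative values.
    int64_t round() const {
        return (numerator + denominator / 2) / denominator;
    }

    // Sum of two fractions; int64 intermediates cover 32-bit box fields.
    Fraction plus(const Fraction& o) const {
        return {numerator * o.denominator + o.numerator * denominator,
                denominator * o.denominator};
    }
};

// Clean-aperture box (constructed stand-in for heif::Box_clap).
struct ClapBox {
    Fraction width, height, horizontal_offset, vertical_offset;

    // Bottom edge (inclusive) of the clean aperture for a frame of the given
    // height, following the CLAP definition in ISO/IEC 14496-12:
    //   centre_y = vertOff + (frameHeight - 1) / 2
    //   bottom   = centre_y + (cleanApertureHeight - 1) / 2
    int64_t bottom_rounded(int64_t frame_height) const {
        Fraction centre = vertical_offset.plus(Fraction{frame_height - 1, 2});
        // (n/d - 1) / 2 == (n - d) / (2d)
        Fraction half_height{height.numerator - height.denominator, 2 * height.denominator};
        return centre.plus(half_height).round();
    }
};

struct ClapParseResult {
    bool ok = false;
    std::string error;
    ClapBox box;
};

// The 'clap' payload is eight signed 32-bit integers: four (numerator,
// denominator) pairs. Every denominator is validated here, so no later
// call to round() can divide by zero on attacker-controlled input.
ClapParseResult parse_clap(const std::array<int32_t, 8>& fields) {
    ClapParseResult r;
    static const char* names[4] = {"cleanApertureWidth", "cleanApertureHeight",
                                   "horizOff", "vertOff"};
    Fraction* slots[4] = {&r.box.width, &r.box.height,
                          &r.box.horizontal_offset, &r.box.vertical_offset};
    for (int i = 0; i < 4; i++) {
        int32_t n = fields[2 * i];
        int32_t d = fields[2 * i + 1];
        if (d <= 0) {
            r.error = std::string("clap: ") + names[i] + " has non-positive denominator";
            return r;  // reject the file; nothing downstream may divide by d
        }
        *slots[i] = Fraction{n, d};
    }
    if (r.box.width.numerator <= 0 || r.box.height.numerator <= 0) {
        r.error = "clap: aperture width and height must be positive";
        return r;
    }
    r.ok = true;
    return r;
}

int main() {
    // Constructed sample: 100x50 aperture, no offset, 100-pixel-high frame.
    ClapParseResult good = parse_clap({100, 1, 50, 1, 0, 1, 0, 1});
    std::printf("valid clap: ok=%d bottom=%lld\n", good.ok,
                (long long)good.box.bottom_rounded(100));

    // Constructed sample with a zero width denominator, the shape of the crash.
    ClapParseResult bad = parse_clap({100, 0, 50, 1, 0, 1, 0, 1});
    std::printf("crafted clap: ok=%d error=%s\n", bad.ok, bad.error.c_str());
    return 0;
}
```

The check lives in the parser rather than in round() because a zero denominator is a malformed file, not a value the geometry code can do anything sensible with; rejecting it at parse time also covers every other consumer of those fields. The example does not guard the int64 intermediates against overflow for extreme 32-bit inputs, which a production parser would also need to bound.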

@farindk farindk closed this as completed in e05e15b Mar 6, 2023
@farindk
Contributor

farindk commented Mar 6, 2023

Thank you

@skensita
Author

skensita commented Mar 6, 2023

Can I get a CVE for this patch?

@farindk
Contributor

farindk commented Mar 6, 2023

I am not familiar with the CVE process. If you want, you can register it yourself.

@skensita
Author

skensita commented Mar 6, 2023

Thank you for the quick response.

@rathann

rathann commented May 5, 2023

FYI, this is CVE-2023-29659 (assigned by Red Hat).
