Comments (3)
attritionorg
commented on June 3, 2024
@pprivulet can you include the full ASAN output please?
from ok-file-formats.
brackeen
commented on June 3, 2024
Thank you @pprivulet. These were all caused by EXIF orientation info appearing after the SOF marker. The EXIF orientation info is now ignored if it appears after SOF.
from ok-file-formats.
pprivulet
commented on June 3, 2024
Here are the asan outputs:
- ok_jpg_convert_data_unit_grayscale
$ ./Testjpg bugs/0.fuzz
=================================================================
==26787==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6fdfefb7fc at pc 0x562455ef5043 bp 0x7ffefb83c380 sp 0x7ffefb83c370
WRITE of size 1 at 0x7f6fdfefb7fc thread T0
#0 0x562455ef5042 in ok_jpg_convert_data_unit_grayscale /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:532
#1 0x562455ef5042 in ok_jpg_convert_data_unit /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:612
#2 0x562455eff1e2 in ok_jpg_progressive_finish /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1336
#3 0x562455eff1e2 in ok_jpg_decode2 /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1942
#4 0x562455eff1e2 in ok_jpg_decode /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:2021
#5 0x562455f03591 in ok_jpg_read_with_allocator /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:268
#6 0x562455f036c7 in ok_jpg_read /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:257
#7 0x562455ef266c in main /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/main.c:11
#8 0x7f6fdea52bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#9 0x562455ef24c9 in _start (/home/pan/security_lab/workspace/fuzz/target/ok-file-formats/Testjpg+0x14c9)
0x7f6fdfefb7fc is located 4 bytes to the left of 140800-byte region [0x7f6fdfefb800,0x7f6fdff1de00)
allocated by thread T0 here:
#0 0x7f6fdef00b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x562455ef29b6 in ok_stdlib_alloc /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:55
#2 0x562455efe05f in ok_jpg_read_sof /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1626
#3 0x562455efe05f in ok_jpg_decode2 /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1925
#4 0x562455efe05f in ok_jpg_decode /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:2021
#5 0x562455f03591 in ok_jpg_read_with_allocator /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:268
#6 0x562455f036c7 in ok_jpg_read /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:257
#7 0x562455ef266c in main /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/main.c:11
#8 0x7f6fdea52bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:532 in ok_jpg_convert_data_unit_grayscale
Shadow bytes around the buggy address:
0x0fee7bfd76a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fee7bfd76b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fee7bfd76c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fee7bfd76d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fee7bfd76e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fee7bfd76f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0fee7bfd7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee7bfd7710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee7bfd7720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee7bfd7730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee7bfd7740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26787==ABORTING
- ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/6.fuzz
=================================================================
==30742==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4d4c1d37fc at pc 0x55c4c7b171d0 bp 0x7ffc3fb4b620 sp 0x7ffc3fb4b610
WRITE of size 1 at 0x7f4d4c1d37fc thread T0
#0 0x55c4c7b171cf in ok_jpg_convert_YCbCr_to_RGB /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520
#1 0x55c4c7b171cf in ok_jpg_convert_data_unit_color /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:552
#2 0x55c4c7b171cf in ok_jpg_convert_data_unit /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:614
#3 0x55c4c7b23da0 in ok_jpg_decode_scan /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1289
#4 0x55c4c7b23da0 in ok_jpg_read_sos /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1755
#5 0x55c4c7b23da0 in ok_jpg_decode2 /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1947
#6 0x55c4c7b23da0 in ok_jpg_decode /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:2021
#7 0x55c4c7b25591 in ok_jpg_read_with_allocator /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:268
#8 0x55c4c7b256c7 in ok_jpg_read /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:257
#9 0x55c4c7b1466c in main /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/main.c:11
#10 0x7f4d4f9bfbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#11 0x55c4c7b144c9 in _start (/home/pan/security_lab/workspace/fuzz/target/ok-file-formats/Testjpg+0x14c9)
0x7f4d4c1d37fc is located 4 bytes to the left of 1228800-byte region [0x7f4d4c1d3800,0x7f4d4c2ff800)
allocated by thread T0 here:
#0 0x7f4d4fe6db40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x55c4c7b149b6 in ok_stdlib_alloc /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:55
#2 0x55c4c7b2005f in ok_jpg_read_sof /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1626
#3 0x55c4c7b2005f in ok_jpg_decode2 /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:1925
#4 0x55c4c7b2005f in ok_jpg_decode /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:2021
#5 0x55c4c7b25591 in ok_jpg_read_with_allocator /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:268
#6 0x55c4c7b256c7 in ok_jpg_read /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:257
#7 0x55c4c7b1466c in main /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/main.c:11
#8 0x7f4d4f9bfbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
Shadow bytes around the buggy address:
0x0fea298326a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea298326b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea298326c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea298326d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea298326e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fea298326f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0fea29832700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea29832710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea29832720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea29832730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea29832740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30742==ABORTING
from ok-file-formats.
Related Issues (20)
- Submit wrong.
- heap-buffer-overflow in function ok_jpg_generate_huffman_table() at ok_jpg.c:403 HOT 1
- heap-buffer-overflow in functionok_jpg_convert_YCbCr_to_RGB() at ok_jpg.c:513 HOT 1
- heap-buffer-overflow in ok_csv_circular_buffer_read() at ok_csv.c:95 HOT 3
- heap-buffer-overflow in function ok_wav_decode_ms_adpcm_data() at ok_wav.c:793 HOT 1
- heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:712:13 HOT 1
- heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:641 HOT 1
- heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:533:20 HOT 1
- heap-buffer-overflow in ‘/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3’ HOT 1
- heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:494:20 HOT 1
- A heap-buffer-overflow detected in ok_wav.c:613 HOT 1
- A heap-buffer-overflow detected in ok_wav.c:627 HOT 1
- A Endless-Loop detected in ok_wav.c:ok_wav_decode_caf_file HOT 1
- heap-buffer-overflow in ok-file-formats/ok_wav.c:742 ok_wav_decode_ms_adpcm_data() HOT 7
- heap-buffer-overflow in /ok-file-formats/ok_csv.c:448 ok_csv_decode2()
- heap-buffer-overflow in /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:301 ok_mo_decode2()
- heap-buffer-overflow in function ok_jpg_decode_block_subsequent_scan() at ok_jpg.c:1102 HOT 2
- heap-buffer-overflow in function ok_jpg_decode_block_progressive() at ok_jpg.c:1054 HOT 1
- Byte array instead of file as input HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ok-file-formats.