brackeen / ok-file-formats

Decoders for PNG, JPEG, WAV, and a few other file formats

License: MIT License

Objective-C 1.30% C 91.39% CMake 6.35% Batchfile 0.16% Shell 0.55% VBScript 0.25%
c png jpg fnt mo csv wav caf

ok-file-formats's Issues

heap-buffer-overflow in ok-file-formats/ok_wav.c:742 ok_wav_decode_ms_adpcm_data()

Test Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Test Program

#include <stdio.h>
#include "ok_wav.h"

int main(int _argc, char **_argv) {
    if (_argc < 2) return 1;                  /* need the path of the WAV file to decode */
    FILE *file = fopen(_argv[1], "rb");
    if (!file) return 1;
    ok_wav *image = ok_wav_read(file, 0);     /* decode the (fuzzed) WAV file */
    fclose(file);
    ok_wav_free(image);
    return 0;
}

$ gcc -o wav_decode  wav_decode.c ok_wav.h ok_wav.c

Asan Debug Information

ok-file-formats git:(master) ✗ ./wav_decode-asan ./wav_out/crashes/id:000000,sig:06,src:000016,op:arith8,pos:38,val:-1 
=================================================================
==50264==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005824 at pc 0x00000040b2e0 bp 0x7ffc94e053b0 sp 0x7ffc94e053a0
WRITE of size 2 at 0x62a000005824 thread T0
    #0 0x40b2df in ok_wav_decode_ms_adpcm_data /home/moonagirl/megic_afl/ok-file-formats/ok_wav.c:742
    #1 0x40b2df in ok_wav_decode_data /home/moonagirl/megic_afl/ok-file-formats/ok_wav.c:861
    #2 0x40e6ba in ok_wav_decode_wav_file /home/moonagirl/megic_afl/ok-file-formats/ok_wav.c:981
    #3 0x40f8b4 in ok_wav_decode /home/moonagirl/megic_afl/ok-file-formats/ok_wav.c:1138
    #4 0x40f8b4 in ok_wav_read /home/moonagirl/megic_afl/ok-file-formats/ok_wav.c:114
    #5 0x400ffc in main /home/moonagirl/megic_afl/ok-file-formats/wav_decode.c:6
    #6 0x7f0f2cee882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x401108 in _start (/home/moonagirl/megic_afl/ok-file-formats/wav_decode-asan+0x401108)

0x62a000005824 is located 0 bytes to the right of 22052-byte region [0x62a000000200,0x62a000005824)
allocated by thread T0 here:
    #0 0x7f0f2d32a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4099b0 in ok_wav_decode_ms_adpcm_data /home/moonagirl/megic_afl/ok-file-formats/ok_wav.c:689
    #2 0x4099b0 in ok_wav_decode_data /home/moonagirl/megic_afl/ok-file-formats/ok_wav.c:861

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moonagirl/megic_afl/ok-file-formats/ok_wav.c:742 ok_wav_decode_ms_adpcm_data
Shadow bytes around the buggy address:
  0x0c547fff8ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff8ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff8ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff8ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff8af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fff8b00: 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff8b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==50264==ABORTING

POC file

https://github.com/moonAgirl/Bugs/blob/master/ok-file-formats/2018-12-31-01-heap-buffer-overflow.wav

bugs found in ok_jpg_convert_data_unit_grayscale and ok_jpg_convert_YCbCr_to_RGB via honggfuzz

Test code:

#include <stdio.h>
#include <stdlib.h>
#include "ok_jpg.h"


int main(int argc, char **argv) {
    if(argc<2) return 0;

    FILE *file = fopen(argv[1], "rb");
    if (!file) return 1;                      /* unreadable input path */

    /* decode the (fuzzed) JPEG as RGBA, flipped vertically */
    ok_jpg image = ok_jpg_read(file, OK_JPG_COLOR_FORMAT_RGBA | OK_JPG_FLIP_Y);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Tools: honggfuzz 2.4

Target version: master-20210910

Result:

$ ./Testjpg bugs/0.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:532 in ok_jpg_convert_data_unit_grayscale
$ ./Testjpg bugs/1.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:532 in ok_jpg_convert_data_unit_grayscale
$ ./Testjpg bugs/2.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/3.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/4.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/5.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB
$ ./Testjpg bugs/6.fuzz 2>&1 | grep SUMMARY
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pan/security_lab/workspace/fuzz/target/ok-file-formats/ok_jpg.c:520 in ok_jpg_convert_YCbCr_to_RGB

Here are the PoC files.

heap-buffer-overflow in function ok_jpg_convert_YCbCr_to_RGB() at ok_jpg.c:513

Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Environment

Ubuntu 18.04, 64bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_jpg.h"
#include "ok_jpg.c"

int main(int _argc, char **_argv) {
    if (_argc < 2) return 1;                  /* need the path of the JPEG file to decode */
    FILE *file = fopen(_argv[1], "rb");       /* the path argument, not the literal string "_argv[1]" */
    if (!file) return 1;
    ok_jpg image = ok_jpg_read(file, OK_JPG_COLOR_FORMAT_RGBA);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

Compile test program:

$ gcc -g -o main main.c ok_jpg.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -fno-omit-frame-pointer -O1 -o Asanjpg main.c ok_jpg.h

Result

The result of running without ASAN:

$ ./main heap-buffer-overflow-2.jpg
double free or corruption (!prev)
Aborted

Information obtained by using ASAN:

$ ./Asanjpg heap-buffer-overflow-2.jpg
=================================================================
==3402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000024c at pc 0x5632c5205ffb bp 0x7ffc939581c0 sp 0x7ffc939581b0
WRITE of size 1 at 0x63000000024c thread T0
    #0 0x5632c5205ffa in ok_jpg_convert_YCbCr_to_RGB /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:513
    #1 0x5632c5205ffa in ok_jpg_convert_data_unit_color /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:545
    #2 0x5632c5205ffa in ok_jpg_convert_data_unit /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:607
    #3 0x5632c5212c3d in ok_jpg_decode_scan /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1276
    #4 0x5632c5212c3d in ok_jpg_read_sos /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1742
    #5 0x5632c5212c3d in ok_jpg_decode2 /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1930
    #6 0x5632c5212c3d in ok_jpg_decode /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:2004
    #7 0x5632c52142dc in ok_jpg_read_with_allocator /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:268
    #8 0x5632c5214412 in ok_jpg_read /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:257
    #9 0x5632c52146b1 in main /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/main.c:10
    #10 0x7f0ab88adbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5632c5203499 in _start (/home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/Asanjpg+0x1499)

0x63000000024c is located 436 bytes to the left of 60000-byte region [0x630000000400,0x63000000ee60)
allocated by thread T0 here:
    #0 0x7f0ab8d5bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5632c52037e1 in ok_stdlib_alloc /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:55
    #2 0x5632c520ed69 in ok_jpg_read_sof /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1613
    #3 0x5632c520ed69 in ok_jpg_decode2 /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:1910
    #4 0x5632c520ed69 in ok_jpg_decode /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:2004
    #5 0x5632c52142dc in ok_jpg_read_with_allocator /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:268
    #6 0x5632c5214412 in ok_jpg_read /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:257
    #7 0x5632c52146b1 in main /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/main.c:10
    #8 0x7f0ab88adbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok_jpg.c:513 in ok_jpg_convert_YCbCr_to_RGB
Shadow bytes around the buggy address:
  0x0c607fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c607fff8040: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c607fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3402==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_jpg_convert_YCbCr_to_RGB() at ok_jpg.c:513

Poc

Poc file is this.

heap-buffer-overflow in function ok_jpg_generate_huffman_table() at ok_jpg.c:403

Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Environment

Ubuntu 18.04, 64bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_jpg.h"
#include "ok_jpg.c"

int main(int _argc, char **_argv) {
    if (_argc < 2) return 1;                  /* need the path of the JPEG file to decode */
    FILE *file = fopen(_argv[1], "rb");       /* the path argument, not the literal string "_argv[1]" */
    if (!file) return 1;
    ok_jpg image = ok_jpg_read(file, OK_JPG_COLOR_FORMAT_RGBA);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

$ gcc -g -o main main.c ok_jpg.h
$ ./main heap-buffer-overflow-1.jpg

Result

Got image! Size: 0 x 0

Although the result of the run looks correct, when I used our vulnerability detection tool I found that a heap buffer overflow occurred at line 403. See Description for a detailed description.

Description

When I used gdb for debugging with the following command:

(gdb) b 1989
(gdb) p decoder
$1 = (ok_jpg_decoder *) 0x55555575e490
(gdb) p sizeof(ok_jpg_decoder)
$2 = 52376

The commands above give the start address and size of the decoder, which means the valid address range of the decoder is [0x55555575e490,0x55555576b128].

(gdb) b 403
(gdb) p &huff->code[j - 1]
$2 = (uint16_t *) 0x55555576b2d2

It can be seen from the code context that huff points into decoder, and the address 0x55555576b2d2 accessed through huff is not in the valid range [0x55555575e490,0x55555576b128]. So a heap buffer overflow occurs in function ok_jpg_generate_huffman_table() at ok_jpg.c:403.

Note: You can use ASAN for more direct verification.

Poc

Poc file is this.
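The report above says the Huffman table generator indexes huff->code past the end of the decoder struct. As an added illustration, which is not the project's code and makes no claim about the exact cause of that bug, here is a stand-alone DHT segment parser that checks every read against the bytes actually available, caps the symbol count at 256 before copying anything into the fixed-size table, and rejects over-subscribed tables while generating codes (JPEG Annex C). The huff_table layout, the status codes and the check_* helpers are this example's own assumptions; the sample segment is the standard luminance DC table from JPEG Annex K.3.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HUFF_MAX_CODES 256            /* a DHT table defines at most 256 symbols */

typedef struct {
    uint8_t  count[16];               /* BITS: codes of each length 1..16 */
    uint8_t  value[HUFF_MAX_CODES];   /* HUFFVAL */
    uint16_t code[HUFF_MAX_CODES];    /* HUFFCODE (generated) */
    uint8_t  size[HUFF_MAX_CODES];    /* HUFFSIZE (generated) */
    int      n;                       /* symbols actually defined */
} huff_table;

typedef enum { DHT_OK = 0, DHT_TRUNCATED, DHT_BAD_ID, DHT_TOO_MANY_CODES, DHT_OVERSUBSCRIBED } dht_status;

/* Generate HUFFSIZE/HUFFCODE (JPEG Annex C.2, C.3).  The extra check rejects a
   table that assigns more codes of some length than that length can hold; a
   generator that trusts the counts would keep writing past the arrays. */
dht_status huff_generate(huff_table *t) {
    int k = 0;
    unsigned code = 0;
    for (int len = 1; len <= 16; len++) {
        if (code + t->count[len - 1] > (1u << len)) return DHT_OVERSUBSCRIBED;
        for (int i = 0; i < t->count[len - 1]; i++, k++) {
            t->code[k] = (uint16_t)code++;
            t->size[k] = (uint8_t)len;
        }
        code <<= 1;
    }
    t->n = k;
    return DHT_OK;
}

/* Parse one DHT segment: Lh, then {Tc/Th, 16 counts, values} repeated.  p points
   just after the 0xFFC4 marker and avail is what is left of the file, so every
   read is checked before it happens and the symbol count is capped before any
   value is copied into the fixed-size table. */
dht_status parse_dht(const uint8_t *p, size_t avail, huff_table tables[2][4], int *parsed) {
    *parsed = 0;
    if (avail < 2) return DHT_TRUNCATED;
    size_t len = ((size_t)p[0] << 8) | p[1];
    if (len < 2 || len > avail) return DHT_TRUNCATED;
    for (size_t pos = 2; pos < len; ) {
        if (len - pos < 17) return DHT_TRUNCATED;             /* Tc/Th byte + 16 counts */
        int tc = p[pos] >> 4, th = p[pos] & 0x0F;
        if (tc > 1 || th > 3) return DHT_BAD_ID;               /* DC/AC, table ids 0..3 */
        huff_table *t = &tables[tc][th];
        memset(t, 0, sizeof *t);
        int total = 0;
        for (int i = 0; i < 16; i++) total += (t->count[i] = p[pos + 1 + i]);
        if (total > HUFF_MAX_CODES) return DHT_TOO_MANY_CODES; /* would overrun value[]/code[] */
        if (len - pos - 17 < (size_t)total) return DHT_TRUNCATED;
        memcpy(t->value, p + pos + 17, (size_t)total);
        dht_status s = huff_generate(t);
        if (s != DHT_OK) return s;
        pos += 17 + (size_t)total;
        (*parsed)++;
    }
    return DHT_OK;
}

/* Constructed sample: the standard luminance DC table (JPEG Annex K.3) as a DHT
   segment: Lh = 31, Tc/Th = 0, 16 counts, 12 values. */
static const uint8_t dc_lum_dht[31] = {
    0x00, 0x1F, 0x00,
    0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0,
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
};

/* Generated code for symbol k of the sample table, or -1 if parsing fails. */
int check_standard_table_code(int k) {
    huff_table tables[2][4]; int n;
    if (parse_dht(dc_lum_dht, sizeof dc_lum_dht, tables, &n) != DHT_OK) return -1;
    return k < tables[0][0].n ? tables[0][0].code[k] : -1;
}

/* Four 2-bit codes exhaust length 2, so a further 3-bit code cannot exist. */
dht_status check_oversubscribed(void) {
    const uint8_t seg[24] = { 0x00, 0x18, 0x00,
                              0, 4, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                              1, 2, 3, 4, 5 };
    huff_table tables[2][4]; int n;
    return parse_dht(seg, sizeof seg, tables, &n);
}

/* Counts summing to 510 symbols: rejected before a single value byte is copied. */
dht_status check_too_many_codes(void) {
    const uint8_t seg[19] = { 0x00, 0x13, 0x00,
                              0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255 };
    huff_table tables[2][4]; int n;
    return parse_dht(seg, sizeof seg, tables, &n);
}

/* The segment claims 31 bytes but only 20 are available. */
dht_status check_truncated(void) {
    huff_table tables[2][4]; int n;
    return parse_dht(dc_lum_dht, 20, tables, &n);
}

int main(void) {
    printf("code[0]=%d code[11]=%d oversubscribed=%d too_many=%d truncated=%d\n",
           check_standard_table_code(0), check_standard_table_code(11),
           check_oversubscribed(), check_too_many_codes(), check_truncated());
    return 0;
}
```

The Kraft-style check in huff_generate is what keeps a hostile BITS array from producing more codes than fit: once four 2-bit codes are assigned, every longer length starts at code 2^len and any further symbol fails the comparison, so k can never exceed the sum of counts that parse_dht already bounded at 256.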

heap-buffer-overflow in ‘/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3’

Version

203defd

Environment

Ubuntu 18.04,64 bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_png.c"
#include "ok_png.h"

int main(int _argc, char **_argv) {
    if (_argc < 2) return 1;                  /* need the path of the PNG file to decode */
    FILE *file = fopen(_argv[1], "rb");
    if (!file) return 1;
    ok_png image = ok_png_read(file, OK_PNG_COLOR_FORMAT_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

Compile test program:

$ gcc -g -o main main.c ok_png.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -o asanpng main.c ok_png.h

Result

The result of running without ASAN:

$ ./main heap-buffer-overflow-6.png
free(): invalid pointer
Aborted (core dumped)

Information obtained by using ASAN:

$ ./asanpng heap-buffer-overflow-6.png
=================================================================
==80024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000cff1 at pc 0x7fa588189dc4 bp 0x7ffcdbf9eeb0 sp 0x7ffcdbf9e658
WRITE of size 769 at 0x60d00000cff1 thread T0
    #0 0x7fa588189dc3  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3)
    #1 0x562d30f5a72f in ok_png_read_data /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:853
    #2 0x562d30f5b15d in ok_png_decode2 /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:971
    #3 0x562d30f5b608 in ok_png_decode /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:1025
    #4 0x562d30f542f3 in ok_png_read_with_allocator /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:188
    #5 0x562d30f541cf in ok_png_read /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:177
    #6 0x562d30f607d7 in main /home/xrz/afl++/ok-file-formats-png/issues/main.c:8
    #7 0x7fa587d72b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x562d30f53d79 in _start (/home/xrz/afl++/ok-file-formats-png/issues/heap-buffer-overflow-6/asanpng+0x1d79)

0x60d00000cff1 is located 0 bytes to the right of 129-byte region [0x60d00000cf70,0x60d00000cff1)
allocated by thread T0 here:
    #0 0x7fa588208e80 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6e80)
    #1 0x562d30f53e9b in ok_stdlib_alloc /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:58
    #2 0x562d30f59e7c in ok_png_read_data /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:788
    #3 0x562d30f5b15d in ok_png_decode2 /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:971
    #4 0x562d30f5b608 in ok_png_decode /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:1025
    #5 0x562d30f542f3 in ok_png_read_with_allocator /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:188
    #6 0x562d30f541cf in ok_png_read /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:177
    #7 0x562d30f607d7 in main /home/xrz/afl++/ok-file-formats-png/issues/main.c:8
    #8 0x7fa587d72b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3) 
Shadow bytes around the buggy address:
  0x0c1a7fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff99e0: 00 00 00 00 01 fa fa fa fa fa fa fa fa fa 00 00
=>0x0c1a7fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
  0x0c1a7fff9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==80024==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in ‘/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3’.

Poc

Poc file is this.

heap-buffer-overflow in ok_png_read_data

Decoding the attached PNG file, we can easily find a heap-buffer-overflow.

77.zip

=================================================================
==9877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000000f1 at pc 0x0000004e3a9c bp 0x7ffd68111290 sp 0x7ffd68110a40
WRITE of size 134217733 at 0x6040000000f1 thread T0
    #0 0x4e3a9b in __asan_memset /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27
    #1 0x52bf24 in ok_png_read_data /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/ok_png.c:814:17
    #2 0x52bf24 in ok_png_decode2 /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/ok_png.c:925
    #3 0x52bf24 in ok_png_decode /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/ok_png.c:981
    #4 0x526274 in ok_png_read /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/ok_png.c:159:12
    #5 0x52609d in main /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/fuzzer_png.c:6:21
    #6 0x7f33ff5b5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41a739 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/fuzzer_png+0x41a739)

0x6040000000f1 is located 0 bytes to the right of 33-byte region [0x6040000000d0,0x6040000000f1)
allocated by thread T0 here:
    #0 0x4e4a67 in malloc /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x529a2a in ok_png_read_data /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/ok_png.c:756:34
    #2 0x529a2a in ok_png_decode2 /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/ok_png.c:925
    #3 0x529a2a in ok_png_decode /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/ok_png.c:981
    #4 0x526274 in ok_png_read /home/t/Projects/afl/fuzzing-experiments/subjects/ok-file-formats/ok_png.c:159:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27 in __asan_memset
Shadow bytes around the buggy address:
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff8000: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 07
=>0x0c087fff8010: fa fa 00 00 00 00 01 fa fa fa 00 00 00 00[01]fa
  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==9877==ABORTING
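The two PNG reports above both end in ok_png_read_data writing far past a small heap region (769 bytes past a 129-byte region, and a 134217733-byte memset past a 33-byte region). As an added example, which is not the project's code and does not state the root cause of either report, here is a stand-alone IHDR parser that checks the chunk length and CRC before trusting a single header field, validates the bit-depth/colour-type combination against the PNG specification, and computes the raw buffer size in 64-bit arithmetic against a hard cap before anything is allocated. The type and function names, the 1 GiB cap and the build_png_header helper that constructs the sample inputs are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    PNG_OK = 0, PNG_TRUNCATED, PNG_BAD_SIGNATURE, PNG_BAD_CHUNK, PNG_BAD_CRC,
    PNG_BAD_DIMENSIONS, PNG_BAD_FORMAT, PNG_TOO_LARGE
} png_status;

typedef struct {
    uint32_t width, height;
    uint8_t depth, color_type, interlace, channels;
} png_ihdr;

static const uint8_t png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };

/* CRC-32 as used by PNG (reflected, polynomial 0xEDB88320), bitwise form. */
uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse signature + IHDR from buf, checking every read against len, the CRC,
   and the depth/colour-type combinations allowed by the PNG spec (11.2.2). */
png_status png_parse_ihdr(const uint8_t *buf, size_t len, png_ihdr *h) {
    if (len < 8 + 4 + 4 + 13 + 4) return PNG_TRUNCATED;
    if (memcmp(buf, png_sig, 8) != 0) return PNG_BAD_SIGNATURE;
    const uint8_t *chunk = buf + 8;
    if (be32(chunk) != 13 || memcmp(chunk + 4, "IHDR", 4) != 0) return PNG_BAD_CHUNK;
    if (crc32_bytes(chunk + 4, 4 + 13) != be32(chunk + 8 + 13)) return PNG_BAD_CRC;
    const uint8_t *d = chunk + 8;
    h->width = be32(d);  h->height = be32(d + 4);
    h->depth = d[8];     h->color_type = d[9];   h->interlace = d[12];
    if (d[10] != 0 || d[11] != 0 || h->interlace > 1) return PNG_BAD_FORMAT;
    if (h->width == 0 || h->height == 0 || h->width > 0x7FFFFFFFu || h->height > 0x7FFFFFFFu)
        return PNG_BAD_DIMENSIONS;
    unsigned allowed;                     /* bit mask of permitted depths */
    switch (h->color_type) {
        case 0: allowed = 1 | 2 | 4 | 8 | 16; h->channels = 1; break;
        case 2: allowed = 8 | 16;             h->channels = 3; break;
        case 3: allowed = 1 | 2 | 4 | 8;      h->channels = 1; break;
        case 4: allowed = 8 | 16;             h->channels = 2; break;
        case 6: allowed = 8 | 16;             h->channels = 4; break;
        default: return PNG_BAD_FORMAT;
    }
    unsigned dp = h->depth;
    if (!(dp == 1 || dp == 2 || dp == 4 || dp == 8 || dp == 16) || !(allowed & dp)) return PNG_BAD_FORMAT;
    return PNG_OK;
}

/* Bytes needed for the raw non-interlaced image: per row, one filter byte plus
   ceil(width * channels * depth / 8).  Computed in 64-bit and capped at
   max_bytes so a huge header cannot wrap the size into a small allocation. */
png_status png_raw_size(const png_ihdr *h, size_t max_bytes, size_t *out) {
    uint64_t bits = (uint64_t)h->width * h->channels * h->depth;   /* < 2^31 * 64, no overflow */
    uint64_t row = (bits + 7) / 8 + 1;
    if ((uint64_t)max_bytes / row < h->height) return PNG_TOO_LARGE; /* row * height > max_bytes */
    *out = (size_t)(row * h->height);
    return PNG_OK;
}

/* Build signature + IHDR with a correct CRC (constructed input for the checks). */
size_t build_png_header(uint8_t out[33], uint32_t w, uint32_t hgt, uint8_t depth, uint8_t ct) {
    memcpy(out, png_sig, 8);
    uint8_t *c = out + 8;
    put32(c, 13); memcpy(c + 4, "IHDR", 4);
    put32(c + 8, w); put32(c + 12, hgt);
    c[16] = depth; c[17] = ct; c[18] = 0; c[19] = 0; c[20] = 0;
    put32(c + 21, crc32_bytes(c + 4, 17));
    return 33;
}

/* Raw buffer size for a header, or the negated png_status when it is rejected. */
long check_raw_size(uint32_t w, uint32_t hgt, uint8_t depth, uint8_t ct) {
    uint8_t hdr[33]; png_ihdr ih; size_t size = 0;
    build_png_header(hdr, w, hgt, depth, ct);
    png_status s = png_parse_ihdr(hdr, sizeof hdr, &ih);
    if (s == PNG_OK) s = png_raw_size(&ih, (size_t)1 << 30, &size);   /* 1 GiB cap (assumed) */
    return s == PNG_OK ? (long)size : -(long)s;
}

/* A single corrupted IHDR byte must be caught by the CRC before it is trusted. */
png_status check_corrupt_crc(void) {
    uint8_t hdr[33]; png_ihdr ih;
    build_png_header(hdr, 2, 2, 8, 6);
    hdr[8 + 8 + 3] ^= 0x80;             /* flip a bit in the width field */
    return png_parse_ihdr(hdr, sizeof hdr, &ih);
}

int main(void) {
    printf("2x2 RGBA8 -> %ld bytes, 2^31-1 square -> %ld, corrupt CRC -> %d\n",
           check_raw_size(2, 2, 8, 6), check_raw_size(0x7FFFFFFFu, 0x7FFFFFFFu, 8, 6), check_corrupt_crc());
    return 0;
}
```

The division in png_raw_size is the important line: row * height can reach 2^65 for a hostile header, so the code never forms that product before comparing it with the cap, and the allocation that would follow is sized from a value that has already been bounded.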

A heap-buffer-overflow detected in ok_wav.c:613

Hello,
I found a heap buffer overflow in ok_wav.c: ok_wav_decode_ms_ima_adpcm_data, line 613.
In detail, my testcase's input size is 2, but at line 613 the code accesses input[2], so this is an out-of-range access.
The AddressSanitizer report is as follows:
=================================================================
==2819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000032 at pc 0x561bab18f205 bp 0x7ffe9b880ec0 sp 0x7ffe9b880eb0
READ of size 1 at 0x602000000032 thread T0
#0 0x561bab18f204 in ok_wav_decode_ms_ima_adpcm_data (a.out+0x6204)
#1 0x561bab191550 in ok_wav_decode_data (a.out+0x8550)
#2 0x561bab192452 in ok_wav_decode_wav_file (a.out+0x9452)
#3 0x561bab193718 in ok_wav_decode (a.out+0xa718)
#4 0x561bab18bb43 in ok_wav_read_with_allocator (a.out+0x2b43)
#5 0x561bab18b9a4 in ok_wav_read (a.out+0x29a4)
#6 0x561bab1939de in main (a.out+0xa9de)
#7 0x7f719902e082 in __libc_start_main ../csu/libc-start.c:308
#8 0x561bab18b40d in _start (a.out+0x240d)

0x602000000032 is located 0 bytes to the right of 2-byte region [0x602000000030,0x602000000032)
allocated by thread T0 here:
#0 0x7f7199309808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x561bab18b6d7 in ok_stdlib_alloc (a.out+0x26d7)
#2 0x561bab18ee47 in ok_wav_decode_ms_ima_adpcm_data (a.out+0x5e47)
#3 0x561bab191550 in ok_wav_decode_data (a.out+0x8550)
#4 0x561bab192452 in ok_wav_decode_wav_file (a.out+0x9452)
#5 0x561bab193718 in ok_wav_decode (a.out+0xa718)
#6 0x561bab18bb43 in ok_wav_read_with_allocator (a.out+0x2b43)
#7 0x561bab18b9a4 in ok_wav_read (a.out+0x29a4)
#8 0x561bab1939de in main (a.out+0xa9de)
#9 0x7f719902e082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow (a.out+0x6204) in ok_wav_decode_ms_ima_adpcm_data
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa[02]fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2819==ABORTING
The testcase that triggers this I'll upload to my GitHub soon.

heap-buffer-overflow in function ok_wav_decode_ms_adpcm_data() at ok_wav.c:793

Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Environment

Ubuntu 16.04, 64bit

Testcase

#include "ok_wav.h"
#include <stdio.h>
#include <stdlib.h>

int main() {
    ok_wav wav = ok_wav_read(stdin, OK_WAV_DEFAULT_DECODE_FLAGS);
    if (wav.error_code) {
        fprintf(stderr, "Error code: %i\n", wav.error_code);
    }
    free(wav.data);

    return 0;
}

Command

Compile test program:

$ gcc -g -o test_wav_read test_wav_read.c ok_wav.c

Compile test program with address sanitizer with this command:

$ gcc -fsanitize=address -g -o test_wav_read_asan test_wav_read.c ok_wav.c

Result

The result of running without ASAN:

$ ./test_wav_read < heap-buffer-overflow.wav 
*** Error in `./test_wav_read': corrupted size vs. prev_size: 0x00000000018a5660 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777f5)[0x7fe95b9fe7f5]
/lib/x86_64-linux-gnu/libc.so.6(+0x80e0b)[0x7fe95ba07e0b]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fe95ba0b58c]
./test_wav_read[0x400936]
./test_wav_read[0x4023ac]
./test_wav_read[0x402793]
./test_wav_read[0x402db7]
./test_wav_read[0x40348f]
./test_wav_read[0x400b4e]
./test_wav_read[0x400aa8]
./test_wav_read[0x4007e8]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fe95b9a7840]
./test_wav_read[0x4006e9]
======= Memory map: ========
00400000-00405000 r-xp 00000000 08:01 996278                             /home/hdthky/libraries/ok-file-formats/test_wav_read
00604000-00605000 r--p 00004000 08:01 996278                             /home/hdthky/libraries/ok-file-formats/test_wav_read
00605000-00606000 rw-p 00005000 08:01 996278                             /home/hdthky/libraries/ok-file-formats/test_wav_read
018a4000-018c6000 rw-p 00000000 00:00 0                                  [heap]
7fe954000000-7fe954021000 rw-p 00000000 00:00 0 
7fe954021000-7fe958000000 ---p 00000000 00:00 0 
7fe95b771000-7fe95b787000 r-xp 00000000 08:01 398755                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fe95b787000-7fe95b986000 ---p 00016000 08:01 398755                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fe95b986000-7fe95b987000 rw-p 00015000 08:01 398755                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7fe95b987000-7fe95bb47000 r-xp 00000000 08:01 416478                     /lib/x86_64-linux-gnu/libc-2.23.so
7fe95bb47000-7fe95bd47000 ---p 001c0000 08:01 416478                     /lib/x86_64-linux-gnu/libc-2.23.so
7fe95bd47000-7fe95bd4b000 r--p 001c0000 08:01 416478                     /lib/x86_64-linux-gnu/libc-2.23.so
7fe95bd4b000-7fe95bd4d000 rw-p 001c4000 08:01 416478                     /lib/x86_64-linux-gnu/libc-2.23.so
7fe95bd4d000-7fe95bd51000 rw-p 00000000 00:00 0 
7fe95bd51000-7fe95bd77000 r-xp 00000000 08:01 416489                     /lib/x86_64-linux-gnu/ld-2.23.so
7fe95bf58000-7fe95bf5b000 rw-p 00000000 00:00 0 
7fe95bf75000-7fe95bf76000 rw-p 00000000 00:00 0 
7fe95bf76000-7fe95bf77000 r--p 00025000 08:01 416489                     /lib/x86_64-linux-gnu/ld-2.23.so
7fe95bf77000-7fe95bf78000 rw-p 00026000 08:01 416489                     /lib/x86_64-linux-gnu/ld-2.23.so
7fe95bf78000-7fe95bf79000 rw-p 00000000 00:00 0 
7ffffd2bc000-7ffffd2dd000 rw-p 00000000 00:00 0                          [stack]
7ffffd374000-7ffffd376000 r--p 00000000 00:00 0                          [vvar]
7ffffd376000-7ffffd378000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Information obtained by using ASAN:

$ ./test_wav_read_asan < heap-buffer-overflow.wav 
=================================================================
==5269==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b0000060c8 at pc 0x000000406358 bp 0x7ffe04372420 sp 0x7ffe04372410
WRITE of size 2 at 0x62b0000060c8 thread T0
    #0 0x406357 in ok_wav_decode_ms_adpcm_data /home/hdthky/libraries/ok-file-formats/ok_wav.c:793
    #1 0x406ec9 in ok_wav_decode_data /home/hdthky/libraries/ok-file-formats/ok_wav.c:896
    #2 0x407d22 in ok_wav_decode_wav_file /home/hdthky/libraries/ok-file-formats/ok_wav.c:1017
    #3 0x408cd6 in ok_wav_decode /home/hdthky/libraries/ok-file-formats/ok_wav.c:1181
    #4 0x40164f in ok_wav_read_with_allocator /home/hdthky/libraries/ok-file-formats/ok_wav.c:169
    #5 0x401517 in ok_wav_read /home/hdthky/libraries/ok-file-formats/ok_wav.c:158
    #6 0x400f71 in main /home/hdthky/libraries/ok-file-formats/test_wav_read.c:6
    #7 0x7faf1b40583f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #8 0x400dd8 in _start (/home/hdthky/libraries/ok-file-formats/test_wav_read_asan+0x400dd8)

0x62b0000060c8 is located 0 bytes to the right of 24264-byte region [0x62b000000200,0x62b0000060c8)
allocated by thread T0 :
    #0 0x7faf1b847602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40125e in ok_stdlib_alloc /home/hdthky/libraries/ok-file-formats/ok_wav.c:93
    #2 0x401436 in ok_malloc_wav_data /home/hdthky/libraries/ok-file-formats/ok_wav.c:127
    #3 0x405899 in ok_wav_decode_ms_adpcm_data /home/hdthky/libraries/ok-file-formats/ok_wav.c:729
    #4 0x406ec9 in ok_wav_decode_data /home/hdthky/libraries/ok-file-formats/ok_wav.c:896
    #5 0x407d22 in ok_wav_decode_wav_file /home/hdthky/libraries/ok-file-formats/ok_wav.c:1017
    #6 0x408cd6 in ok_wav_decode /home/hdthky/libraries/ok-file-formats/ok_wav.c:1181
    #7 0x40164f in ok_wav_read_with_allocator /home/hdthky/libraries/ok-file-formats/ok_wav.c:169
    #8 0x401517 in ok_wav_read /home/hdthky/libraries/ok-file-formats/ok_wav.c:158
    #9 0x400f71 in main /home/hdthky/libraries/ok-file-formats/test_wav_read.c:6
    #10 0x7faf1b40583f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hdthky/libraries/ok-file-formats/ok_wav.c:793 ok_wav_decode_ms_adpcm_data
Shadow bytes around the buggy address:
  0x0c567fff8bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fff8c10: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
  0x0c567fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5269==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_wav_decode_ms_adpcm_data() at ok_wav.c:793

PoC

PoC file is this.

A heap-buffer-overflow detected in ok_wav.c:627

Hello,
I found a heap buffer overflow in ok_wav.c: ok_wav_decode_ms_ima_adpcm_data, line 627.
In detail, my testcase's input size is < 4, but in line 627 the for loop accesses input[2] and input[3], so there is an out-of-range access.
The AddressSanitizer report is as follows:
=================================================================
==7463==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000038 at pc 0x55b19c358318 bp 0x7ffd9c5cc8d0 sp 0x7ffd9c5cc8c0
READ of size 1 at 0x602000000038 thread T0
#0 0x55b19c358317 in ok_wav_decode_ms_ima_adpcm_data ok_wav.c:627
#1 0x55b19c35a4f5 in ok_wav_decode_data ok_wav.c:893
#2 0x55b19c35b3f7 in ok_wav_decode_wav_file ok_wav.c:1017
#3 0x55b19c35c6bd in ok_wav_decode ok_wav.c:1181
#4 0x55b19c354b43 in ok_wav_read_with_allocator ok_wav.c:169
#5 0x55b19c3549a4 in ok_wav_read ok_wav.c:158
#6 0x55b19c35c983 in main wav.c:5
#7 0x7fba9c757082 in __libc_start_main ../csu/libc-start.c:308
#8 0x55b19c35440d in _start (/home/yurenjin/wavana/wavvuln+0x240d)

0x602000000038 is located 0 bytes to the right of 8-byte region [0x602000000030,0x602000000038)
allocated by thread T0 here:
#0 0x7fba9ca32808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55b19c3546d7 in ok_stdlib_alloc ok_wav.c:93
#2 0x55b19c357e47 in ok_wav_decode_ms_ima_adpcm_data ok_wav.c:587
#3 0x55b19c35a4f5 in ok_wav_decode_data ok_wav.c:893
#4 0x55b19c35b3f7 in ok_wav_decode_wav_file ok_wav.c:1017
#5 0x55b19c35c6bd in ok_wav_decode ok_wav.c:1181
#6 0x55b19c354b43 in ok_wav_read_with_allocator ok_wav.c:169
#7 0x55b19c3549a4 in ok_wav_read ok_wav.c:158
#8 0x55b19c35c983 in main wav.c:5
#9 0x7fba9c757082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ok_wav.c:627 in ok_wav_decode_ms_ima_adpcm_data
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa 00[fa]fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==7463==ABORTING
The testcase that triggers this I'll upload to my GitHub soon.
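The report above describes a decoder loop that assumes at least 4 bytes of block header and reads input[2] and input[3] from a shorter buffer. As an added example (not code from ok-file-formats or from the reporter), here is the defensive pattern for that situation: a reader for the 4-byte-per-channel header that IMA ADPCM WAV blocks begin with (int16 little-endian predictor, uint8 step index, uint8 reserved) which checks the remaining length before touching any index, plus a block walker that refuses a trailing partial block. The names adpcm_block_header, read_adpcm_block_headers, count_valid_blocks and adpcm_selftest are hypothetical; the sample inputs are constructed.

```c
/* Added example, not ok-file-formats code. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define ADPCM_HEADER_BYTES_PER_CHANNEL 4
#define ADPCM_MAX_CHANNELS 2
#define IMA_STEP_TABLE_LAST 88   /* the IMA step table has 89 entries */

typedef struct {
    int16_t predictor;   /* initial sample, little-endian int16 */
    uint8_t step_index;  /* index into the IMA step table */
} adpcm_block_header;

/* Reads one header per channel. Returns the number of bytes consumed, or 0
 * when the input is shorter than the headers it would have to read or a
 * field is out of range. Every index used below is covered by the len check. */
size_t read_adpcm_block_headers(const uint8_t *input, size_t len,
                                unsigned channels, adpcm_block_header *out)
{
    if (input == NULL || out == NULL || channels == 0 ||
        channels > ADPCM_MAX_CHANNELS) {
        return 0;
    }
    size_t need = (size_t)channels * ADPCM_HEADER_BYTES_PER_CHANNEL;
    if (len < need) {
        /* A loop that assumed 4 bytes here would touch input[2] and input[3]
         * past the end of a 3-byte input; refuse the block instead. */
        return 0;
    }
    for (unsigned ch = 0; ch < channels; ch++) {
        const uint8_t *p = input + (size_t)ch * ADPCM_HEADER_BYTES_PER_CHANNEL;
        out[ch].predictor = (int16_t)(uint16_t)(p[0] | (p[1] << 8));
        out[ch].step_index = p[2];           /* p[3] is reserved */
        if (out[ch].step_index > IMA_STEP_TABLE_LAST) {
            return 0;                        /* would index past the step table */
        }
    }
    return need;
}

/* Walks fixed-size blocks, validating each header and stopping at the first
 * block that does not fit completely in the remaining input.
 * Returns the number of blocks that passed. */
size_t count_valid_blocks(const uint8_t *input, size_t len,
                          unsigned channels, size_t block_align)
{
    adpcm_block_header h[ADPCM_MAX_CHANNELS];
    size_t blocks = 0;
    if (input == NULL || block_align == 0) {
        return 0;
    }
    for (size_t off = 0; len - off >= block_align; off += block_align) {
        if (read_adpcm_block_headers(input + off, block_align, channels, h) == 0) {
            break;
        }
        blocks++;
    }
    return blocks;
}

/* Constructed inputs exercising the checks; returns 1 when all pass. */
int adpcm_selftest(void)
{
    adpcm_block_header h[ADPCM_MAX_CHANNELS];
    const uint8_t too_short[3] = {0x34, 0x12, 0x05};              /* 3 bytes, like the report */
    const uint8_t stereo[8] = {0xff, 0xff, 0x10, 0x00,            /* ch0: -1, step 16 */
                               0x00, 0x80, 0x58, 0x00};           /* ch1: -32768, step 88 */
    const uint8_t bad_index[4] = {0x00, 0x00, 0x59, 0x00};        /* step 89: out of table */
    if (read_adpcm_block_headers(too_short, sizeof too_short, 1, h) != 0) return 0;
    if (read_adpcm_block_headers(stereo, sizeof stereo, 2, h) != 8) return 0;
    if (h[0].predictor != -1 || h[0].step_index != 16) return 0;
    if (h[1].predictor != -32768 || h[1].step_index != 88) return 0;
    if (read_adpcm_block_headers(bad_index, sizeof bad_index, 1, h) != 0) return 0;
    return 1;
}
```

The point of the walker is that the length test happens once per block against the whole block, so the per-field reads inside read_adpcm_block_headers never need to re-check; a truncated final block is dropped rather than partially decoded.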

heap-buffer-overflow in /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:301 ok_mo_decode2()

Test Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Test Program

#include <stdio.h>
#include "ok_mo.h"

int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_mo *image = ok_mo_read(file);
    fclose(file);
    ok_mo_free(image);
    return 0;
}

$ gcc -o mo_decode mo_decode.c ok_mo.h ok_mo.c

Asan Debug Information

ok-file-formats git:(master) ✗ ./mo_decode-asan ./mo_out/03-heap-buffer-overflow.mo 
=================================================================
==31120==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef71 at pc 0x0000004058ae bp 0x7ffc8b9cb940 sp 0x7ffc8b9cb930
READ of size 1 at 0x60200000ef71 thread T0
    #0 0x4058ad in ok_mo_decode2 /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:301
    #1 0x4058ad in ok_mo_decode /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:96
    #2 0x4058ad in ok_mo_read /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:145
    #3 0x401074 in main /home/moonagirl/megic_afl/ok-file-formats/mo_decode.c:6
    #4 0x7f526eb0c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4011c8 in _start (/home/moonagirl/megic_afl/ok-file-formats/mo_decode-asan+0x4011c8)

0x60200000ef71 is located 0 bytes to the right of 1-byte region [0x60200000ef70,0x60200000ef71)
allocated by thread T0 here:
    #0 0x7f526ef4e602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40511b in ok_mo_decode2 /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:285
    #2 0x40511b in ok_mo_decode /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:96
    #3 0x40511b in ok_mo_read /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:145

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moonagirl/megic_afl/ok-file-formats/ok_mo.c:301 ok_mo_decode2
Shadow bytes around the buggy address:
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fff9df0: fa fa 00 fa fa fa 01 fa fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==31120==ABORTING

POC file

https://github.com/moonAgirl/Bugs/blob/master/ok-file-formats/2018-12-31-03-heap-buffer-overflow.mo

heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:712:13

Version

203defd

Environment

Ubuntu 18.04, 64 bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_png.c" 
#include "ok_png.h"

int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_png image = ok_png_read(file, OK_PNG_COLOR_FORMAT_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

Compile test program:

$ gcc -g -o main main.c ok_png.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -o asanpng main.c ok_png.h

Result

The result of running without ASAN:

$ ./main heap-buffer-overflow-3.png
free(): invalid pointer
Aborted (core dumped)

Information obtained by using ASAN:

$ ./asanpng heap-buffer-overflow-3.png
==8813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002680 at pc 0x0000004e48dc bp 0x7ffe51b2f890 sp 0x7ffe51b2f888
WRITE of size 4 at 0x621000002680 thread T0
    #0 0x4e48db in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:712:13
    #1 0x4e48db in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
    #2 0x4e48db in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
    #3 0x4e48db in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
    #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
    #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
    #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
    #7 0x7fe87e6f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)

0x621000002680 is located 384 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
    #1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
    #2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
    #3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
    #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
    #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
    #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
    #7 0x7fe87e6f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:712:13 in ok_png_transform_scanline
Shadow bytes around the buggy address:
  0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff84d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==8813==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_png_transform_scanline() at ok_png.c:712:13.

Poc

Poc file is this.

heap-buffer-overflow in /ok-file-formats/ok_csv.c:448 ok_csv_decode2()

Test Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Test Program

#include <stdio.h>
#include "ok_csv.h"

int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_csv *image = ok_csv_read(file);
    fclose(file);
    ok_csv_free(image);
    return 0;
}

$ gcc -o csv_decode csv_decode.c ok_csv.h ok_csv.c

Asan Debug Information

ok-file-formats git:(master) ✗ ./csv_decode-asan ./csv_out/2018-12-31-heap-buffer-overflow.csv 
=================================================================
==83695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff1 at pc 0x00000040e0ae bp 0x7fff4ea94bc0 sp 0x7fff4ea94bb0
WRITE of size 1 at 0x60200000eff1 thread T0
    #0 0x40e0ad in ok_csv_decode2 /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:448
    #1 0x411baf in ok_csv_decode /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:241
    #2 0x411baf in ok_csv_read /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:177
    #3 0x400d7a in main /home/moonagirl/megic_afl/ok-file-formats/csv_decode.c:6
    #4 0x7f33246cd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x400e88 in _start (/home/moonagirl/megic_afl/ok-file-formats/csv_decode-asan+0x400e88)

0x60200000eff1 is located 0 bytes to the right of 1-byte region [0x60200000eff0,0x60200000eff1)
allocated by thread T0 here:
    #0 0x7f3324b0f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x403e82 in ok_csv_decode2 /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:422

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:448 ok_csv_decode2
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==83695==ABORTING

POC file

https://github.com/moonAgirl/Bugs/blob/master/ok-file-formats/2018-12-31-02-heap-buffer-overflow.csv

Byte array instead of file as input

First of all, thanks for making this library available! For a project of mine, I am already successfully using it to load images. But now I also need to decode a uint8_t based byte array directly. Do you have a suggestion how you would go about that using your library?

heap-buffer-overflow in ok_csv_circular_buffer_read() at ok_csv.c:95

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_csv_circular_buffer_read() at ok_csv.c:95

Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Environment

Ubuntu 18.04, 64bit

Reproduce

test program

#include <stdio.h>
#include "ok_csv.h"

int main(int argc, char *argv[]) {
  FILE *file = fopen(argv[1], "rb");
  ok_csv *csv = ok_csv_read(file);
  fclose(file);
  if (csv->error_message) {
    fprintf(stderr, "%s\n", csv->error_message);
  }
  ok_csv_free(csv);
  return 0;
}

Compile test program with Address Sanitizer:

gcc -g -fsanitize=address -o main-asan main.c ok_csv.c ok_csv.h

Asan Report

$ ./main-asan ./poc.csv
=================================================================
==58179==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000480 at pc 0x7f4834e5577a bp 0x7fff1198aed0 sp 0x7fff1198a678
WRITE of size 181 at 0x606000000480 thread T0
    #0 0x7f4834e55779  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x55fd598bd79a in ok_csv_circular_buffer_read /home/au9/ok-file-format/ok_csv.c:95
    #2 0x55fd598bf52d in ok_csv_decode2 /home/au9/ok-file-format/ok_csv.c:484
    #3 0x55fd598bdf1d in ok_csv_decode /home/au9/ok-file-format/ok_csv.c:241
    #4 0x55fd598bdd4a in ok_csv_read /home/au9/ok-file-format/ok_csv.c:177
    #5 0x55fd598bd0c2 in main /home/au9/ok-file-format/main.c:8
    #6 0x7f4834a0cbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #7 0x55fd598bcf89 in _start (/home/au9/ok-file-format/main-asan+0xf89)

0x606000000480 is located 0 bytes to the right of 64-byte region [0x606000000440,0x606000000480)
allocated by thread T0 here:
    #0 0x7f4834ebab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x55fd598bf4e1 in ok_csv_decode2 /home/au9/ok-file-format/ok_csv.c:479
    #2 0x55fd598bdf1d in ok_csv_decode /home/au9/ok-file-format/ok_csv.c:241
    #3 0x55fd598bdd4a in ok_csv_read /home/au9/ok-file-format/ok_csv.c:177
    #4 0x55fd598bd0c2 in main /home/au9/ok-file-format/main.c:8
    #5 0x7f4834a0cbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
Shadow bytes around the buggy address:
  0x0c0c7fff8040: 00 00 00 00 00 00 00 03 fa fa fa fa 00 00 00 00
  0x0c0c7fff8050: 00 00 00 05 fa fa fa fa 00 00 00 00 00 00 05 fa
  0x0c0c7fff8060: fa fa fa fa 00 00 00 00 00 00 04 fa fa fa fa fa
  0x0c0c7fff8070: 00 00 00 00 00 00 00 06 fa fa fa fa 00 00 00 00
  0x0c0c7fff8080: 00 00 00 05 fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff8090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==58179==ABORTING

PoC

poc.csv
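The report above shows a write of 181 bytes landing in a 64-byte heap region from inside a circular-buffer fill routine. As an added example (not code from ok-file-formats or from the reporter), here is a bounded ring buffer whose write path clamps each copy to the free space and splits it at the wrap point, so a chunk larger than the remaining room is truncated rather than copied past the allocation. The names ring_buffer, ring_buffer_write, ring_buffer_read, clamped_fill_count and ring_buffer_selftest are hypothetical; the sizes 64 and 181 are taken from the report and the byte contents are constructed.

```c
/* Added example, not ok-file-formats code. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint8_t *data;
    size_t capacity;
    size_t start;    /* index of the oldest stored byte */
    size_t length;   /* bytes currently stored */
} ring_buffer;

/* Appends up to n bytes from src and returns how many were stored. */
size_t ring_buffer_write(ring_buffer *rb, const uint8_t *src, size_t n)
{
    if (rb == NULL || rb->data == NULL || rb->capacity == 0 || src == NULL) return 0;
    size_t free_space = rb->capacity - rb->length;
    if (n > free_space) n = free_space;          /* clamp to what fits */
    size_t end = (rb->start + rb->length) % rb->capacity;
    size_t first = rb->capacity - end;           /* bytes available before the wrap */
    if (first > n) first = n;
    memcpy(rb->data + end, src, first);
    memcpy(rb->data, src + first, n - first);    /* remainder goes after the wrap */
    rb->length += n;
    return n;
}

/* Removes up to n bytes into dst and returns how many were copied. */
size_t ring_buffer_read(ring_buffer *rb, uint8_t *dst, size_t n)
{
    if (rb == NULL || rb->data == NULL || rb->capacity == 0 || dst == NULL) return 0;
    if (n > rb->length) n = rb->length;
    size_t first = rb->capacity - rb->start;
    if (first > n) first = n;
    memcpy(dst, rb->data + rb->start, first);
    memcpy(dst + first, rb->data, n - first);
    rb->start = (rb->start + n) % rb->capacity;
    rb->length -= n;
    return n;
}

/* Offers `offered` bytes to a fresh buffer of `capacity` bytes and returns
 * the number actually stored (both bounded by 256 for this demo). */
size_t clamped_fill_count(size_t offered, size_t capacity)
{
    uint8_t storage[256];
    uint8_t chunk[256];
    if (capacity > sizeof storage || offered > sizeof chunk) return 0;
    ring_buffer rb = {storage, capacity, 0, 0};
    memset(chunk, 0xAB, sizeof chunk);           /* constructed payload */
    return ring_buffer_write(&rb, chunk, offered);
}

/* Constructed scenario with a wrap-around; returns 1 when the bytes come
 * back in the order they went in. */
int ring_buffer_selftest(void)
{
    uint8_t storage[64], big[181], out[64];
    ring_buffer rb = {storage, sizeof storage, 0, 0};
    for (size_t i = 0; i < sizeof big; i++) big[i] = (uint8_t)i;

    if (ring_buffer_write(&rb, big, sizeof big) != 64) return 0;   /* 181 clamped to 64 */
    if (ring_buffer_read(&rb, out, 32) != 32 || out[0] != 0 || out[31] != 31) return 0;
    if (ring_buffer_write(&rb, big + 64, 50) != 32) return 0;      /* fills the freed 32, wraps */
    if (ring_buffer_read(&rb, out, 64) != 64) return 0;
    return out[0] == 32 && out[31] == 63 && out[32] == 64 && out[63] == 95;
}
```

The caller sees the short count returned by ring_buffer_write and can loop, so clamping loses no data; it only moves the decision about how much to copy to the side that knows the buffer's capacity.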

Load image data into preallocated buffers BUG

When I use ok_png_read_to_buffer() or ok_jpg_read_to_buffer() to decode an image and store the raw data in a buffer, I can't get the data there, and error_message is empty.

I found something wrong in your code; maybe I am using it wrong.

In ok_png.c line 750, you check dst_buffer and create it. But if dst_buffer is preallocated, you do nothing. So I added an else case like this: else { png->data = decoder->dst_buffer; }, and then it's correct.

It's the same case in ok_jpg.c line 1586.

Excuse me for my bad English!

heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:494:20

Version

203defd

Environment

Ubuntu 18.04, 64 bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_png.c" 
#include "ok_png.h"

int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_png image = ok_png_read(file, OK_PNG_COLOR_FORMAT_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

Compile test program:

$ gcc -g -o main main.c ok_png.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -o asanpng main.c ok_png.h

Result

The result of running without ASAN:

$ ./asanpng heap-buffer-overflow-7.png
Segmentation fault (core dumped)

Information obtained by using ASAN:

$ ./asanpng heap-buffer-overflow-7.png
=================================================================
==1998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x0000004e3d62 bp 0x7ffe6e5d0b90 sp 0x7ffe6e5d0b88
WRITE of size 1 at 0x621000002500 thread T0
    #0 0x4e3d61 in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:494:20
    #1 0x4e3d61 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
    #2 0x4e3d61 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
    #3 0x4e3d61 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
    #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
    #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
    #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
    #7 0x7f5e82a180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
    #1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
    #2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
    #3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
    #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
    #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
    #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
    #7 0x7f5e82a180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:494:20 in ok_png_transform_scanline
Shadow bytes around the buggy address:
  0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1998==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_png_transform_scanline() at ok_png.c:494:20

Poc

Poc file is this.

heap-buffer-overflow in function ok_jpg_decode_block_progressive() at ok_jpg.c:1054

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_jpg_decode_block_progressive() at ok_jpg.c:1054

Reproduce

test program

#include <stdio.h>
#include <stdlib.h>
#include "ok_mo.h"
#include "ok_jpg.h"
int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_jpg image = ok_jpg_read(file, OK_JPG_COLOR_FORMAT_RGBA);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Tested in Ubuntu 18.04, 64bit.
Compile test program with address sanitizer with this command:

gcc -g -fsanitize=address -fno-omit-frame-pointer -O1 -o Asanjpg main.c ok_jpg.c  ok_jpg.h

You can get program here.

ASan Reports

./Asanjpg crash/jpg-heap-buffer-overflow-2

Get ASan reports

==78746==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000011618 at pc 0x556e3ec8f64c bp 0x7ffca25f9440 sp 0x7ffca25f9430
WRITE of size 2 at 0x631000011618 thread T0
    #0 0x556e3ec8f64b in ok_jpg_decode_block_progressive /root/study/ok-file-formats/afl-test/ok_jpg.c:1054
    #1 0x556e3ec90c16 in ok_jpg_decode_scan /root/study/ok-file-formats/afl-test/ok_jpg.c:1217
    #2 0x556e3ec95c60 in ok_jpg_read_sos /root/study/ok-file-formats/afl-test/ok_jpg.c:1734
    #3 0x556e3ec96d3c in ok_jpg_decode2 /root/study/ok-file-formats/afl-test/ok_jpg.c:1900
    #4 0x556e3ec97605 in ok_jpg_decode /root/study/ok-file-formats/afl-test/ok_jpg.c:1990
    #5 0x556e3ec868a4 in ok_jpg_read_with_allocator /root/study/ok-file-formats/afl-test/ok_jpg.c:268
    #6 0x556e3ec8671b in ok_jpg_read /root/study/ok-file-formats/afl-test/ok_jpg.c:257
    #7 0x556e3ec85d5e in main /root/study/ok-file-formats/afl-test/main.c:8
    #8 0x7ff14d6d7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x556e3ec85b29 in _start (/root/study/ok-file-formats/afl-test/Asanjpg/Asanjpg+0x2b29)

0x631000011618 is located 9 bytes to the right of 69135-byte region [0x631000000800,0x63100001160f)
allocated by thread T0 here:
    #0 0x7ff14db85b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x556e3ec85f00 in ok_stdlib_alloc /root/study/ok-file-formats/afl-test/ok_jpg.c:55
    #2 0x556e3ec94b20 in ok_jpg_read_sof /root/study/ok-file-formats/afl-test/ok_jpg.c:1595
    #3 0x556e3ec96ac2 in ok_jpg_decode2 /root/study/ok-file-formats/afl-test/ok_jpg.c:1884
    #4 0x556e3ec97605 in ok_jpg_decode /root/study/ok-file-formats/afl-test/ok_jpg.c:1990
    #5 0x556e3ec868a4 in ok_jpg_read_with_allocator /root/study/ok-file-formats/afl-test/ok_jpg.c:268
    #6 0x556e3ec8671b in ok_jpg_read /root/study/ok-file-formats/afl-test/ok_jpg.c:257
    #7 0x556e3ec85d5e in main /root/study/ok-file-formats/afl-test/main.c:8
    #8 0x7ff14d6d7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/study/ok-file-formats/afl-test/ok_jpg.c:1054 in ok_jpg_decode_block_progressive
Shadow bytes around the buggy address:
  0x0c627fffa270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa2c0: 00 07 fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==78746==ABORTING

Poc

Poc file is here.

Fuzzer & Testcase

Fuzzer is AFL.
Testcase is your testcase in dir ok-file-formats/test/jpg.

heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:641

Version

203defd

Environment

Ubuntu 18.04, 64 bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_png.c" 
#include "ok_png.h"

int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_png image = ok_png_read(file, OK_PNG_COLOR_FORMAT_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

Compile test program:

$ gcc -g -o main main.c ok_png.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -o asanpng main.c ok_png.h

Result

The result of running without ASAN:

$ ./main heap-buffer-overflow-4.png
double free or corruption (out)
Aborted (core dumped)

Information obtained by using ASAN:

$ ./asanpng heap-buffer-overflow-4.png
=================================================================
==79572==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c980 at pc 0x5568c463aab9 bp 0x7ffd28877590 sp 0x7ffd28877580
WRITE of size 1 at 0x62100001c980 thread T0
    #0 0x5568c463aab8 in ok_png_transform_scanline /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:641
    #1 0x5568c463cb5a in ok_png_read_data /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:895
    #2 0x5568c463d15d in ok_png_decode2 /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:971
    #3 0x5568c463d608 in ok_png_decode /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:1025
    #4 0x5568c46362f3 in ok_png_read_with_allocator /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:188
    #5 0x5568c46361cf in ok_png_read /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:177
    #6 0x5568c46427d7 in main /home/xrz/afl++/ok-file-formats-png/issues/main.c:8
    #7 0x7f98b180bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x5568c4635d79 in _start (/home/xrz/afl++/ok-file-formats-png/issues/heap-buffer-overflow-4/asanpng+0x1d79)

0x62100001c980 is located 128 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
    #0 0x7f98b1ca1e80 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6e80)
    #1 0x5568c4635e9b in ok_stdlib_alloc /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:58
    #2 0x5568c463bc7e in ok_png_read_data /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:774
    #3 0x5568c463d15d in ok_png_decode2 /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:971
    #4 0x5568c463d608 in ok_png_decode /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:1025
    #5 0x5568c46362f3 in ok_png_read_with_allocator /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:188
    #6 0x5568c46361cf in ok_png_read /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:177
    #7 0x5568c46427d7 in main /home/xrz/afl++/ok-file-formats-png/issues/main.c:8
    #8 0x7f98b180bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:641 in ok_png_transform_scanline
Shadow bytes around the buggy address:
==79572==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_png_transform_scanline() at ok_png.c:641.

Poc

Poc file is this.

heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:533:20

Version

203defd

Environment

Ubuntu 18.04, 64 bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_png.c"
#include "ok_png.h"

int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_png image = ok_png_read(file, OK_PNG_COLOR_FORMAT_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

Compile test program:

$ gcc -g -o main main.c ok_png.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -o asanpng main.c ok_png.h

Result

The result of running without ASAN:

$ ./main heap-buffer-overflow-5.png
free(): invalid pointer
Aborted (core dumped)

Information obtained by using ASAN:

$ ./asanpng heap-buffer-overflow-5.png
=================================================================
==14406==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x0000004e363f bp 0x7ffdc4189f10 sp 0x7ffdc4189f08
WRITE of size 1 at 0x621000002500 thread T0
    #0 0x4e363e in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:533:20
    #1 0x4e363e in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
    #2 0x4e363e in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
    #3 0x4e363e in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
    #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
    #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
    #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
    #7 0x7f574c1aa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
    #1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
    #2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
    #3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
    #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
    #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
    #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
    #7 0x7f574c1aa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:533:20 in ok_png_transform_scanline
Shadow bytes around the buggy address:
==14406==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_png_transform_scanline() at ok_png.c:533:20.

Poc

Poc file is this.

heap-buffer-overflow in function ok_jpg_decode_block_subsequent_scan() at ok_jpg.c:1102

Describe

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_jpg_decode_block_subsequent_scan() at ok_jpg.c:1102

Reproduce

test program

#include <stdio.h>
#include <stdlib.h>
#include "ok_mo.h"
#include "ok_jpg.h"
int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_jpg image = ok_jpg_read(file, OK_JPG_COLOR_FORMAT_RGBA);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Tested on Ubuntu 18.04, 64-bit.
Compile test program with address sanitizer with this command:

gcc -g -fsanitize=address -fno-omit-frame-pointer -O1 -o Asanjpg main.c ok_jpg.c  ok_jpg.h

You can get the program here.

ASan Reports

./Asanjpg crash/jpg-heap-buffer-overflow-1

Get ASan reports

==98287==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000039680 at pc 0x562394639b54 bp 0x7ffee24654e0 sp 0x7ffee24654d0
READ of size 2 at 0x631000039680 thread T0
    #0 0x562394639b53 in ok_jpg_decode_block_subsequent_scan /root/study/ok-file-formats/afl-test/ok_jpg.c:1102
    #1 0x56239463b11f in ok_jpg_decode_scan /root/study/ok-file-formats/afl-test/ok_jpg.c:1238
    #2 0x56239463fc60 in ok_jpg_read_sos /root/study/ok-file-formats/afl-test/ok_jpg.c:1734
    #3 0x562394640d3c in ok_jpg_decode2 /root/study/ok-file-formats/afl-test/ok_jpg.c:1900
    #4 0x562394641605 in ok_jpg_decode /root/study/ok-file-formats/afl-test/ok_jpg.c:1990
    #5 0x5623946308a4 in ok_jpg_read_with_allocator /root/study/ok-file-formats/afl-test/ok_jpg.c:268
    #6 0x56239463071b in ok_jpg_read /root/study/ok-file-formats/afl-test/ok_jpg.c:257
    #7 0x56239462fd5e in main /root/study/ok-file-formats/afl-test/main.c:8
    #8 0x7fe63f9a4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x56239462fb29 in _start (/root/study/ok-file-formats/afl-test/Asanjpg/Asanjpg+0x2b29)

0x631000039680 is located 113 bytes to the right of 69135-byte region [0x631000028800,0x63100003960f)
allocated by thread T0 here:
    #0 0x7fe63fe52b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x56239462ff00 in ok_stdlib_alloc /root/study/ok-file-formats/afl-test/ok_jpg.c:55
    #2 0x56239463eb20 in ok_jpg_read_sof /root/study/ok-file-formats/afl-test/ok_jpg.c:1595
    #3 0x562394640ac2 in ok_jpg_decode2 /root/study/ok-file-formats/afl-test/ok_jpg.c:1884
    #4 0x562394641605 in ok_jpg_decode /root/study/ok-file-formats/afl-test/ok_jpg.c:1990
    #5 0x5623946308a4 in ok_jpg_read_with_allocator /root/study/ok-file-formats/afl-test/ok_jpg.c:268
    #6 0x56239463071b in ok_jpg_read /root/study/ok-file-formats/afl-test/ok_jpg.c:257
    #7 0x56239462fd5e in main /root/study/ok-file-formats/afl-test/main.c:8
    #8 0x7fe63f9a4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/study/ok-file-formats/afl-test/ok_jpg.c:1102 in ok_jpg_decode_block_subsequent_scan
Shadow bytes around the buggy address:
==98287==ABORTING

Poc

Poc file is here.

Fuzzer & Testcase

The fuzzer is AFL.
The testcase is your own testcase in the directory ok-file-formats/test/jpg.

An endless loop detected in ok_wav.c:ok_wav_decode_caf_file

Hello,
An endless loop was detected in ok_wav_decode_caf_file by fuzzing.
In detail, my testcase's chunk_length is 0x64, and after casting input_user_data to FILE*, it accesses wrong memory,
and the memory there has data that fits fseek(input_user_data, 0x64, SEEK_CUR), so the function ok_seek always returns true.
In the loop in ok_wav_decode_caf_file, while(true), the chunk_header check always goes to the else branch, so an endless loop is triggered in this case.
The gdb info is as follows:
p chunk_length
$13 = 0x64
p decoder->input_user_data
$19 = (void*) 0x55555555c2a0
x/32gx 0x55555555c2a0+0x64
0x55555555c304 0xf7e1a6a000000000 0x0000000300007fff ....
The testcase I'll upload soon.
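An added example, not code from ok-file-formats, showing the check that stops this class of endless loop: the chunk walk runs over an in-memory buffer whose length is known, so a chunk_length that would seek past the end (0x64 here, as in the report) is rejected instead of skipped, and every iteration must advance the cursor. The function names, the sample bytes and the return codes are assumptions; only the CAF chunk header layout (4-byte type, 8-byte big-endian length) is the real format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical return codes for the bounded chunk walk (not ok_wav's API). */
enum caf_walk_result { CAF_FOUND, CAF_NOT_FOUND, CAF_TRUNCATED, CAF_BAD_LENGTH };

static uint64_t read_be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Walk CAF chunks from `offset`, looking for the 4-char chunk type `want`.
 * The loop terminates because (a) a header that does not fit is an error,
 * (b) a length beyond the remaining bytes is an error rather than a seek,
 * and (c) offset grows by at least 12 on every iteration. */
enum caf_walk_result caf_find_chunk(const uint8_t *buf, size_t len, size_t offset,
                                    const char *want, size_t *out_offset,
                                    uint64_t *out_len) {
    while (offset < len) {
        if (len - offset < 12) return CAF_TRUNCATED;      /* header must fit */
        uint64_t chunk_len = read_be64(buf + offset + 4);
        size_t payload = offset + 12;
        /* CAF allows -1 only for a final data chunk: treat it as "rest of file". */
        if (chunk_len == UINT64_MAX) chunk_len = len - payload;
        if (chunk_len > len - payload) return CAF_BAD_LENGTH; /* would seek past EOF */
        if (memcmp(buf + offset, want, 4) == 0) {
            *out_offset = payload;
            *out_len = chunk_len;
            return CAF_FOUND;
        }
        offset = payload + (size_t)chunk_len;             /* guaranteed progress */
    }
    return CAF_NOT_FOUND;
}

/* Constructed sample: 8-byte file header, one well-formed "desc" chunk, then a
 * chunk claiming 0x64 bytes of payload that are not present, as in the report. */
static const uint8_t sample[] = {
    'c','a','f','f', 0,1, 0,0,                       /* file header, skipped by caller */
    'd','e','s','c', 0,0,0,0,0,0,0,4, 1,2,3,4,       /* good chunk: 4 payload bytes */
    'f','r','e','e', 0,0,0,0,0,0,0,0x64,             /* bogus length 0x64, no payload */
};

/* Returns CAF_BAD_LENGTH: the bogus chunk is rejected instead of looping forever. */
int sample_walk_result(void) {
    size_t off; uint64_t n;
    return caf_find_chunk(sample, sizeof sample, 8, "data", &off, &n);
}
```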
