Dirac / Bugs / #56 heap overflow (write) in dirac::ArithCodecBase::ReadAllData

heap overflow (write) in dirac::ArithCodecBase::ReadAllData

#56 heap overflow (write) in dirac::ArithCodecBase::ReadAllData

Milestone: v1.0 (example)

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2017-07-01

Created: 2017-07-01

Creator: Hanno Böck

Private: No

The attached sample file will cause a heap overflow in the dirac decoder. This was found with the help of the fuzzing tool american fuzzy lop.

Here's a stack trace from address sanitizer:

==4153==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000019ef at pc 0x00000056f150 bp 0x7fff5b770e80 sp 0x7fff5b770e78
WRITE of size 1 at 0x6020000019ef thread T0
    #0 0x56f14f in dirac::ArithCodecBase::ReadAllData(int) /f/dirac-1.0.2/libdirac_common/arith_codec.cpp:163:37
    #1 0x56f14f in dirac::ArithCodecBase::InitDecoder(int) /f/dirac-1.0.2/libdirac_common/arith_codec.cpp:134
    #2 0x60548e in dirac::ArithCodec<dirac::CoeffArray>::Decompress(dirac::CoeffArray&, int) /f/dirac-1.0.2/libdirac_decoder/../libdirac_common/arith_codec.h:451:9
    #3 0x60548e in dirac::CompDecompressor::Decompress(dirac::ComponentByteIO*, dirac::CoeffArray&, dirac::SubbandList&) /f/dirac-1.0.2/libdirac_decoder/comp_decompress.cpp:106
    #4 0x568038 in dirac::PictureDecompressor::Decompress(dirac::ParseUnitByteIO&, dirac::PictureBuffer&) /f/dirac-1.0.2/libdirac_decoder/picture_decompress.cpp:170:28
    #5 0x546ebd in dirac::SequenceDecompressor::DecompressNextPicture(dirac::ParseUnitByteIO*) /f/dirac-1.0.2/libdirac_decoder/seq_decompress.cpp:128:45
    #6 0x5307e6 in dirac::DiracParser::Parse() /f/dirac-1.0.2/libdirac_decoder/dirac_cppparser.cpp:223:54
    #7 0x515963 in dirac_parse /f/dirac-1.0.2/libdirac_decoder/dirac_parser.cpp:334:38
    #8 0x513d17 in DecodeDirac(char const*, char const*) /f/dirac-1.0.2/decoder/decmain.cpp:145:17
    #9 0x513d17 in main /f/dirac-1.0.2/decoder/decmain.cpp:303
    #10 0x7f6e7b7bc1d0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r2/work/glibc-2.24/csu/../csu/libc-start.c:289
    #11 0x41ce29 in _start (/r/dirac/dirac_decoder+0x41ce29)

0x6020000019ef is located 1 bytes to the left of 1-byte region [0x6020000019f0,0x6020000019f1)
allocated by thread T0 here:
    #0 0x50f3b0 in operator new[](unsigned long) (/r/dirac/dirac_decoder+0x50f3b0)
    #1 0x56ee2e in dirac::ArithCodecBase::ReadAllData(int) /f/dirac-1.0.2/libdirac_common/arith_codec.cpp:161:28
    #2 0x56ee2e in dirac::ArithCodecBase::InitDecoder(int) /f/dirac-1.0.2/libdirac_common/arith_codec.cpp:134
    #3 0x568038 in dirac::PictureDecompressor::Decompress(dirac::ParseUnitByteIO&, dirac::PictureBuffer&) /f/dirac-1.0.2/libdirac_decoder/picture_decompress.cpp:170:28
    #4 0x546ebd in dirac::SequenceDecompressor::DecompressNextPicture(dirac::ParseUnitByteIO*) /f/dirac-1.0.2/libdirac_decoder/seq_decompress.cpp:128:45

Discussion

Hanno Böck - 2017-07-01

example file attached

heap-oob-write.drc

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

heap overflow (write) in dirac::ArithCodecBase::ReadAllData

Group

Searches

Help

#56 heap overflow (write) in dirac::ArithCodecBase::ReadAllData

Discussion