There is a heap-buffer-overflow in function LoadRGB of PluginDDS.cpp which may cause code execution or denial of service. The FreeImage version is 3180. This vulnerability can be reproduced with the attached image file.
ASan log as below:
==32112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4103e04 at pc 0x08087ebd bp 0xffc70e68 sp 0xffc70a40
WRITE of size 91 at 0xf4103e04 thread T0
#0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc)
#1 0x883a341 in _ReadProc(void*, unsigned int, unsigned int, void*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19
#2 0x815b75a in LoadRGB(tagDDSURFACEDESC2 const*, FreeImageIO*, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:649:4
#3 0x815b75a in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:869:9
#4 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
#5 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
#6 0x811a7a0 in main /home/FreeImage/test.cpp.cpp:115:8
#7 0xf71fcfb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/../csu/libc-start.c:308:16
#8 0x806f8f5 in _start (/home/FreeImage/test+0x806f8f5)
0xf4103e04 is located 0 bytes to the right of 1412-byte region [0xf4103880,0xf4103e04)
allocated by thread T0 here:
#0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675)
#1 0x812aa32 in FreeImage_Aligned_Malloc(unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:183:19
#2 0x812aa32 in FreeImage_AllocateBitmap(int, unsigned char*, unsigned int, FREE_IMAGE_TYPE, int, int, int, unsigned int, unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:390:26
#3 0x812b63f in FreeImage_Allocate /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:487:9
#4 0x815b159 in LoadRGB(tagDDSURFACEDESC2 const*, FreeImageIO*, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp
#5 0x815b159 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:869:9
#6 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
#7 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
#8 0x811a7a0 in main /home/FreeImage/test.cpp.cpp:115:8
#9 0xf71fcfb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/FreeImage/test+0x8087ebc) in fread
Shadow bytes around the buggy address:
0x3e820770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e820780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e820790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e8207a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e8207b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e8207c0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e8207d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e8207e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e8207f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e820800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e820810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==32112==ABORTING
Fixed with patch https://sourceforge.net/p/freeimage/patches/143/
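The trace pairs an allocation made by FreeImage_Allocate inside LoadRGB with a 91-byte fread that starts exactly at the end of that allocation, i.e. the scanline being filled does not fit the bitmap that was allocated for it. The program below is an added example, not FreeImage's code and not the attached reproducer: it models the allocate-then-read pattern of LoadRGB in a few lines and puts a checked variant beside it. It relies on one behaviour of FreeImage_AllocateBitmap (BitmapAccess.cpp): for FIT_BITMAP it accepts only 1/4/8/16/24/32 bpp and silently substitutes 8 bpp for any other value instead of failing, so a header bit count outside that set yields a bitmap whose pitch is one byte per pixel while the loader still reads `width * bitcount / 8` bytes per row. That this is what the attached file triggers is an assumption; the header values, struct and function names here are constructed for illustration.

```c
/*
 * Added example (not FreeImage code): the allocate-then-read pattern of
 * LoadRGB, modelled with hypothetical names, plus a checked variant.
 * Assumption: FreeImage_AllocateBitmap maps unsupported FIT_BITMAP bit
 * depths to 8 bpp rather than returning NULL.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {            /* the DDSURFACEDESC2 fields the loader uses (untrusted) */
    uint32_t width;
    uint32_t height;
    uint32_t rgb_bitcount;  /* ddpfPixelFormat.dwRGBBitCount */
} dds_desc_t;

typedef struct {            /* memory-backed stand-in for FreeImageIO */
    const uint8_t *data;
    size_t len;
    size_t pos;
} mem_io_t;

/* Like fread: copies at most what is left and returns the count copied. */
static size_t mem_read(mem_io_t *io, uint8_t *dst, size_t n) {
    size_t avail = io->len - io->pos;
    if (n > avail) n = avail;
    memcpy(dst, io->data + io->pos, n);
    io->pos += n;
    return n;
}

/* Models FreeImage_AllocateBitmap's bpp handling for FIT_BITMAP (assumption):
 * unsupported depths become 8 bpp instead of failing the allocation. */
static unsigned coerce_bpp(unsigned bpp) {
    switch (bpp) {
    case 1: case 4: case 8: case 16: case 24: case 32: return bpp;
    default: return 8;
    }
}

/* Bytes of pixel data per row, and the row pitch rounded up to 4 bytes. */
static size_t calc_line(size_t width, unsigned bpp)  { return (width * bpp + 7) / 8; }
static size_t calc_pitch(size_t width, unsigned bpp) { return (calc_line(width, bpp) + 3) & ~(size_t)3; }

/* Unchecked plan: the bitmap is sized from the coerced bpp, but every row is
 * read with `line` computed from the header's bpp. Returns how far the first
 * read (top scanline, as LoadRGB fills bottom-up) would run past the pixel
 * area; 0 means it fits. Nothing is written here, only measured. */
static size_t rgb_overshoot_unchecked(const dds_desc_t *d) {
    size_t w = d->width & ~3u, h = d->height & ~3u;   /* LoadRGB masks to multiples of 4 */
    if (w == 0 || h == 0) return 0;                   /* allocation would fail instead */
    size_t pitch = calc_pitch(w, coerce_bpp(d->rgb_bitcount));
    size_t line  = calc_line(w, d->rgb_bitcount);
    size_t area  = pitch * h;
    size_t end   = pitch * (h - 1) + line;            /* first read targets scanline h-1 */
    return end > area ? end - area : 0;
}

/* Checked loader: validate the header before sizing anything, then bound each
 * copy by the pixel area and by what the file still holds. Accepted depths
 * (16/24/32 for an uncompressed RGB surface) are an assumption of this
 * example. Returns a bottom-up bitmap (file row 0 on scanline h-1) or NULL. */
static uint8_t *load_rgb_checked(const dds_desc_t *d, mem_io_t *io, size_t *out_pitch) {
    unsigned bpp = d->rgb_bitcount;
    if (bpp != 16 && bpp != 24 && bpp != 32) return NULL;
    size_t w = d->width & ~3u, h = d->height & ~3u;
    if (w == 0 || h == 0 || w > 0x10000 || h > 0x10000) return NULL;
    size_t pitch = calc_pitch(w, bpp), line = calc_line(w, bpp);
    if (line > pitch) return NULL;                    /* geometry must agree before any read */
    if (line * h > io->len - io->pos) return NULL;    /* truncated file: refuse, do not guess */
    uint8_t *bits = calloc(h, pitch);
    if (!bits) return NULL;
    for (size_t i = 0; i < h; i++) {
        uint8_t *row = bits + pitch * (h - 1 - i);
        if (mem_read(io, row, line) != line) { free(bits); return NULL; }
    }
    *out_pitch = pitch;
    return bits;
}

/* Constructed header: 8x4 surface with a bit count no bitmap type supports. */
static size_t demo_overshoot_bytes(void) {
    dds_desc_t bad = { 8, 4, 91 };
    return rgb_overshoot_unchecked(&bad);
}

/* Constructed 4x4 24-bpp surface (48 bytes, byte i == i): returns 1 when the
 * checked loader rejects the bad header, loads the good one with pitch 12
 * and the file's first row on the top scanline, and rejects a truncated copy. */
static int demo_checked_load_ok(void) {
    uint8_t px[48];
    for (int i = 0; i < 48; i++) px[i] = (uint8_t)i;
    dds_desc_t bad = { 8, 4, 91 }, good = { 4, 4, 24 };
    size_t pitch = 0;
    mem_io_t io_bad = { px, sizeof px, 0 };
    if (load_rgb_checked(&bad, &io_bad, &pitch) != NULL) return 0;
    mem_io_t io_good = { px, sizeof px, 0 };
    uint8_t *bits = load_rgb_checked(&good, &io_good, &pitch);
    if (bits == NULL || pitch != 12 || bits[pitch * 3] != 0 || bits[0] != 36) { free(bits); return 0; }
    free(bits);
    mem_io_t io_short = { px, 47, 0 };
    return load_rgb_checked(&good, &io_short, &pitch) == NULL;
}

int main(void) {
    printf("unchecked plan overruns the pixel area by %zu bytes\n", demo_overshoot_bytes());
    printf("checked loader behaves as expected: %d\n", demo_checked_load_ok());
    return 0;
}
```

With the constructed 8x4 header and bit count 91, the unchecked plan computes a 91-byte row for an 8-byte-pitch bitmap, the same row length as the fread in the trace; the checked loader refuses the header before allocating anything. The general rule the example encodes is that the bit depth used to size the bitmap and the bit depth used to size each read must be the same validated value, and the loader must not rely on the allocator to reject depths it does not understand.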