Menu

#300 heap-buffer-overflow in function C_IStream::read of PluginEXR.cpp

None
pending
Hervé Drolon
None
5
2021-04-04
2019-12-04
galycannon
No

There is a heap-buffer-overflow in function C_IStream::read of PluginEXR.cpp whick may cause a code execution or denial of service. Version of Freeimage is 3180. This vulneribility can be reproduced with the attachment image file.
Asan log as below:

==2194==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3b06d00 at pc 0x08087ebd bp 0xffe389d8 sp 0xffe385b0
WRITE of size 329845 at 0xf3b06d00 thread T0
    #0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc)
    #1 0x883a341 in _ReadProc(void*, unsigned int, unsigned int, void*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19
    #2 0x816a96f in C_IStream::read(char*, int) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:66:26
    #3 0x851cd1f in Imf_2_2::(anonymous namespace)::readPixelData(Imf_2_2::InputStreamMutex*, Imf_2_2::ScanLineInputFile::Data*, int, char*&, int&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:440:25
    #4 0x8519bd7 in Imf_2_2::(anonymous namespace)::newLineBufferTask(IlmThread_2_2::TaskGroup*, Imf_2_2::InputStreamMutex*, Imf_2_2::ScanLineInputFile::Data*, int, int, int, Imf_2_2::OptimizationMode) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1033:14
    #5 0x8519bd7 in Imf_2_2::ScanLineInputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1612:44
    #6 0x849dba8 in Imf_2_2::InputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:815:23
    #7 0x81638a2 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:428:9
    #8 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #9 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #10 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #11 0xf71fefb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/../csu/libc-start.c:308:16
    #12 0x806f8f5 in _start (/home/FreeImage/test+0x806f8f5)

0xf3b06d00 is located 0 bytes to the right of 6144-byte region [0xf3b05500,0xf3b06d00)
allocated by thread T0 here:
    #0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675)
    #1 0x8510c1f in Imf_2_2::EXRAllocAligned(unsigned int, unsigned int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfSystemSpecific.h:139:12
    #2 0x8510c1f in Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1132:58
    #3 0x8511e19 in Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1190:5
    #4 0x8496904 in Imf_2_2::InputFile::initialize() /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:553:32
    #5 0x8498d15 in Imf_2_2::InputFile::InputFile(Imf_2_2::IStream&, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:450:13
    #6 0x8161d1f in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:193:18
    #7 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #8 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #9 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #10 0xf71fefb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/FreeImage/test+0x8087ebc) in fread
Shadow bytes around the buggy address:
  0x3e760d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e760da0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2194==ABORTING
1 Attachments
heap_buffer_overflow.exr

Discussion

  • Mihail Naydenov

    Mihail Naydenov - 2021-01-28

    As of Jan 2021 I can't reproduce using MSVC ASAN.
    OpenEXR reports an image read error.

     

  • Hervé Drolon

    Hervé Drolon - 2021-04-04
    • status: open --> pending
    • assigned_to: Hervé Drolon
    • Group: -->
     

  • Hervé Drolon

    Hervé Drolon - 2021-04-04

    fixed in the SVN version

     

Log in to post a comment.

MongoDB Logo MongoDB