#18 heap-buffer-overflow icns2png.c:359 ExtractAndDescribeIconFamilyFile

fixed
security (1)
9
2017-09-06
2017-08-22
Henri Salo
No

Credit: Henri Salo from Nixu Corporation
Fuzzer: afl 2.49b + afl-utils

/home/hsalo/builds/libicns/0.8.1/bin/icns2png -x -s 16 -o /dev/null ~/icns2png-heap-buffer-overflow-ExtractAndDescribeIconFamilyFile.icns
=================================================================
==7580==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000eff6 at pc 0x409e1d bp 0x7ffc9e0703b0 sp 0x7ffc9e0703a8
WRITE of size 1 at 0x60600000eff6 thread T0
    #0 0x409e1c in ExtractAndDescribeIconFamilyFile /home/hsalo/src/libicns-0.8.1/icnsutils/icns2png.c:359
    #1 0x4026df in main /home/hsalo/src/libicns-0.8.1/icnsutils/icns2png.c:263
    #2 0x7ff52e25db44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #3 0x402b5c (/home/hsalo/builds/libicns/0.8.1/bin/icns2png+0x402b5c)

0x60600000eff6 is located 0 bytes to the right of 54-byte region [0x60600000efc0,0x60600000eff6)
allocated by thread T0 here:
    #0 0x7ff52eabc73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x408535 in ExtractAndDescribeIconFamilyFile /home/hsalo/src/libicns-0.8.1/icnsutils/icns2png.c:330
    #2 0x43d2f9 (/home/hsalo/builds/libicns/0.8.1/bin/icns2png+0x43d2f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/libicns-0.8.1/icnsutils/icns2png.c:359 ExtractAndDescribeIconFamilyFile
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00[06]fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==7580==ABORTING
1 Attachments

Discussion

  • Henri Salo

    Henri Salo - 2017-08-22

    Backtrace with the latest Git code:

    /home/hsalo/builds/icns/2017-08-22/bin/icns2png -x -s 16 -o /dev/null ~/icns2png-heap-buffer-overflow-ExtractAndDescribeIconFamilyFile.icns
    ----------------------------------------------------
    Reading icns family from /home/hsalo/icns2png-heap-buffer-overflow-ExtractAndDescribeIconFamilyFile.icns...
     Extracting icons from /icns2png-heap-buffer-overflow-ExtractAndDescribeIconFamilyFile.icns...
    =================================================================
    ==15585==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000e084 at pc 0x4291d1 bp 0x7ffc7860c680 sp 0x7ffc7860c678
    READ of size 1 at 0x61900000e084 thread T0
        #0 0x4291d0 in icns_decode_rle24_data /home/hsalo/src/icns-code/src/icns_rle24.c:132
        #1 0x40d942 in icns_get_image_from_element /home/hsalo/src/icns-code/src/icns_image.c:472
        #2 0x410a5f in icns_get_image32_with_mask_from_family /home/hsalo/src/icns-code/src/icns_image.c:94
        #3 0x405413 in ExtractAndDescribeIconFamily /home/hsalo/src/icns-code/icnsutils/icns2png.c:667
        #4 0x408a84 in ExtractAndDescribeIconFamilyFile /home/hsalo/src/icns-code/icnsutils/icns2png.c:445
        #5 0x4027cf in main /home/hsalo/src/icns-code/icnsutils/icns2png.c:264
        #6 0x7fc8b60c3b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
        #7 0x402c0c (/home/hsalo/builds/icns/2017-08-22/bin/icns2png+0x402c0c)
    
    0x61900000e084 is located 0 bytes to the right of 1028-byte region [0x61900000dc80,0x61900000e084)
    allocated by thread T0 here:
        #0 0x7fc8b692273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
        #1 0x430f08 in icns_get_element_from_family /home/hsalo/src/icns-code/src/icns_element.c:117
        #2 0x7ffc7860ccaf ([stack]+0x1ecaf)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/icns-code/src/icns_rle24.c:132 icns_decode_rle24_data
    Shadow bytes around the buggy address:
      0x0c327fff9bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff9c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff9c10:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Contiguous container OOB:fc
      ASan internal:           fe
    ==15585==ABORTING
    
     
  • Paul Wise

    Paul Wise - 2017-09-06
    • status: open --> fixed
    • assigned_to: Paul Wise
    • private: Yes --> No
     
  • Paul Wise

    Paul Wise - 2017-09-06

    Fixed in git. I don't think this is security sensitive because the next round of the loop will detect the out of range offset and exit the loop. The only consequence would be reading one extra byte beyond the end of the RLE buffer and writing that to the output image.

     
  • Paul Wise

    Paul Wise - 2017-09-06

    The fix is in commit bdba9df

    If you could do more fuzzing, that would be appreciated.

     
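The failure mode Paul Wise describes is a classic one in run-length decoders: the run byte is read at the last valid offset and the value byte that should follow it is fetched before anyone checks that it exists. The decoder below is an added example, not libicns code; it assumes a PackBits-style RLE24 run encoding (run byte n < 0x80 copies n+1 literal bytes, n >= 0x80 repeats the next byte n-0x80+3 times) and guards every input read, so a stream truncated right after a repeat-run byte is rejected instead of read past.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds-checked decoder for one channel of a PackBits-style RLE24 stream,
 * modelled on the icns scheme: run byte n < 0x80 copies n+1 literal bytes,
 * n >= 0x80 repeats the next byte n-0x80+3 times (format details assumed;
 * this is not libicns code).  Every read of `in` is checked before it
 * happens, so a run byte at the very end of the buffer cannot cause the
 * one-byte over-read described in the ticket.  Returns pixels written, or
 * -1 if truncated.  `stride` 4 would target an interleaved RGBA buffer. */
long rle24_decode_channel(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_len, size_t stride)
{
    size_t ip = 0, op = 0;
    long pixels = 0;
    while (ip < in_len && op < out_len) {
        uint8_t run = in[ip++];
        if (run < 0x80) {                               /* literal run */
            size_t count = (size_t)run + 1;
            if (count > in_len - ip)
                return -1;                              /* run extends past the input */
            for (size_t i = 0; i < count && op < out_len; i++, op += stride, pixels++)
                out[op] = in[ip++];
        } else {                                        /* repeat run */
            size_t count = (size_t)run - 0x80 + 3;
            if (ip >= in_len)
                return -1;                              /* no value byte left to read */
            uint8_t value = in[ip++];
            for (size_t i = 0; i < count && op < out_len; i++, op += stride, pixels++)
                out[op] = value;
        }
    }
    return pixels;
}

/* Constructed samples: a well-formed stream (3 literals, then 0xAA x3) and the
 * same stream cut one byte short, right after its repeat-run byte, the shape
 * behind the over-read.  Returns 1 if the first yields 6 pixels and the second -1. */
int demo_ok(void)
{
    static const uint8_t good[] = {0x02, 0x10, 0x20, 0x30, 0x80, 0xAA};
    static const uint8_t want[] = {0x10, 0x20, 0x30, 0xAA, 0xAA, 0xAA};
    uint8_t out[6] = {0};
    long n = rle24_decode_channel(good, sizeof good, out, sizeof out, 1);
    if (n != 6 || memcmp(out, want, sizeof want) != 0)
        return 0;
    return rle24_decode_channel(good, sizeof good - 1, out, sizeof out, 1) == -1;
}
```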
