
crashes from fuzzing

2018-07-23
2020-05-22
  • John Cupitt

    John Cupitt - 2018-07-23

    Hello, thanks for libmatio! libvips has been using it for Matlab image import for a long time now.

    People have been fuzzing libvips quite a bit recently, and they've triggered some crashes in libmatio. The crashing images plus the stack traces are here:

    https://github.com/ntu-sec/pocs/tree/master/libvips-0077017a/crashes

    With hbo_matlab.c_119_1.mat in valgrind, for example, I see:

    #8  0x0000000004fe567d in read_new (
        filename=0x1922b580 "hbo_matlab.c_119_1.mat", out=0x1922bbf0)
        at matlab.c:119
    119         if( !(read->var = Mat_VarReadNextInfo( read->mat )) ) {
    (gdb) bt
    #0  0x0000000005a7de97 in __GI_raise (sig=sig@entry=6)
        at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x0000000005a7f801 in __GI_abort () at abort.c:79
    #2  0x0000000005ac8897 in __libc_message (action=action@entry=(do_abort | do_backtrace), fmt=fmt@entry=0x5bf5988 "*** %s ***: %s terminated\n")
        at ../sysdeps/posix/libc_fatal.c:181
    #3  0x0000000005b73cff in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true, msg=msg@entry=0x5bf5905 "buffer overflow detected")
        at fortify_fail.c:33
    #4  0x0000000005b73d21 in __GI___fortify_fail (msg=msg@entry=0x5bf5905 "buffer overflow detected") at fortify_fail.c:44
    #5  0x0000000005b71a10 in __GI___chk_fail () at chk_fail.c:28
    #6  0x0000000005b7215d in __fread_chk (ptr=<optimised out>, ptrlen=<optimised out>, size=4, n=134217730, stream=0x1922db00) at fread_chk.c:39
    #7  0x0000000009d77c06 in  () at /usr/lib/x86_64-linux-gnu/libmatio.so.4
    #8  0x0000000004fe567d in read_new (filename=0x1922b580 "hbo_matlab.c_119_1.mat", out=0x1922bbf0) at matlab.c:119

    with hbo_matlab.c_285_1.mat I see:

    (gdb) bt
    #0  0x0000000009d71c2f in  () at /usr/lib/x86_64-linux-gnu/libmatio.so.4
    #1  0x0000000009d7210c in  () at /usr/lib/x86_64-linux-gnu/libmatio.so.4
    #2  0x0000000009d7c943 in Mat_VarReadDataAll ()

    The original libvips issue is here:

    https://github.com/jcupitt/libvips/issues/1039

  • tbeu

    tbeu - 2018-08-12

    Matio is not robust w.r.t. crafted MAT-files. I got some reports earlier this year (see e.g., https://github.com/tbeu/matio/issues/81) and could quickly generate hundreds of crafted files that will fail in matio. Analysing them is usually not the problem, but it is not trivial to fix them, since e.g., you actually need to question each integer addition/multiplication for overflow if operands are read from file.

    Nevertheless, I hopefully fixed the ones you reported by 7779068 and 75a637e. Please confirm.


    Last edit: tbeu 2018-10-23
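The point made above, that every size computed from file-supplied operands has to be checked before it is used, as an added example in C (not matio's code; the header layout, function names and return codes are hypothetical): rows, cols and element size are all taken from the file, so the product is checked for size_t wrap-around and against the bytes actually remaining in the file before any malloc or fread, and a count like the n=134217730 in the trace above is rejected instead of overrunning a buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Return codes of this hypothetical checked reader (not matio's API). */
enum { RD_OK = 0, RD_BAD_SIZE = -1, RD_OVERFLOW = -2, RD_TRUNCATED = -3, RD_IO = -4 };

/* Bytes needed for an array: product of all dims times elem_size, every operand read from
 * the file. Rejects a zero size, any product that wraps size_t, and a total larger than
 * the bytes left in the file; only a value that passes is used for malloc and fread. */
int checked_data_size(const uint32_t *dims, size_t rank, uint32_t elem_size, long remaining, size_t *total)
{
    size_t i, t = elem_size;
    if (elem_size == 0 || rank == 0) return RD_BAD_SIZE;
    for (i = 0; i < rank; i++)
        if (__builtin_mul_overflow(t, (size_t)dims[i], &t)) return RD_OVERFLOW;
    if (remaining < 0 || t > (size_t)remaining) return RD_TRUNCATED;
    *total = t;
    return RD_OK;
}

/* Read one 2-D element: a header of three host-order uint32 (rows, cols, element size),
 * then rows*cols*size data bytes, validated against the file length before allocating. */
int read_element(FILE *fp, void **data, size_t *total)
{
    uint32_t hdr[3]; long pos, end;
    if (fread(hdr, sizeof hdr, 1, fp) != 1) return RD_IO;
    if ((pos = ftell(fp)) < 0 || fseek(fp, 0, SEEK_END) != 0) return RD_IO;
    if ((end = ftell(fp)) < 0 || fseek(fp, pos, SEEK_SET) != 0) return RD_IO;
    int rc = checked_data_size(hdr, 2, hdr[2], end - pos, total);
    if (rc != RD_OK) return rc;
    if ((*data = malloc(*total ? *total : 1)) == NULL) return RD_IO;
    if (fread(*data, 1, *total, fp) == *total) return RD_OK;
    free(*data); *data = NULL;
    return RD_IO;
}

/* Constructed input: the header plus payload_len bytes of payload in a temp file, then parse it. */
int demo(uint32_t rows, uint32_t cols, uint32_t size, size_t payload_len)
{
    FILE *fp = tmpfile();
    uint32_t hdr[3] = { rows, cols, size };
    void *data = NULL; size_t total = 0, i; int rc;
    if (fp == NULL) return RD_IO;
    fwrite(hdr, sizeof hdr, 1, fp);
    for (i = 0; i < payload_len; i++) fputc('A', fp);
    rewind(fp);
    rc = read_element(fp, &data, &total);
    free(data); fclose(fp); return rc;
}
```

demo(134217730, 1, 4, 16) reproduces the shape of the crashing input (a 4-byte element count of 134217730 in a file holding only 16 payload bytes) and returns RD_TRUNCATED instead of reading past the buffer.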
  • John Cupitt

    John Cupitt - 2020-05-22

    Sorry, I missed the please confirm. Yes, your fixes work for me, thank you very much!

