Menu

#421 Heap-buffer overflow in DCRaw::unpacked_load_raw()

UFRaw_development_branch
open
nobody
None
5
2018-02-19
2018-02-19
Jaeseung Choi
No

Hi, I would like to report a heap-based buffer overflow bug in ufraw-batch 0.22.

Running 'ufraw-batch --overwrite poc' with the attached file raises buffer overflow in DCRaw::unpacked_load_raw(), and the program crashes.

Below is the AddressSanitizer log.

Thank you,
Jason

jason@ubuntu:~/ufraw$ ./ufraw-batch-sanitize --overwrite poc

==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbbd8d907f4 at pc 0x000000603126 bp 0x7ffe4959f620 sp 0x7ffe4959f618
READ of size 2 at 0x7fbbd8d907f4 thread T0
    #0 0x603125 in DCRaw::unpacked_load_raw() /home/jason/ufraw/ufraw-0.22-sanitize/dcraw.cc:1972:25
    #1 0x59199c in dcraw_load_raw /home/jason/ufraw/ufraw-0.22-sanitize/dcraw_api.cc:249:9
    #2 0x4f8c15 in ufraw_load_raw /home/jason/ufraw/ufraw-0.22-sanitize/ufraw_ufraw.c:666:19
    #3 0x4f4a5f in main /home/jason/ufraw/ufraw-0.22-sanitize/ufraw-batch.c:85:13
    #4 0x7fbbd609f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41fb28 in _start (/home/jason/ufraw/ufraw-batch-sanitize+0x41fb28)

0x7fbbd8d907f4 is located 0 bytes to the right of 655348-byte region [0x7fbbd8cf0800,0x7fbbd8d907f4)
allocated by thread T0 here:
    #0 0x4bfc58 in __interceptor_malloc (/home/jason/ufraw/ufraw-batch-sanitize+0x4bfc58)
    #1 0x7fbbd82ee718 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f718)
    #2 0x4f8c15 in ufraw_load_raw /home/jason/ufraw/ufraw-0.22-sanitize/ufraw_ufraw.c:666:19
    #3 0x4f4a5f in main /home/jason/ufraw/ufraw-0.22-sanitize/ufraw-batch.c:85:13
    #4 0x7fbbd609f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jason/ufraw/ufraw-0.22-sanitize/dcraw.cc:1972:25 in DCRaw::unpacked_load_raw()
Shadow bytes around the buggy address:
  0x0ff7fb1aa0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff7fb1aa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff7fb1aa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff7fb1aa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff7fb1aa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff7fb1aa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa
  0x0ff7fb1aa100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7fb1aa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7fb1aa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7fb1aa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff7fb1aa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12345==ABORTING
1 Attachments
poc

Discussion

Log in to post a comment.

MongoDB Logo MongoDB