heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:494:20
ConcoctionSec opened this issue · 1 comments
ConcoctionSec commented
Version
Environment
Ubuntu 18.04,64 bit
Testcase
#include <stdio.h>
#include <stdlib.h>
#include "ok_png.c"
#include "ok_png.h"
int main(int _argc, char **_argv) {
FILE *file = fopen(_argv[1], "rb");
ok_png image = ok_png_read(file, OK_PNG_COLOR_FORMAT_RGBA );
fclose(file);
if (image.data) {
printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
free(image.data);
}
return 0;
}Command
Compile test program:
$ gcc -g -o main main.c ok_png.h
Compile test program with address sanitizer with this command:
$ gcc -g -fsanitize=address -o asanpng main.c ok_png.h
Result
The result of running without ASAN:
$ ./asanpng heap-buffer-overflow-7.png
Segmentation fault (core dumped)
Information obtained by using ASAN:
$ ./asanpng heap-buffer-overflow-7.png
=================================================================
==1998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x0000004e3d62 bp 0x7ffe6e5d0b90 sp 0x7ffe6e5d0b88
WRITE of size 1 at 0x621000002500 thread T0
#0 0x4e3d61 in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:494:20
#1 0x4e3d61 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
#2 0x4e3d61 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
#3 0x4e3d61 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
#4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
#5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
#6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
#7 0x7f5e82a180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)
0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
#0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
#1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
#2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
#3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
#4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
#5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
#6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
#7 0x7f5e82a180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:494:20 in ok_png_transform_scanline
Shadow bytes around the buggy address:
0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1998==ABORTING
Description
A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_png_transform_scanline() at ok_png.c:494:20
Poc
Poc file is this.