stack-buffer-overflow in pik::HuffmanDecodingData::ReadFromBitStream
gy741 opened this issue · 2 comments
gy741 commented
Hi.
I found a stack-buffer-overflow bug in pik.
Please confirm.
Thanks.
Summary: stack-buffer-overflow
Browser/OS: Ubuntu 17.04 64bit
Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with ASan.
3. Execute the following command: ./dpik $PoC /dev/null
PoC download: PoC
=================================================================
==30122==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc74c2fb20 at pc 0x0000005d3f0e bp 0x7ffc74c2f1b0 sp 0x7ffc74c2f1a8
READ of size 4 at 0x7ffc74c2fb20 thread T0
#0 0x5d3f0d in pik::BitReader::FillBitBuffer() /root/gwanyeong/pik/./bit_reader.h:46:39
#1 0x5d3f0d in pik::BitReader::ReadBits(int) /root/gwanyeong/pik/./bit_reader.h:68
#2 0x5d3f0d in pik::HuffmanDecodingData::ReadFromBitStream(pik::BitReader*) /root/gwanyeong/pik/huffman_decode.cc:269
#3 0x660cce in pik::DecodePlane(unsigned char const*, unsigned long, int, int, pik::Image<int>*) /root/gwanyeong/pik/opsin_codec.cc:992:8
#4 0x6a0578 in pik::Quantizer::Decode(unsigned char const*, unsigned long) /root/gwanyeong/pik/quantizer.cc:141:10
#5 0x581212 in pik::CompressedImage::DecodeQuantization(unsigned char const*, unsigned long) /root/gwanyeong/pik/compressed_image.cc:380:21
#6 0x581212 in pik::CompressedImage::Decode(int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, pik::PikInfo*) /root/gwanyeong/pik/compressed_image.cc:393
#7 0x5afa67 in pik::PikToPixels(pik::DecompressParams const&, std::vector<unsigned char, std::allocator<unsigned char> > const&, pik::Image3<unsigned char>*, pik::PikInfo*) /root/gwanyeong/pik/pik.cc:543:29
#8 0x50f124 in pik::(anonymous namespace)::Decompress(char const*, char const*) /root/gwanyeong/pik/dpik.cc:58:7
#9 0x50f124 in main /root/gwanyeong/pik/dpik.cc:80
#10 0x7fabb4e083f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
#11 0x41b759 in _start (/root/gwanyeong/pik/bin/dpik+0x41b759)
Address 0x7ffc74c2fb20 is located in stack of thread T0 at offset 160 in frame
#0 0x5af4df in pik::PikToPixels(pik::DecompressParams const&, std::vector<unsigned char, std::allocator<unsigned char> > const&, pik::Image3<unsigned char>*, pik::PikInfo*) /root/gwanyeong/pik/pik.cc:525
This frame has 4 object(s):
[32, 48) 'header'
[64, 96) 'source'
[128, 160) 'encoded_img' <== Memory access at offset 160 overflows this variable
[192, 744) 'img'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/gwanyeong/pik/./bit_reader.h:46:39 in pik::BitReader::FillBitBuffer()
Shadow bytes around the buggy address:
==30122==ABORTING
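The trace shows a 4-byte READ in FillBitBuffer() landing just past the end of encoded_img, i.e. a bit-buffer refill that does not check how much input remains. As an added example (constructed here, not pik's code, and assuming that unchecked refill is the cause), this is a bit reader whose refill stops at the end of its input and reports a truncated stream instead of reading beyond the buffer:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Bit reader whose refill never loads past the end of its input (constructed
// example; not pik's BitReader). Bytes enter a 64-bit buffer least-significant
// bit first, one byte at a time, so a short tail is handled without the
// fixed-width 4-byte load that ASan flagged above.
class CheckedBitReader {
 public:
  CheckedBitReader(const uint8_t* data, size_t size)
      : data_(data), size_(size) {}
  // Returns false and consumes nothing when fewer than `n` bits remain.
  bool ReadBits(int n, uint32_t* out) {
    if (n < 1 || n > 32) return false;
    FillBitBuffer();
    if (n > bits_in_buf_) { overread_ = true; return false; }
    *out = static_cast<uint32_t>(buf_ & ((uint64_t{1} << n) - 1));
    buf_ >>= n;
    bits_in_buf_ -= n;
    return true;
  }
  bool overread() const { return overread_; }   // a truncated stream was seen
  size_t bytes_consumed() const { return pos_; }

 private:
  void FillBitBuffer() {
    // Stop at end of input; never assume 4 more bytes are readable.
    while (bits_in_buf_ <= 56 && pos_ < size_) {
      buf_ |= uint64_t{data_[pos_++]} << bits_in_buf_;
      bits_in_buf_ += 8;
    }
  }
  const uint8_t* data_;
  size_t size_;
  size_t pos_ = 0;
  uint64_t buf_ = 0;
  int bits_in_buf_ = 0;
  bool overread_ = false;
};

// Pulls 5-bit symbols until the reader reports exhaustion; returns the count.
// A 3-byte input yields 4 symbols (20 bits); the 5th request (25 bits) fails.
int CountSymbols(const std::vector<uint8_t>& input, bool* overread) {
  CheckedBitReader r(input.data(), input.size());
  uint32_t sym = 0;
  int count = 0;
  while (r.ReadBits(5, &sym)) ++count;
  *overread = r.overread();
  return count;
}
```

A decoder built on this reader can treat `overread()` as a hard decode error rather than continuing on whatever bytes happen to follow the input on the stack.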
jan-wassenberg commented
Also confirmed, thanks!
szabadka commented
This is fixed in the latest version.