heap buffer overflow in stbi__tga_load
tianxiaogu opened this issue · 0 comments
tianxiaogu commented
Download and unzip the attached file.
57.zip
=================================================================
==24325==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x0000004e4ba2 bp 0x7fff46def830 sp 0x7fff46deefe0
READ of size 4 at 0x6020000000f1 thread T0
#0 0x4e4ba1 in __asan_memcpy /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
#1 0x5b0505 in stbi__tga_load /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:5069:31
#2 0x5b0505 in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:975
#3 0x556121 in stbi__xload_main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:72:26
#4 0x5bea05 in stbi_xload /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:92:18
#5 0x5bea05 in img_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:188
#6 0x52836c in main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/catimg.c:115:9
#7 0x7f8713ceab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x41bbe9 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/catimg/bin/catimg+0x41bbe9)
0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
#0 0x4e5f17 in malloc /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
#1 0x5aeb0f in stbi__malloc /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:900:12
#2 0x5aeb0f in stbi__tga_load /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:5021
#3 0x5aeb0f in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:975
#4 0x556121 in stbi__xload_main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:72:26
#5 0x5bea05 in stbi_xload /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:92:18
#6 0x5bea05 in img_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:188
#7 0x52836c in main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/catimg.c:115:9
#8 0x7f8713ceab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
=>0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fd fa fa[01]fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==24325==ABORTING