Closed Helson-S closed 4 months ago
Hey, thanks, this is interesting! If you have any suggested fixes or want to make a PR please let me know! Otherwise, cute_png isn't intended to be a secure way to load png files and should only be run on files you trust a priori. Feel free to re-open this issue if needed :)
Summary
Hi, I did some fuzz testing and found some bugs/vulnerabilities in cute_png v1.05. I hope these findings will help improve software quality.
None of the bugs/vulnerabilities triggers an assertion before the bug/vulnerability occurs. Only one bug/vulnerability triggers an assertion, after the stack overflow. This means that these bugs/vulnerabilities are unexpected behaviors of the program. A sheet for it is shown below.
See also https://github.com/Helson-S/FuzzyTesting/tree/master/cute_headers/cute_png
heapof-r1-cp_load_png_mem-cute_png-1104c14
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_load_png_mem() at line 1104 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r1-cp_load_png_mem-cute_png-1105c15
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_load_png_mem() at line 1105 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r1-cp_load_png_mem-cute_png-1132c14
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_load_png_mem() at line 1132 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r1-cp_make32-cute_png-948c10
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_make32() at line 948 of cute_png.h v1.05. Function cp_make32() is called by cp_find().
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r1-cp_unfilter-cute_png-1017c11
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_unfilter() at line 1017 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r1-cp_unfilter-cute_png-1019c11
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_unfilter() at line 1019 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r4-cp_chunk-cute_png-956c7
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_chunk() at line 956 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r4-cp_find-cute_png-979c8
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_find() at line 979 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r8-cp_load_png_mem-cute_png-1099c2
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_load_png_mem() at line 1099 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heapof-r65280-cp_stored-cute_png-543c2
Description
Heap-buffer-overflow bug/vulnerability caused by a read access, found in function cp_stored() at line 543 of cute_png.h v1.05. In addition, sample10.png, provided as the attack vector, causes a double-free heap memory corruption in function cp_load_png_mem() at line 1194 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heap-buffer-overflow
double-free heap memory corruption
heapof-w1-cp_block-cute_png-623c12
Description
Heap-buffer-overflow and segmentation fault bug/vulnerability caused by a write access, found in function cp_block() at line 623 of cute_png.h v1.05. In addition, sample11.png, provided as the attack vector, causes a double-free heap memory corruption in function cp_load_png() at line 1216 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Coredump file for the segmentation fault bug/vulnerability is provided in the heapof-w1-cp_block-cute_png-623c12/coredump directory.
Screen-shot
heap-buffer-overflow
segmentation fault
double-free heap memory corruption
heapof-w16-cp_block-cute_png-644c37
Description
Heap-buffer-overflow bug/vulnerability caused by a write access, found in function cp_block() at line 644 of cute_png.h v1.05. In addition, sample12.png, provided as the attack vector, causes an unmap-invalid-pointer memory corruption in function cp_load_png_mem() at line 1189 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
heap-buffer-overflow
unmap invalid pointer
heapof-w98-cp_block-5c0-cute_png-642c5
Description
Heap-buffer-overflow bug/vulnerability caused by a write access, found in function cp_block() at line 642 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
segv-none-cp_make32-cute_png-948c10
Description
Segmentation fault bug/vulnerability caused by a read access, found in function cp_make32() at line 948 of cute_png.h v1.05. Function cp_make32() is called by cp_chunk().
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
stkof-w1-cp_dynamic-cute_png-601c71
Description
Stack-buffer-overflow bug/vulnerability caused by a write access, found in function cp_dynamic() at line 601 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
stkof-w133-cp_dynamic-cute_png-603
Description
Stack-buffer-overflow bug/vulnerability caused by a write access, found in function cp_dynamic() at line 603 of cute_png.h v1.05. It will lead to control flow hijacking. An exploit demo is available in ./src/exploit_demo.c.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
uaf-none-cp_make32-cute_png-948c10
Description
Heap-use-after-free bug/vulnerability caused by a read access, found in function cp_make32() at line 948 of cute_png.h v1.05.
Affected version: cute_png v1.05
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Run the following command in bash shell:
Screen-shot
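A defensive pre-check for the chunk-parsing findings in this report (cp_chunk(), cp_find(), cp_make32() and cp_load_png_mem() reading past the end of the input buffer), written as an added example; it is neither cute_png's code nor the reporter's. It validates the PNG chunk container against the buffer size before the bytes reach a lenient decoder such as cp_load_png_mem(), using the chunk layout from the PNG specification; PNG_MAX_PIXELS is a policy value chosen for the example, and the inflate-side findings (cp_stored(), cp_block(), cp_dynamic()) are not covered by this check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PNG_MAX_PIXELS 67108864ULL /* policy cap chosen for this example */
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
static uint32_t be32(const uint8_t *p) { /* caller guarantees 4 bytes */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Walk the chunk container (length, type, data, CRC) and return 1 only if
 * every declared length fits inside the buffer, IHDR comes first with sane
 * dimensions, and IEND terminates the stream. CRCs and the compressed IDAT
 * payload are not checked; the point is to reject a chunk length that would
 * make a lenient decoder read or write past the end of its heap buffer. */
int png_container_ok(const uint8_t *buf, size_t len) {
    size_t off = 8;
    int saw_ihdr = 0;
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return 0;
    for (;;) {
        if (len - off < 12) return 0;                /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        if (clen > 0x7FFFFFFFu) return 0;            /* PNG spec upper bound */
        if ((size_t)clen > len - off - 12) return 0; /* data runs past end */
        const uint8_t *type = buf + off + 4;
        if (!saw_ihdr) {
            if (memcmp(type, "IHDR", 4) != 0 || clen != 13) return 0;
            uint32_t w = be32(buf + off + 8), h = be32(buf + off + 12);
            if (w == 0 || h == 0 || (uint64_t)w * h > PNG_MAX_PIXELS) return 0;
            saw_ihdr = 1;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return 1;
        }
        off += 12 + (size_t)clen;
    }
}
/* Constructed sample: signature, IHDR (1x1, 8-bit RGBA), IEND; CRCs zeroed. */
static const uint8_t SAMPLE_PNG[45] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0};

/* Re-validate the sample after overwriting the IHDR length byte (index 11),
 * which is how an oversized chunk length reaches the decoder. */
int check_sample_with_ihdr_length(uint8_t length_byte) {
    uint8_t copy[45];
    memcpy(copy, SAMPLE_PNG, 45);
    copy[11] = length_byte;
    return png_container_ok(copy, 45);
}
```

Call png_container_ok() on the file bytes and skip cp_load_png_mem() when it returns 0; a truncated file, a chunk whose length exceeds the remaining bytes, or a missing IEND are all rejected before any decoding happens.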