RandyGaul / cute_headers

Collection of cross-platform one-file C/C++ libraries with no dependencies, primarily used for games

Bugs/vulnerabilities found in cute_png v1.05 #381

Closed Helson-S closed 4 months ago

Helson-S commented 4 months ago

Summary

Hi~, I did some fuzz testing and found some bugs/vulnerabilities in cute_png v1.05. I hope these findings will help improve software quality.

None of the bugs/vulnerabilities trigger an assertion before the bug/vulnerability occurs. Only one bug/vulnerability triggers an assertion, and only after the stack overflow. This means that these bugs/vulnerabilities are unexpected behaviors of the program. A summary table is shown below.

See also https://github.com/Helson-S/FuzzyTesting/tree/master/cute_headers/cute_png

| Dictionary Name | Assertion raised during execution | Assertion raised before bug/vulnerability? | Assertion raised after bug/vulnerability? |
|---|---|---|---|
| heapof-r1-cp_load_png_mem-cute_png-1104c14 | No | No | No |
| heapof-r1-cp_load_png_mem-cute_png-1105c15 | No | No | No |
| heapof-r1-cp_load_png_mem-cute_png-1132c14 | No | No | No |
| heapof-r1-cp_make32-cute_png-948c10 | No | No | No |
| heapof-r1-cp_unfilter-cute_png-1017c11 | No | No | No |
| heapof-r1-cp_unfilter-cute_png-1019c11 | No | No | No |
| heapof-r4-cp_chunk-cute_png-956c7 | No | No | No |
| heapof-r4-cp_find-cute_png-979c8 | No | No | No |
| heapof-r8-cp_load_png_mem-cute_png-1099c2 | No | No | No |
| heapof-r65280-cp_stored-cute_png-543c2 | No | No | No |
| heapof-w1-cp_block-cute_png-623c12 | No | No | No |
| heapof-w16-cp_block-cute_png-644c37 | No | No | No |
| heapof-w98-cp_block-5c0-cute_png-642c5 | No | No | No |
| segv-none-cp_make32-cute_png-948c10 | No | No | No |
| stkof-w1-cp_dynamic-cute_png-601c71 | Yes | No | Yes |
| stkof-w133-cp_dynamic-cute_png-603 | No | No | No (infinite loop or stack smashing detected) |
| uaf-none-cp_make32-cute_png-948c10 | No | No | No |

heapof-r1-cp_load_png_mem-cute_png-1104c14

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_load_png_mem() at line 1104 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527231328315

heapof-r1-cp_load_png_mem-cute_png-1105c15

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_load_png_mem() at line 1105 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527231514578

heapof-r1-cp_load_png_mem-cute_png-1132c14

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_load_png_mem() at line 1132 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527231710771

heapof-r1-cp_make32-cute_png-948c10

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_make32() at line 948 of cute_png.h v1.05. Function cp_make32() is called by cp_find().

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527232015967

heapof-r1-cp_unfilter-cute_png-1017c11

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_unfilter() at line 1017 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527232219252

heapof-r1-cp_unfilter-cute_png-1019c11

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_unfilter() at line 1019 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527232602298

heapof-r4-cp_chunk-cute_png-956c7

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_chunk() at line 956 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527232923330

heapof-r4-cp_find-cute_png-979c8

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_find() at line 979 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527233234147

heapof-r8-cp_load_png_mem-cute_png-1099c2

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_load_png_mem() at line 1099 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527233454933

heapof-r65280-cp_stored-cute_png-543c2

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_stored() at line 543 of cute_png.h v1.05. What's more, sample10.png, provided as the attack vector, causes a double-free heap memory corruption in function cp_load_png_mem() at line 1194 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

heap-buffer-overflow

image-20240527233813133

double-free heap memory corruption

image-20240528234650934 image-20240528234802223

heapof-w1-cp_block-cute_png-623c12

Description

Heap-buffer-overflow and segmentation fault bug/vulnerability caused by write access found in function cp_block() at line 623 of cute_png.h v1.05. What's more, sample11.png, provided as the attack vector, causes a double-free heap memory corruption in function cp_load_png() at line 1216 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

The coredump file for the segmentation fault bug/vulnerability is provided in the heapof-w1-cp_block-cute_png-623c12/coredump directory.

Screen-shot

heap-buffer-overflow

image-20240527234305280

segmentation fault

image-20240529003645039

image-20240529003621619

double-free heap memory corruption

image-20240529004018037

image-20240529004050305

heapof-w16-cp_block-cute_png-644c37

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 644 of cute_png.h v1.05. What's more, sample12.png, provided as the attack vector, causes an unmap invalid pointer memory corruption in function cp_load_png_mem() at line 1189 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

heap-buffer-overflow

image-20240527234608807

unmap invalid pointer

image-20240529153300073

image-20240529153334319

heapof-w98-cp_block-5c0-cute_png-642c5

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 642 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527234842953

segv-none-cp_make32-cute_png-948c10

Description

Segmentation fault bug/vulnerability caused by read access found in function cp_make32() at line 948 of cute_png.h v1.05. Function cp_make32() is called by cp_chunk().

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527235113892

stkof-w1-cp_dynamic-cute_png-601c71

Description

Stack-buffer-overflow bug/vulnerability caused by write access found in function cp_dynamic() at line 601 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240527235936692

stkof-w133-cp_dynamic-cute_png-603

Description

Stack-buffer-overflow bug/vulnerability caused by write access found in function cp_dynamic() at line 603 of cute_png.h v1.05. It will lead to control-flow hijacking. An exploit demo is available in ./src/exploit_demo.c.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
./exploit_demo
```

Screen-shot

image-20240530011956991

image

uaf-none-cp_make32-cute_png-948c10

Description

Heap-use-after-free bug/vulnerability caused by read access found in function cp_make32() at line 948 of cute_png.h v1.05.

Affected version: cute_png v1.05

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Run the following command in bash shell:

```bash
#!/bin/bash
pushd src
make
./poc_demo
```

Screen-shot

image-20240529163306014

RandyGaul commented 4 months ago

Hey thanks, this is interesting! If you have any suggested fixes or want to make a PR please let me know! Otherwise, cute_png isn't intended to be a secure way to load png files and should only be run on files you trust a priori. Feel free to re-open this issue if needed :)
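Several of the reported reads (cp_chunk, cp_find and the cp_make32 they call) are out-of-bounds reads of chunk header fields from a truncated or length-lying file, and the maintainer's reply limits the loader to trusted input. As an added defender-side example that is not cute_png's code, the bounds-checked PNG chunk walker below is the kind of pre-validation one can run over an untrusted buffer before handing it to such a loader; the function names and the embedded sample file are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a big-endian 32-bit field only if 4 bytes remain before `end`.
 * Returns 1 on success, 0 if the read would run past the buffer. */
static int read_be32(const uint8_t *p, const uint8_t *end, uint32_t *out) {
    if (end - p < 4) return 0;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 1;
}

/* Walk the chunk list of an in-memory PNG. Each length/type/CRC read is
 * bounds-checked and the declared chunk length is checked against the bytes
 * actually remaining. Returns chunks seen up to IEND, or -1 if malformed. */
int png_walk_chunks(const uint8_t *buf, size_t len) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    const uint8_t *p = buf, *end = buf + len;
    int count = 0;
    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    p += 8;
    while (p < end) {
        uint32_t clen, ctype, crc;
        if (!read_be32(p, end, &clen)) return -1;       /* length field */
        if (!read_be32(p + 4, end, &ctype)) return -1;  /* type field */
        p += 8;
        /* Compare against the remaining byte count; never form p + clen first. */
        if ((size_t)(end - p) < clen || (size_t)(end - p) - clen < 4) return -1;
        p += clen;
        if (!read_be32(p, end, &crc)) return -1;        /* CRC field */
        p += 4;
        count++;
        if (ctype == 0x49454E44u) return count;         /* "IEND": done */
    }
    return -1; /* data ran out before an IEND chunk */
}

/* Constructed sample: signature, 13-byte IHDR, empty IEND; CRCs are zero placeholders. */
static const uint8_t sample_png[] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0 };

/* Same sample, but the IHDR length field lies (claims 0xFFFFFFF0 bytes of data). */
int walk_with_huge_length(void) {
    uint8_t bad[sizeof sample_png];
    memcpy(bad, sample_png, sizeof bad);
    bad[8] = bad[9] = bad[10] = 0xFF; bad[11] = 0xF0;
    return png_walk_chunks(bad, sizeof bad);
}
```

The walker validates layout only (no CRC or IHDR field checks), so a file that passes it is structurally readable, not necessarily a valid image.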