alco / psdump

Extract layout from Photoshop files into one of several text-based formats.
MIT License

[Bug Report]heap-buffer-overflow in Function psd_get_image_data() #9

Open Asteriska001 opened 2 years ago

Asteriska001 commented 2 years ago

Description

A heap-buffer-overflow was discovered in psdump. The issue is being triggered in function psd_get_image_data().

Version

Version 58dc2fe (Latest)

Environment

Ubuntu 18.04, 64bit

Reproduce

Command

git clone the latest version first.
make && make install
./psdump poc


POC file at the bottom of this report.

With ASAN

Note: You can use ASAN for more direct verification. Compile the program with AddressSanitizer with this command:

obj-files = build/main.o build/Document.o build/Layer.o build/Record.o build/LayerGroup.o build/TextFormatter.o build/XmlFormatter.o build/PlistFormatter.o build/PsdParser.o build/JsonFormatter.o \
build/lodepng.o
libpsd-objects = adjustment.o bevel_emboss.o bitmap.o blend.o boundary.o brightness_contrast.o channel_image.o channel_mixer.o color.o color_balance.o color_mode.o color_overlay.o \
curves.o descriptor.o drop_shadow.o effects.o file_header.o fixed.o gaussian_blur.o gradient_blend.o gradient_fill.o gradient_map.o gradient_overlay.o hue_saturation.o image_data.o \
image_resource.o inner_glow.o inner_shadow.o invert.o layer_mask.o levels.o outer_glow.o path.o pattern.o pattern_fill.o pattern_overlay.o photo_filter.o posterize.o psd.o psd_system.o \
psd_zip.o rect.o satin.o selective_color.o solid_color.o stream.o stroke.o threshold.o thumbnail.o type_tool.o

psdump: build_dir build/libpsd-0.9 $(obj-files)
    g++ -fsanitize=address $(obj-files) $(libpsd-objects) -o build/psdump

build/libpsd-0.9:
    gcc -fsanitize=address -Ilibpsd-0.9/include -c libpsd-0.9/src/*.c
    touch build/libpsd-0.9

build_dir:
    mkdir -p build

build/main.o: src/main.cpp src/Document.h src/formatter/TextFormatter.h src/formatter/XmlFormatter.h src/formatter/JsonFormatter.h src/parser/PsdParser.h
    g++ -fsanitize=address -c -Wno-write-strings -Ilibpsd-0.9/include src/main.cpp -o build/main.o
build/Document.o: src/Document.cpp src/Document.h
    g++ -fsanitize=address -c src/Document.cpp -o build/Document.o
build/Layer.o: src/Layer.cpp src/Layer.h
    g++ -fsanitize=address -c src/Layer.cpp -o build/Layer.o
build/Record.o: src/Record.cpp src/Record.h
    g++ -fsanitize=address -c src/Record.cpp -o build/Record.o
build/LayerGroup.o: src/LayerGroup.cpp src/LayerGroup.h
    g++ -fsanitize=address -c src/LayerGroup.cpp -o build/LayerGroup.o
build/TextFormatter.o: src/formatter/TextFormatter.cpp src/formatter/TextFormatter.h
    g++ -fsanitize=address -c src/formatter/TextFormatter.cpp -o build/TextFormatter.o
build/PlistFormatter.o: src/formatter/PlistFormatter.cpp src/formatter/PlistFormatter.h
    g++ -fsanitize=address -c src/formatter/PlistFormatter.cpp -o build/PlistFormatter.o
build/XmlFormatter.o: src/formatter/XmlFormatter.cpp src/formatter/XmlFormatter.h
    g++ -fsanitize=address -c src/formatter/XmlFormatter.cpp -o build/XmlFormatter.o
build/JsonFormatter.o: src/formatter/JsonFormatter.cpp src/formatter/JsonFormatter.h
    g++ -fsanitize=address -c src/formatter/JsonFormatter.cpp -o build/JsonFormatter.o
build/PsdParser.o: src/parser/PsdParser.cpp src/parser/PsdParser.h
    g++ -fsanitize=address -c -Ilibpsd-0.9/include src/parser/PsdParser.cpp -o build/PsdParser.o

build/lodepng.o: src/lodepng/lodepng.cpp src/lodepng/lodepng.h
    g++ -fsanitize=address -c src/lodepng/lodepng.cpp -o build/lodepng.o

.PHONY: clean tidyup shtest test
test:
    python test/test.py
shtest:
    test/test.sh
tidyup:
    rm -f build/*.o
    rm -f build/libpsd-0.9
    rm -f *.o
clean:
    rm -rf build
    rm -f *.o

ASAN Report

=================================================================
==7449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6320000147a9 at pc 0x5555555f8693 bp 0x7fffffffd7b0 sp 0x7fffffffd7a0
READ of size 1 at 0x6320000147a9 thread T0
#0 0x5555555f8692 in psd_get_image_data (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xa4692)
#1 0x555555616251 in psd_main_loop (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc2251)
#2 0x555555615d81 in psd_image_load_tag (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc1d81)
#3 0x555555615e05 in psd_image_load (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc1e05)
#4 0x5555555678af in PsdParser::parse() (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0x138af)
#5 0x555555563038 in main (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xf038)
#6 0x7ffff6492bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#7 0x555555562729 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xe729)

0x6320000147a9 is located 0 bytes to the right of 81833-byte region [0x632000000800,0x6320000147a9)
allocated by thread T0 here:
#0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x555555616333 in psd_malloc (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc2333)
#2 0x5555555f8386 in psd_get_image_data (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xa4386)
#3 0x555555616251 in psd_main_loop (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc2251)
#4 0x555555615d81 in psd_image_load_tag (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc1d81)
#5 0x555555615e05 in psd_image_load (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc1e05)
#6 0x5555555678af in PsdParser::parse() (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0x138af)
#7 0x555555563038 in main (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xf038)
#8 0x7ffff6492bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xa4692) in psd_get_image_data
Shadow bytes around the buggy address:
0x0c647fffa8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c647fffa8f0: 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa
0x0c647fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7449==ABORTING

POC

For any issue please contact me: admin@hack.best or Twitter: @Asteriska8
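The trace reports a 1-byte read exactly at the end of the 81833-byte buffer allocated inside psd_get_image_data, the symptom a decoder produces when it consumes a length byte or repeat byte without first checking that it still lies inside its input. Added example, not libpsd's code and not a diagnosis of this issue: a PackBits run-length decoder (the RLE scheme PSD uses for image data) that bounds every read and write and returns -1 instead of overrunning; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode PackBits RLE from src into dst. Returns bytes written, or -1 if the
 * stream would need a read past src_len or a write past dst_len. */
long packbits_decode(const uint8_t *src, size_t src_len,
                     uint8_t *dst, size_t dst_len)
{
    size_t in = 0, out = 0;
    while (in < src_len) {
        int8_t n = (int8_t)src[in++];          /* run header */
        if (n >= 0) {                          /* literal run of n+1 bytes */
            size_t count = (size_t)n + 1;
            if (count > src_len - in || count > dst_len - out) return -1;
            memcpy(dst + out, src + in, count);
            in += count; out += count;
        } else if (n != -128) {                /* repeat next byte 1-n times */
            size_t count = (size_t)(1 - n);
            /* the repeat byte itself must still be inside the input */
            if (in >= src_len || count > dst_len - out) return -1;
            memset(dst + out, src[in++], count);
            out += count;
        }                                      /* n == -128: no-op per spec */
    }
    return (long)out;
}

/* Constructed sample inputs (not taken from the PoC file). */
static const uint8_t GOOD[] = {0x02, 'A', 'B', 'C', 0xFE, 'Z'};   /* "ABCZZZ" */
static const uint8_t SHORT_REPEAT[] = {0x02, 'A', 'B', 'C', 0xFE}; /* repeat byte cut off */

long decode_good(void) {
    uint8_t out[16];
    long n = packbits_decode(GOOD, sizeof GOOD, out, sizeof out);
    return (n == 6 && memcmp(out, "ABCZZZ", 6) == 0) ? n : -2;
}
/* Mirrors the report: a 1-byte read right at the end of the input. */
long decode_short_repeat(void) {
    uint8_t out[16];
    return packbits_decode(SHORT_REPEAT, sizeof SHORT_REPEAT, out, sizeof out);
}
/* Destination too small for the decoded output. */
long decode_small_dst(void) {
    uint8_t out[4];
    return packbits_decode(GOOD, sizeof GOOD, out, sizeof out);
}
```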

dmdmdm commented 2 years ago

Hi @Asteriska8 can you suggest a fix?