=================================================================
==7449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6320000147a9 at pc 0x5555555f8693 bp 0x7fffffffd7b0 sp 0x7fffffffd7a0
READ of size 1 at 0x6320000147a9 thread T0
#0 0x5555555f8692 in psd_get_image_data (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xa4692)
#1 0x555555616251 in psd_main_loop (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc2251)
#2 0x555555615d81 in psd_image_load_tag (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc1d81)
#3 0x555555615e05 in psd_image_load (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc1e05)
#4 0x5555555678af in PsdParser::parse() (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0x138af)
#5 0x555555563038 in main (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xf038)
#6 0x7ffff6492bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#7 0x555555562729 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xe729)
0x6320000147a9 is located 0 bytes to the right of 81833-byte region [0x632000000800,0x6320000147a9)
allocated by thread T0 here:
#0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x555555616333 in psd_malloc (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc2333)
#2 0x5555555f8386 in psd_get_image_data (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xa4386)
#3 0x555555616251 in psd_main_loop (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc2251)
#4 0x555555615d81 in psd_image_load_tag (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc1d81)
#5 0x555555615e05 in psd_image_load (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xc1e05)
#6 0x5555555678af in PsdParser::parse() (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0x138af)
#7 0x555555563038 in main (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xf038)
#8 0x7ffff6492bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/nisl1/nisl8121/Asteriska/fuzz/projects/psdump-master/tanuki/asan_bin/psdump+0xa4692) in psd_get_image_data
Shadow bytes around the buggy address:
0x0c647fffa8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c647fffa8f0: 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa
0x0c647fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7449==ABORTING
Description
A heap-buffer-overflow was discovered in psdump. The issue is triggered in the function psd_get_image_data().
Version
Version 58dc2fe (Latest)
Environment
Ubuntu 18.04, 64bit
Reproduce
Command
POC file at the bottom of this report.
With ASAN
Note: You can use ASAN for more direct verification. Compile program with address sanitizer with this command:
ASAN Report
POC
For any issue, please contact me: admin@hack.best or Twitter: @Asteriska8