dbohdan / hicolor

🎨 Convert images to 15/16-bit RGB color with dithering
MIT License

Bugs/vulnerabilities found in hicolor v0.5.0 #5

Open Helson-S opened 2 months ago

Helson-S commented 2 months ago

Summary

Hi~, I did some fuzzy testing and found some bugs/vulnerabilities in hicolor v0.5.0. I hope these findings will help improve software quality.

These bugs/vulnerabilities are mainly caused by the unsafe component cute_png.h v1.05. According to my analysis, because the compilation environment of hicolor is inconsistent with the official compilation environment of cute_png.h v1.05, not all bugs in cute_png.h affect hicolor. The bugs/vulnerabilities listed below can truly affect hicolor v0.5.0.

All of the bugs/vulnerabilities are triggered with no assertion raised. This means that these bugs/vulnerabilities are unexpected behaviors of the program.

hicolor: https://github.com/dbohdan/hicolor

cute_headers: https://github.com/RandyGaul/cute_headers

See also https://github.com/Helson-S/FuzzyTesting/tree/master/hicolor

heapof-r1-cp_unfilter-cute_png-1019c11

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_unfilter() at line 1019 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample6.png ./output.hic && rm -f ./output.hic

Screen-shot

[screenshot]

heapof-r65280-cp_stored-cute_png-543c2

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_stored() at line 543 of vendor/cute_png.h v1.05. What's more, sample10.png provided as attack vector causes double-free heap memory corruption in function cp_load_png_mem() at line 1194 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample10.png ./output.hic && rm -f ./output.hic

Screen-shot

heap-buffer-overflow

[screenshot]

double-free heap memory corruption

[screenshots]

heapof-w1-cp_block-cute_png-623c12

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 623 of vendor/cute_png.h v1.05. What's more, sample11.png provided as attack vector causes double-free heap memory corruption in function cp_load_png() at line 1216 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample11.png ./output.hic && rm -f ./output.hic

Screen-shot

heap-buffer-overflow

[screenshot]

double-free heap memory corruption

[screenshots]

heapof-w1-png_quantize-cli-220c32

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function png_quantize() at line 220 of cli.c v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor quantize -n ./poc/sample18.png ./output.hic && rm -f ./output.hic

Screen-shot

[screenshot]

heapof-w16-cp_block-cute_png-644c37

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 644 of vendor/cute_png.h v1.05. What's more, sample12.png provided as attack vector causes unmap invalid pointer memory corruption in function cp_load_png_mem() at line 1189 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample12.png ./output.hic && rm -f ./output.hic

Screen-shot

heap-buffer-overflow

[screenshot]

unmap invalid pointer

[screenshots]

heapof-w98-cp_block-5c0-cute_png-642c5

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 642 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample13.png ./output.hic && rm -f ./output.hic

Screen-shot

[screenshots]

stkof-w133-cp_dynamic-cute_png-603

Description

Stack-buffer-overflow bug/vulnerability caused by write access found in function cp_dynamic() at line 603 of vendor/cute_png.h v1.05. It will lead to control flow hijacking.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample16.png ./output.hic && rm -f ./output.hic

Screen-shot

[screenshots]
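Added example, not code from hicolor or from cute_png: the reports above share one pattern, a decoder that sizes and fills its working buffers from values read straight out of the file. The C below shows the two checks a caller can put in front of a decoder that is not designed for untrusted input: an IHDR validation that computes the decoded scanline buffer size with overflow and policy checks before anything is allocated, and a bounds-checked copy of a deflate "stored" block, the operation the cp_stored report concerns. PNG_MAX_DIM, the function names, and the two sample byte strings are constructed for this example, and the IHDR CRC is not verified.

```c
/* Added example: defensive pre-checks for untrusted PNG input.
 * Not hicolor or cute_png code; names and limits are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PNG_MAX_DIM 16384u   /* policy limit chosen for this example */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bits per pixel for a valid PNG colour type / bit depth pair, 0 otherwise. */
static unsigned png_bits_per_pixel(uint8_t color_type, uint8_t bit_depth) {
    static const unsigned channels[7] = {1, 0, 3, 1, 2, 0, 4}; /* index = colour type */
    if (color_type > 6 || channels[color_type] == 0) return 0;
    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
        bit_depth != 8 && bit_depth != 16) return 0;
    if (color_type == 3 && bit_depth == 16) return 0;                 /* palette: max 8 bits */
    if (color_type != 0 && color_type != 3 && bit_depth < 8) return 0; /* RGB/alpha: 8 or 16 */
    return channels[color_type] * bit_depth;
}

/* Returns the number of bytes of filtered scanline data the IHDR implies
 * (the buffer an unfilter step writes into), or 0 if the header is malformed,
 * outside the policy limits, or the size computation would overflow.
 * Interlaced images are rejected rather than sized across the seven passes.
 * The IHDR CRC is not verified here. */
size_t png_validate_ihdr(const uint8_t *buf, size_t len) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (len < 8 + 8 + 13 + 4) return 0;                 /* signature + IHDR chunk */
    if (memcmp(buf, sig, 8) != 0) return 0;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return 0;
    const uint8_t *ihdr = buf + 16;
    uint32_t w = be32(ihdr), h = be32(ihdr + 4);
    uint8_t depth = ihdr[8], ctype = ihdr[9];
    uint8_t comp = ihdr[10], filt = ihdr[11], inter = ihdr[12];
    if (w == 0 || h == 0 || w > PNG_MAX_DIM || h > PNG_MAX_DIM) return 0;
    if (comp != 0 || filt != 0 || inter != 0) return 0;
    unsigned bpp = png_bits_per_pixel(ctype, depth);
    if (bpp == 0) return 0;
    /* stride = ceil(w * bpp / 8) + 1 filter byte per row. With the limits above
     * the 64-bit product cannot wrap; the total is still range-checked. */
    uint64_t stride = ((uint64_t)w * bpp + 7) / 8 + 1;
    uint64_t total = stride * h;
    if (total > SIZE_MAX / 2) return 0;
    return (size_t)total;
}

/* Stored (uncompressed) deflate block body: LEN, NLEN (= ~LEN), then LEN bytes.
 * Assumes the stream is already byte-aligned after the 3-bit block header.
 * Every step is checked against both buffers; returns bytes copied or -1. */
long inflate_stored_block(const uint8_t *in, size_t in_len, size_t *in_pos,
                          uint8_t *out, size_t out_cap, size_t *out_pos) {
    if (*in_pos > in_len || in_len - *in_pos < 4) return -1;
    uint16_t len  = (uint16_t)(in[*in_pos]     | (in[*in_pos + 1] << 8));
    uint16_t nlen = (uint16_t)(in[*in_pos + 2] | (in[*in_pos + 3] << 8));
    if ((uint16_t)~len != nlen) return -1;                /* header integrity check */
    *in_pos += 4;
    if (in_len - *in_pos < len) return -1;                /* input must hold LEN bytes */
    if (*out_pos > out_cap || out_cap - *out_pos < len) return -1; /* output must have room */
    memcpy(out + *out_pos, in + *in_pos, len);
    *in_pos += len;
    *out_pos += len;
    return len;
}

/* Constructed sample: signature + IHDR of a 1x1 8-bit RGB image (CRC bytes are dummies). */
const uint8_t sample_png_header[33] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 1,  0, 0, 0, 1,  8, 2, 0, 0, 0,
    0, 0, 0, 0
};
/* Constructed sample: stored block carrying "abc" (LEN = 3, NLEN = 0xFFFC). */
const uint8_t sample_stored_block[7] = {0x03, 0x00, 0xFC, 0xFF, 'a', 'b', 'c'};

/* Runs the stored-block copy into a fresh output buffer of the given capacity. */
long copy_stored(const uint8_t *in, size_t in_len, size_t out_cap) {
    uint8_t out[64];
    size_t in_pos = 0, out_pos = 0;
    if (out_cap > sizeof out) out_cap = sizeof out;
    return inflate_stored_block(in, in_len, &in_pos, out, out_cap, &out_pos);
}

int main(void) {
    printf("IHDR ok, scanline bytes needed: %zu\n",
           png_validate_ihdr(sample_png_header, sizeof sample_png_header));
    printf("stored block, room for 8 bytes: %ld\n", copy_stored(sample_stored_block, 7, 8));
    printf("stored block, room for 2 bytes: %ld\n", copy_stored(sample_stored_block, 7, 2));
    printf("stored block, truncated input:  %ld\n", copy_stored(sample_stored_block, 5, 8));
    return 0;
}
```

The point of the split is that the size check runs once, on the header, before any decoder buffer exists, while the copy check runs on every block against the remaining capacity of both buffers; a decoder that trusts LEN or the IHDR dimensions without these checks is exactly the kind of component the reporter's samples exercise.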

dbohdan commented 2 months ago

Thanks for the report. I will look into the stack overflow in png_quantize. As for cute_png, like https://github.com/RandyGaul/cute_headers/issues/381#issuecomment-2140439440 says, it is not designed for untrusted input. I should note this in the readme. I may eventually address the insecurity of cute_png by replacing it with another library.

An accessibility suggestion: it would be better if your screenshots were code blocks. If you don't want code blocks making your issue too long, hide them inside <details> tags.