Closed hongxuchen closed 6 years ago
Thanks for letting me know. I'll track this in https://github.com/libyal/libpff/issues/64, but this is a different issue than the one you mention here.
==2788== Invalid read of size 1
==2788== at 0x486008: libpff_data_array_read_entries (libpff_data_array.c:567)
==2788== by 0x485AB2: libpff_data_array_read (libpff_data_array.c:321)
==2788== by 0x46725D: libpff_io_handle_read_descriptor_data_list (libpff_io_handle2.c:317)
==2788== by 0x41DE3A: libpff_table_read (libpff_table.c:2133)
==2788== by 0x40E9C7: libpff_item_values_read (libpff_item_values.c:289)
==2788== by 0x40F928: libpff_name_to_id_map_read (libpff_name_to_id_map.c:292)
==2788== by 0x404490: libpff_file_open_read (libpff_file.c:1081)
==2788== by 0x4039E9: libpff_file_open_file_io_handle (libpff_file.c:580)
==2788== by 0x403748: libpff_file_open (libpff_file.c:322)
==2788== by 0x401651: info_handle_open_input (info_handle.c:298)
==2788== by 0x402AA9: main (pffinfo.c:284)
We found with our fuzzer several heap-buffer-overflow and heap-use-after-free errors when running
pffinfo $file
(compiled with Address Sanitizer). We will enumerate them in the following issues and hope this can be tackled when you have time. (Another person mentioned another issue on this page.)
First one: heap-buffer-overflow at libpff_data_array.c:567
POC files: https://github.com/ntu-sec/pocs/blob/master/libpff-4938b7a/crashes/hbo_libpff_data_array.c%3A567_1.input.txt https://github.com/ntu-sec/pocs/blob/master/libpff-4938b7a/crashes/hbo_libpff_data_array.c%3A567_2.input.txt
ASan output: https://github.com/ntu-sec/pocs/blob/master/libpff-4938b7a/crashes/hbo_libpff_data_array.c%3A567_1.err.SIG06 https://github.com/ntu-sec/pocs/blob/master/libpff-4938b7a/crashes/hbo_libpff_data_array.c%3A567_2.err.SIG06
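The trace above ends in a routine that walks the entries of a data array read from the file, and the crash class (an out-of-bounds read on fuzzed input) is the one that occurs when an entry count taken from the file is trusted without checking it against the bytes actually available. The following is an added example, not libpff's code and not its real data-array format: it assumes a hypothetical layout (a 16-bit little-endian entry count followed by 8-byte entries) and shows the bounds check a hardened reader performs before touching any entry, exercised on two constructed buffers, one well-formed and one whose header claims far more entries than the buffer holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical on-disk layout (an assumption for this example, not libpff's
 * real data-array format): a 16-bit little-endian entry count, followed by
 * that many 8-byte entries, each a 32-bit offset and a 32-bit size. */
#define HEADER_SIZE 2u
#define ENTRY_SIZE  8u

typedef struct {
    uint32_t offset;
    uint32_t size;
} entry_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened reader. The entry count comes from untrusted file data, so it is
 * validated against the bytes actually present before any entry is read.
 * Returns the number of entries parsed, or -1 for a malformed header. */
int read_entries_checked(const uint8_t *data, size_t data_size,
                         entry_t *out, size_t out_max)
{
    if (data == NULL || out == NULL || data_size < HEADER_SIZE)
        return -1;

    size_t count = (size_t)data[0] | ((size_t)data[1] << 8);

    /* Every entry the header claims must fit in the remaining bytes.
     * Without this check the loop below walks past the end of the buffer,
     * which is exactly what AddressSanitizer reports as a heap-buffer-overflow
     * read when the buffer came from a malloc'd file chunk. */
    if (count > (data_size - HEADER_SIZE) / ENTRY_SIZE)
        return -1;
    if (count > out_max)
        return -1;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = data + HEADER_SIZE + i * ENTRY_SIZE;
        out[i].offset = read_le32(p);
        out[i].size   = read_le32(p + 4);
    }
    return (int)count;
}

/* Constructed sample: header says 2 entries, and 2 entries follow. */
static const uint8_t SAMPLE_OK[] = {
    0x02, 0x00,
    0x00, 0x10, 0x00, 0x00,  0x40, 0x00, 0x00, 0x00,  /* offset 0x1000, size 0x40 */
    0x00, 0x20, 0x00, 0x00,  0x80, 0x00, 0x00, 0x00,  /* offset 0x2000, size 0x80 */
};

/* Constructed sample: header claims 0xFFFF entries but only one follows.
 * This is the shape of input a fuzzer produces; an unchecked loop would
 * read far beyond this 10-byte buffer. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0xFF, 0xFF,
    0x00, 0x10, 0x00, 0x00,  0x40, 0x00, 0x00, 0x00,
};

/* Parse the well-formed sample; returns the entry count (2). */
int demo_ok(void)
{
    entry_t entries[4];
    return read_entries_checked(SAMPLE_OK, sizeof SAMPLE_OK, entries, 4);
}

/* Offset field of the second entry in the well-formed sample (0x2000). */
uint32_t demo_ok_second_offset(void)
{
    entry_t entries[4];
    if (read_entries_checked(SAMPLE_OK, sizeof SAMPLE_OK, entries, 4) != 2)
        return 0;
    return entries[1].offset;
}

/* Parse the truncated sample; the header is rejected, returning -1. */
int demo_truncated(void)
{
    entry_t entries[4];
    return read_entries_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED,
                                entries, 4);
}

int main(void)
{
    printf("well-formed sample: %d entries, second offset 0x%x\n",
           demo_ok(), demo_ok_second_offset());
    printf("truncated sample:   result %d (header rejected)\n",
           demo_truncated());
    return 0;
}
```

The check is deliberately written as a division (`count > remaining / ENTRY_SIZE`) rather than a multiplication (`count * ENTRY_SIZE > remaining`), so a large count cannot overflow the arithmetic and slip past the test. Building such a reader with `-fsanitize=address` and feeding it the crash inputs from a fuzzing corpus is the quickest way to confirm that the rejection happens before the overread rather than after it.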