search

nokiatech / heif

High Efficiency Image File Format
Other
1.74k stars 247 forks source link

Heap-buffer-overflow in /srcs/examples/example.cpp example3() #93

Closed zodf0055980 closed 3 years ago

zodf0055980 commented 3 years ago

Hello, I build heif in ASAN and try to run your test case. In example3(), I try to run heif_conformance/conformance_files/C012.heic

=================================================================
==4865==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000520b8 at pc 0x559feca9c186 bp 0x7fff387a2990 sp 0x7fff387a2980
READ of size 4 at 0x6020000520b8 thread T0
    #0 0x559feca9c185 in example3() /home/yuan/afl-target/heif/srcs/examples/example.cpp:165
    #1 0x559feca9456c in main /home/yuan/afl-target/heif/srcs/examples/example.cpp:552
    #2 0x7f2e24505bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #3 0x559feca97879 in _start (/home/yuan/afl-target/heif/build/bin/example+0x1c879)

0x6020000520b8 is located 0 bytes to the right of 8-byte region [0x6020000520b0,0x6020000520b8)
allocated by thread T0 here:
    #0 0x7f2e24f54b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x559feccf534c in HEIF::ImageId* customAllocateArray<HEIF::ImageId>(unsigned long) /home/yuan/afl-target/heif/srcs/common/customallocator.hpp:39
    #2 0x559feccf534c in HEIF::Array<HEIF::ImageId>::operator=(HEIF::Array<HEIF::ImageId> const&) /home/yuan/afl-target/heif/srcs/common/arraydatatype.cpp:62
    #3 0x7fff387a31bf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yuan/afl-target/heif/srcs/examples/example.cpp:165 in example3()
Shadow bytes around the buggy address:
  0x0c04800023c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800023d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800023e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800023f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480002400: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c0480002410: fa fa fd fa fa fa 00[fa]fa fa fa fa fa fa fa fa
  0x0c0480002420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480002430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480002440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480002450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480002460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4865==ABORTING
lassehe commented 3 years ago

Thank you for reporting this. The example was unintentionally derefencing an iterator pointing to end(). Newest release v3.6.2 (bdac2fc) fixes this.