search

posva / catimg

🦦 Insanely fast image printing in your terminal
http://posva.net/shell/retro/bash/2013/05/27/catimg
MIT License
1.4k stars 57 forks source link

stack buffer-overflow in stbi__compute_huffman_codes #36

Closed tianxiaogu closed 6 years ago

tianxiaogu commented 6 years ago

A stack buffer-overflow is detected. Attached is the test case that can reproduce the issue. You need to compile the catimg with ASAN. sbo-1.zip

=================================================================
==16406==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc9166dc0f at pc 0x0000005450e6 bp 0x7ffc9166d370 sp 0x7ffc9166d368
READ of size 1 at 0x7ffc9166dc0f thread T0
    #0 0x5450e5 in stbi__compute_huffman_codes /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3708:29
    #1 0x5450e5 in stbi__parse_zlib /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3803
    #2 0x5450e5 in stbi__do_zlib /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3818
    #3 0x5eb136 in stbi_zlib_decode_malloc_guesssize_headerflag /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3849:8
    #4 0x5eb136 in stbi__parse_png_file /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:4422
    #5 0x615cf6 in stbi__do_png /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:4472:8
    #6 0x615cf6 in stbi__png_load /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:4495
    #7 0x565630 in stbi__load_main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h
    #8 0x556121 in stbi__xload_main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:72:26
    #9 0x5bea05 in stbi_xload /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:92:18
    #10 0x5bea05 in img_load_from_file /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/sh_image.c:188
    #11 0x52836c in main /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/catimg.c:115:9
    #12 0x7fc5fe7ffb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41bbe9 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/catimg/bin/catimg+0x41bbe9)

Address 0x7ffc9166dc0f is located in stack of thread T0 at offset 2191 in frame
    #0 0x53d3ef in stbi__do_zlib /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3812

  This frame has 4 object(s):
    [32, 2052) 'z_codelength.i.i' (line 3684)
    [2192, 2647) 'lencodes.i.i' (line 3685) <== Memory access at offset 2191 underflows this variable
    [2720, 2739) 'codelength_sizes.i.i' (line 3686)
    [2784, 2788) 'header.i.i' (line 3729)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/t/Projects/afl/fuzzing-experiments/subjects/catimg/src/stb_image.h:3708:29 in stbi__compute_huffman_codes
Shadow bytes around the buggy address:
  0x1000122c5b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000122c5b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000122c5b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000122c5b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000122c5b70: 04 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x1000122c5b80: f2[f2]00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000122c5b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000122c5ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000122c5bb0: 00 00 00 00 00 00 00 00 00 00 07 f2 f2 f2 f2 f2
  0x1000122c5bc0: f2 f2 f2 f2 00 00 03 f2 f2 f2 f2 f2 f8 f3 f3 f3
  0x1000122c5bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==16406==ABORTING
posva commented 6 years ago

Thanks for posting this but these are all related to the external lib that load images. I accept prs for fixing these but I don't have time to fix it myself 🙂