search

pts / sam2p

raster (bitmap) image converter with smart PDF and PostScript (EPS) output
http://pts.50.hu/sam2p/
GNU General Public License v2.0
42 stars 16 forks source link

heap buffer overflow in input-tga.ci:592 #60

Closed puppet-meteor closed 6 years ago

puppet-meteor commented 6 years ago

There is a heap buffer overflow in input-tga.ci:592 at sam2p 0.49.4. A crafted input will lead to denial of service attack.

Steps to Reproduce:

./sam2p POC_11 EPS: /dev/null

POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/POC_11

Information from addresssanitizer:

This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Warning: TGA: error reading; ftell == 92
 =================================================================
==82014==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000008095 at pc 0x0000004241af bp 0x7ffe55266780 sp 0x7ffe55266770
READ of size 1 at 0x610000008095 thread T0
    #0 0x4241ae in ReadImage /home/puppet/sam2p/input-tga.ci:592
    #1 0x4241ae in tga_load_image(_IO_FILE*) /home/puppet/sam2p/input-tga.ci:168
    #2 0x42429c in in_tga_reader /home/puppet/sam2p/in_tga.cpp:23
    #3 0x479a5b in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/puppet/sam2p/image.cpp:1435
    #4 0x403a46 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /home/puppet/sam2p/sam2p_main.cpp:1055
    #5 0x4025ff in main /home/puppet/sam2p/sam2p_main.cpp:1148
    #6 0x7f6ea71d482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x402f48 in _start (/home/puppet/sam2p/sam2p+0x402f48)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puppet/sam2p/input-tga.ci:592 ReadImage
Shadow bytes around the buggy address:
  0x0c207fff8fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c207fff9010: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==82014==ABORTING

found by puppet@zju.edu.cn from NESA Lab in Zhejiang University.

Sorry for the previous issues, I ran the fuzzing tool on the release version 0.49.4. Hoping it is useful.

pts commented 6 years ago

Sorry for the previous issues, I ran the fuzzing tool on the release version 0.49.4. Hoping it is useful.

Yes, all bug reports are useful, even for bugs which have been fixed since the last release. Thank you for running them and reporting them! (It's the most useful for me though if ./sam2p.asan is run at the latest commit, and the output of that is reported.)

pts commented 6 years ago

Thank you for reporting this! I'm able to reproduce the bug with ./sam2p.asan at 276dceb127e15cfda66803b87f38511ce49891e1.

puppet-meteor commented 6 years ago

Another similar bug.

Steps to Reproduce:

./sam2p.asan POC_17 EPS: /dev/null

POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/POC_17

Information from addresssanitizer:

This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p.asan: Warning: TGA: error reading; ftell == 132
=================================================================
==83955==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dcc3 at pc 0x0000004217f3 bp 0x7ffe6e796b40 sp 0x7ffe6e796b30
READ of size 1 at 0x60400000dcc3 thread T0
    #0 0x4217f2 in ReadImage /home/puppet/sam2p/input-tga.ci:513
    #1 0x420076 in tga_load_image(_IO_FILE*) /home/puppet/sam2p/input-tga.ci:168
    #2 0x4223fa in in_tga_reader /home/puppet/sam2p/in_tga.cpp:23
    #3 0x49148c in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/puppet/sam2p/image.cpp:1435
    #4 0x4095b3 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, unsigned char) /home/puppet/sam2p/sam2p_main.cpp:1055
    #5 0x40a6fe in main /home/puppet/sam2p/sam2p_main.cpp:1148
    #6 0x7f248743682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x401f68 in _start (/home/puppet/sam2p/sam2p.asan+0x401f68)

0x60400000dcc3 is located 8 bytes to the right of 43-byte region [0x60400000dc90,0x60400000dcbb)
allocated by thread T0 here:
    #0 0x7f2487bfb6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x44744d in MiniPS::String::String(char const*, long) /home/puppet/sam2p/minips.cpp:324
    #2 0x44be7c in MiniPS::Parser::parse1(int, int) /home/puppet/sam2p/minips.cpp:821
    #3 0x44cc97 in MiniPS::Parser::parse1(int, int) /home/puppet/sam2p/minips.cpp:884
    #4 0x44cc97 in MiniPS::Parser::parse1(int, int) /home/puppet/sam2p/minips.cpp:884
    #5 0x44bba3 in MiniPS::Parser::parse1(int, int) /home/puppet/sam2p/minips.cpp:798
    #6 0x44cd8c in MiniPS::Parser::parse1(int, int) /home/puppet/sam2p/minips.cpp:898
    #7 0x409344 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, unsigned char) /home/puppet/sam2p/sam2p_main.cpp:1018
    #8 0x40a6fe in main /home/puppet/sam2p/sam2p_main.cpp:1148
    #9 0x7f248743682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puppet/sam2p/input-tga.ci:513 ReadImage
Shadow bytes around the buggy address:
  0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b70: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c087fff9b80: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 00 06
=>0x0c087fff9b90: fa fa 00 00 00 00 00 03[fa]fa 00 00 00 00 00 06
  0x0c087fff9ba0: fa fa 00 00 00 00 00 01 fa fa 00 00 00 00 00 06
  0x0c087fff9bb0: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 00 06
  0x0c087fff9bc0: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 00 06
  0x0c087fff9bd0: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 00 06
  0x0c087fff9be0: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 00 06
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==83955==ABORTING
pts commented 6 years ago

Thank you for reporting these! I was able the fix it in 2f03331e911e8db3e8e699aa3786d3c9e551ca4c based on the details you have provided.

It works now:

$ ./sam2p.asan POC_11 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p.asan: Warning: TGA: error reading; ftell == 92
sam2p.asan: Warning: TGA: alpha index too large
sam2p.asan: Warning: TGA: color index too large
sam2p.asan: Notice: job: read InputFile: POC_11
sam2p.asan: Notice: writeTTT: using template: l1op
sam2p.asan: Notice: applyProfile: applied OutputRule #0 using applier P-TrOpBb
sam2p.asan: Notice: job: written OutputFile: /dev/null
Success.
$ ./sam2p.asan POC_17 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p.asan: Warning: TGA: error reading; ftell == 132
sam2p.asan: Warning: TGA: alpha index too large
sam2p.asan: Warning: TGA: color index too large
sam2p.asan: Notice: job: read InputFile: POC_17
sam2p.asan: Notice: writeTTT: using template: l1op
sam2p.asan: Notice: applyProfile: applied OutputRule #0 using applier P-TrOpBb
sam2p.asan: Notice: job: written OutputFile: /dev/null
Success.