stefanhaustein / TerminalImageViewer

Small C++ program to display images in a (modern) terminal using RGB ANSI codes and unicode block graphics characters

A heap-buffer-overflow occurred when running ./tiv #24

Closed swtkiwi closed 6 years ago

swtkiwi commented 6 years ago

A heap-buffer-overflow occurred when running ./tiv

=================================================================
==11827==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f198849ca48 at pc 0x0000004701ba bp 0x7fffb2b08940 sp 0x7fffb2b08930
READ of size 1 at 0x7f198849ca48 thread T0
    #0 0x4701b9  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x4701b9)
    #1 0x45e988  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x45e988)
    #2 0x44e45c  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x44e45c)
    #3 0x4299be  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x4299be)
    #4 0x421801  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x421801)
    #5 0x406fd0  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x406fd0)
    #6 0x7f19864fe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x403338  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x403338)

0x7f198849ca48 is located 0 bytes to the right of 148040-byte region [0x7f1988478800,0x7f198849ca48)
allocated by thread T0 here:
    #0 0x7f19873ff6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x44f3cb  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x44f3cb)
    #2 0x42a2bb  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x42a2bb)
    #3 0x46e35a  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x46e35a)
    #4 0x45e988  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x45e988)
    #5 0x44e45c  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x44e45c)
    #6 0x4299be  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x4299be)
    #7 0x421801  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x421801)
    #8 0x406fd0  (/home/sandy/swt_fuzz/TerminalImageViewer/src/main/cpp/tiv+0x406fd0)
    #9 0x7f19864fe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0fe3b108b8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3b108b900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3b108b910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3b108b920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3b108b930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe3b108b940: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
  0x0fe3b108b950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3b108b960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3b108b970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3b108b980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3b108b990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11827==ABORTING

And the input file has been put at: https://github.com/fCorleone/fuzz_programs/blob/master/TerminalImageViewer/test1

HybridDog commented 6 years ago

I can reproduce it: valgrind messages

stefanhaustein commented 6 years ago

Are you sure the crash is in tiv processing code and doesn't originate in the image library used (cimg)? Do you know what's special about the file? Was it just generated by a fuzzer, or is it a specific image test file?

swtkiwi commented 6 years ago

@stefanhaustein It is generated by SAFL, and yes, the crash is in tiv.

hadisfr commented 6 years ago

What kind of file is that test1 exactly? It seems to be BMP but I couldn't open it. 🤔

HybridDog commented 6 years ago

00000000: 424d ce47 960a 4393 0000 000a 4393 0000  BM.G..C.....C...
00000010: 000d 4948 0008 0200 0000 00aa 2000 0000  ..IH........ ...
00000020: 0000 0400 0040 0000 0040 0806 0000 04a6  .....@...@......
00000030: 6971 de00 0000 04                        iq.....

numbers in little endian
424d: BM
ce47 960a: file size in bytes (unreliable), the value is way too big here: 177,620,942 B
4393 0000: reserved, could be all zeroes
000a 4393: offset of image data in bytes from start of file, should be smaller
0000 000d: size of the information block in bytes
4948 0008: image width
0200 0000: image height
00aa: number of colour planes, should always be 1
etc.

hadisfr commented 6 years ago

@HybridDog I guessed BMP from that 424d. :D But I couldn't open it via any image viewer. Shouldn't it be a regular picture to be visible via TerminalImageViewer?

HybridDog commented 6 years ago

The image format is described there: https://de.wikipedia.org/wiki/Windows_Bitmap. I've edited my previous post. Some of the values are invalid; this maybe isn't tested by tiv. identify (a command of ImageMagick) shows the following:

$ identify test1_tiv 
identify-im6.q16: length and filesize do not match `test1_tiv' @ error/bmp.c/ReadBMPImage/825.
identify-im6.q16: static planes value not equal to 1 `test1_tiv' @ error/bmp.c/ReadBMPImage/837.

Edit: there's bmp.c: https://github.com/ImageMagick/ImageMagick/blob/a64a7bcf238a071cedea3fcdf585ec0e94d992bd/coders/bmp.c#L825
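As an added example (not tiv's or CImg's own code) of the header sanity checks behind the hex-dump walkthrough and the identify output above: a small C++ checker that decodes the same BMP fields, compares them against the real file length, and flags test1 on every count identify complained about, plus the oversized dimensions. The pixel-count cap and the set of accepted DIB header sizes are my assumptions, not rules from the BMP format.

```cpp
// Added example, not code from tiv or CImg: a header pre-check that rejects the
// inconsistencies found in test1 before a decoder allocates or reads pixel data.
#include <cstdint>
#include <cstdlib>
#include <string>
#include <vector>
struct BmpHeader {
    uint32_t file_size = 0, data_offset = 0, dib_size = 0, planes = 0;
    int32_t width = 0, height = 0;
    std::vector<std::string> problems;   // empty means the header looks sane
};
// BMP fields are little-endian; read n bytes at offset off explicitly.
static uint32_t rd_le(const std::vector<uint8_t>& b, size_t off, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; ++i) v |= static_cast<uint32_t>(b[off + i]) << (8 * i);
    return v;
}
// Parses the 14-byte file header plus the first BITMAPINFOHEADER fields and
// checks them against the real byte count (the same checks identify reported).
BmpHeader check_bmp(const std::vector<uint8_t>& b) {
    const uint64_t kMaxPixels = 1ull << 26;   // assumed sanity cap, not a BMP rule
    BmpHeader h;
    if (b.size() < 30) { h.problems.push_back("truncated header"); return h; }
    if (b[0] != 'B' || b[1] != 'M') h.problems.push_back("bad magic");
    h.file_size   = rd_le(b, 2, 4);
    h.data_offset = rd_le(b, 10, 4);
    h.dib_size    = rd_le(b, 14, 4);
    h.width       = static_cast<int32_t>(rd_le(b, 18, 4));
    h.height      = static_cast<int32_t>(rd_le(b, 22, 4));   // negative = top-down
    h.planes      = rd_le(b, 26, 2);
    if (h.file_size != b.size()) h.problems.push_back("length and filesize do not match");
    if (h.data_offset >= b.size()) h.problems.push_back("pixel data offset past end of file");
    if (h.dib_size != 40 && h.dib_size != 108 && h.dib_size != 124) h.problems.push_back("unsupported DIB header size");
    if (h.planes != 1) h.problems.push_back("planes value not equal to 1");
    uint64_t px = static_cast<uint64_t>(h.width) * static_cast<uint64_t>(std::llabs(h.height));
    if (h.width <= 0 || h.height == 0 || px > kMaxPixels) h.problems.push_back("implausible dimensions");
    return h;
}
// The 55 bytes of test1 exactly as shown in the hex dump above.
const std::vector<uint8_t> kTest1 = {
    0x42, 0x4d, 0xce, 0x47, 0x96, 0x0a, 0x43, 0x93, 0x00, 0x00, 0x00, 0x0a, 0x43, 0x93, 0x00, 0x00,
    0x00, 0x0d, 0x49, 0x48, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00, 0x00, 0xaa, 0x20, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x04, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x40, 0x08, 0x06, 0x00, 0x00, 0x04, 0xa6,
    0x69, 0x71, 0xde, 0x00, 0x00, 0x00, 0x04 };
// Constructed, well-formed 1x1 24-bit BMP (14 + 40 header bytes + 4 pixel bytes).
const std::vector<uint8_t> kTiny = {
    0x42, 0x4d, 0x3a, 0, 0, 0, 0, 0, 0, 0, 0x36, 0, 0, 0,
    0x28, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 24, 0, 0, 0, 0, 0, 4, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

Running check_bmp over kTest1 reproduces the two identify errors and adds the bad data offset, the bogus DIB size and the absurd width, while kTiny passes cleanly.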

stefanhaustein commented 6 years ago

The crash seems to be inside cimg_library::CImg image(file_names[i].c_str());

This should be fixed in cimg or the corresponding library that cimg uses to decode bmp.