Closed 0xdd96 closed 2 years ago
Describe the issue There is a heap-based buffer overflow in DecodePixelData in the latest commit.
Environment
version: latest commit https://github.com/syoyo/tinyexr/commit/22be731278743c96c39aca8485e7f766755679b1
poc: poc
Steps to reproduce the behavior:
CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release ..
./test_tinyexr ./poc
Here is the trace reported by ASAN:
```
# ./test_tinyexr poc
=================================================================
==383==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00000f7e4 at pc 0x000000407b27 bp 0x7fffffffcde0 sp 0x7fffffffcdd0
READ of size 1 at 0x61c00000f7e4 thread T0
    #0 0x407b26 in cpy4 tinyexr-22be731/tinyexr.h:776
    #1 0x415bfa in DecodePixelData tinyexr-22be731/tinyexr.h:4105
    #2 0x41e188 in DecodeChunk tinyexr-22be731/tinyexr.h:5191
    #3 0x42215b in DecodeEXRImage tinyexr-22be731/tinyexr.h:5791
    #4 0x4280d9 in LoadEXRImageFromMemory tinyexr-22be731/tinyexr.h:6497
    #5 0x427cd9 in LoadEXRImageFromFile tinyexr-22be731/tinyexr.h:6474
    #6 0x4237d5 in LoadEXRWithLayer tinyexr-22be731/tinyexr.h:5969
    #7 0x423323 in LoadEXR tinyexr-22be731/tinyexr.h:5917
    #8 0x437c2c in test_main tinyexr-22be731/test_tinyexr.cc:223
    #9 0x4379d3 in main tinyexr-22be731/test_tinyexr.cc:194
    #10 0x7ffff652883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #11 0x4075e8 in _start (tinyexr-22be731/build/test_tinyexr+0x4075e8)

0x61c00000f7e4 is located 0 bytes to the right of 1892-byte region [0x61c00000f080,0x61c00000f7e4)
allocated by thread T0 here:
    #0 0x7ffff6f03532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x44ffd4 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x44d520 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
    #3 0x444753 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    #4 0x446a7a in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/5/bits/stl_vector.h:185
    #5 0x43df4e in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:136
    #6 0x439915 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:278
    #7 0x427c0d in LoadEXRImageFromFile tinyexr-22be731/tinyexr.h:6464
    #8 0x4237d5 in LoadEXRWithLayer tinyexr-22be731/tinyexr.h:5969
    #9 0x423323 in LoadEXR tinyexr-22be731/tinyexr.h:5917
    #10 0x437c2c in test_main tinyexr-22be731/test_tinyexr.cc:223
    #11 0x4379d3 in main tinyexr-22be731/test_tinyexr.cc:194
    #12 0x7ffff652883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow tinyexr-22be731/tinyexr.h:776 cpy4
Shadow bytes around the buggy address:
  0x0c387fff9ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c387fff9ef0: 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa
  0x0c387fff9f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fff9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fff9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fff9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==383==ABORTING
```
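The trace shows a 1-byte read exactly at the end of the 1892-byte region that LoadEXRImageFromFile allocated for the file contents, i.e. the pixel decoder advanced through the buffer on header-derived sizes without checking them against the real file length. As an added illustration (not tinyexr's code; `BoundedReader` and `DecodePixelsChecked` are hypothetical names), this is the defensive pattern that turns such a read into a rejected file instead of an out-of-bounds access:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical bounds-checked view over the raw file bytes. Every read is
// validated against `end`, so a truncated or lying file cannot push the
// cursor past the allocation the way the ASAN report above shows.
struct BoundedReader {
  const unsigned char *cur;
  const unsigned char *end;

  BoundedReader(const unsigned char *data, size_t len) : cur(data), end(data + len) {}

  size_t remaining() const { return static_cast<size_t>(end - cur); }

  // Hardened counterpart of a 4-byte copy: refuses to read past `end`.
  // EXR stores multi-byte values little-endian, so assemble explicitly
  // rather than depending on host byte order or alignment.
  bool read4(uint32_t &out) {
    if (remaining() < 4) return false;  // would overrun: report, do not touch memory
    out = static_cast<uint32_t>(cur[0]) | (static_cast<uint32_t>(cur[1]) << 8) |
          (static_cast<uint32_t>(cur[2]) << 16) | (static_cast<uint32_t>(cur[3]) << 24);
    cur += 4;
    return true;
  }
};

// Decode `count` 32-bit pixel words from a buffer of `len` bytes.
// Returns false if the buffer cannot hold what the caller (typically a
// header field) claims, instead of reading beyond the allocation.
bool DecodePixelsChecked(const unsigned char *data, size_t len, size_t count,
                         std::vector<uint32_t> &out) {
  out.clear();
  // Cheap up-front rejection: count * 4 must fit, computed without overflow.
  if (count > len / 4) return false;
  BoundedReader r(data, len);
  out.reserve(count);
  for (size_t i = 0; i < count; ++i) {
    uint32_t v = 0;
    if (!r.read4(v)) return false;  // defence in depth; unreachable after the check above
    out.push_back(v);
  }
  return true;
}
```

The same two checks (claimed size against remaining bytes before the loop, and per-read against `end` inside it) are what a fix for the chunk decoder needs wherever it consumes header-derived counts.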
Can reproduce on my side. Marked.
PR for the fix is much appreciated though.