Various security fixes

[xiaozhuai]

Thanks @chan233. I've made some changes and add test files that you created. The CI is green now : ) Would you please test it again? Thanks again for your contribution.

[chan233]

Thanks @chan233. I've made some changes and add test files that you created. The CI is green now : ) Would you please test it again? Thanks again for your contribution.

Of course, if I find any bugs, I'll continue to submit PR.

[chan233]

@xiaozhuai crash_avif_3.tar.gz

[xiaozhuai]

@xiaozhuai crash_avif_3.tar.gz

Fixed.

[chan233]

new_crashs.tar.gz @xiaozhuai Here are some new samples that cause the program to crash. I tried to fix the issue but was unsuccessful. This is the call stack leading to the crash, and it's still caused by the try_avif_heic() function. I'll leave the rest of the work to you~

./imageinfo crash_1
=================================================================
==674991==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000140 at pc 0x5a1b6c4573b2 bp 0x7ffd235421d0 sp 0x7ffd235421c8
READ of size 4 at 0x612000000140 thread T0
    #0 0x5a1b6c4573b1 in unsigned int imageinfo::Buffer::read_int<unsigned int>(long, bool) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:277:17
    #1 0x5a1b6c4573b1 in imageinfo::Buffer::read_u32_be(long) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:261:56
    #2 0x5a1b6c4573b1 in imageinfo::try_avif_heic(imageinfo::ReadInterface&, unsigned long, imageinfo::ImageInfo&) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:513:36
    #3 0x5a1b6c452919 in imageinfo::parse(imageinfo::ReadInterface&, imageinfo::Format, std::vector<imageinfo::Format, std::allocator<imageinfo::Format> > const&, bool) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:1304:13
    #4 0x5a1b6c451819 in imageinfo::ImageInfo imageinfo::parse<imageinfo::FilePathReader, char const*>(char const* const&, imageinfo::Format, std::vector<imageinfo::Format, std::allocator<imageinfo::Format> > const&, bool) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:1328:12
    #5 0x5a1b6c450a67 in imageinfo::ImageInfo imageinfo::parse<imageinfo::FilePathReader, char const*>(char const* const&, std::vector<imageinfo::Format, std::allocator<imageinfo::Format> > const&, bool) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:1335:12
    #6 0x5a1b6c450a67 in main /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/cli/main.cpp:14:21
    #7 0x794ad2e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x794ad2e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #9 0x5a1b6c390614 in _start (/home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/build/imageinfo+0x24614) (BuildId: 59b45231102966b7a09c44611c2f3cfdd1082382)

0x612000000142 is located 0 bytes to the right of 258-byte region [0x612000000040,0x612000000142)
allocated by thread T0 here:
    #0 0x5a1b6c44e33d in operator new[](unsigned long) (/home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/build/imageinfo+0xe233d) (BuildId: 59b45231102966b7a09c44611c2f3cfdd1082382)
    #1 0x5a1b6c455327 in imageinfo::Buffer::alloc(unsigned long) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:233:42
    #2 0x5a1b6c457123 in imageinfo::try_avif_heic(imageinfo::ReadInterface&, unsigned long, imageinfo::ImageInfo&) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:496:17
    #3 0x5a1b6c452919 in imageinfo::parse(imageinfo::ReadInterface&, imageinfo::Format, std::vector<imageinfo::Format, std::allocator<imageinfo::Format> > const&, bool) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:1304:13
    #4 0x5a1b6c451819 in imageinfo::ImageInfo imageinfo::parse<imageinfo::FilePathReader, char const*>(char const* const&, imageinfo::Format, std::vector<imageinfo::Format, std::allocator<imageinfo::Format> > const&, bool) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:1328:12
    #5 0x5a1b6c450a67 in imageinfo::ImageInfo imageinfo::parse<imageinfo::FilePathReader, char const*>(char const* const&, std::vector<imageinfo::Format, std::allocator<imageinfo::Format> > const&, bool) /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:1335:12
    #6 0x5a1b6c450a67 in main /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/cli/main.cpp:14:21
    #7 0x794ad2e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dehua/Desktop/fuzz/fuzz_project/image_fuzzing/imageinfo/include/imageinfo.hpp:277:17 in unsigned int imageinfo::Buffer::read_int<unsigned int>(long, bool)
Shadow bytes around the buggy address:
  0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8020: 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa
  0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==674991==ABORTING

[xiaozhuai]

@chan233 I've tried all the 25 crash samples, but I didn't repro it. Did you checkout this pr and rebuild imageinfo_cli?

xiaozhuai@xiaozhuai-m3-mbp ~/work/imageinfo (chan233-master) $ for file in $(ls /Users/xiaozhuai/Desktop/new_crashs); do ./cmake-build-release/imageinfo /Users/xiaozhuai/Desktop/$file; done
File: /Users/xiaozhuai/Desktop/crash_1
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_2
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_3
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_4
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_5
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_6
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_7
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_8
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_9
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_10
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_11
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_12
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_13
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_14
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_15
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_16
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_17
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_18
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_19
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_20
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_21
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_22
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_23
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_24
  - Error    : Unrecognized format
File: /Users/xiaozhuai/Desktop/crash_25
  - Error    : Unrecognized format

[chan233]

@xiaozhuai Using this CMakeLists file for compilation, you will see the crash logs CMakeLists.txt

[xiaozhuai]

new_crashs.tar.gz @xiaozhuai

@chan233 Fixed

[chan233]

@xiaozhuai You can run your batch command several times. Although it's occasional, it can still trigger a 'Segmentation fault.'

for file in $(ls ../../new_crashs); do echo $file ;./imageinfo $file; done
crash_1
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
Segmentation fault
crash_10
File: crash_10
  - Error    : Unrecognized format
crash_11
File: crash_11
  - Error    : Unrecognized format
crash_12
File: crash_12
  - Error    : Unrecognized format
crash_13
File: crash_13
  - Error    : Unrecognized format
crash_14
File: crash_14
  - Error    : Unrecognized format
crash_15
File: crash_15
  - Error    : Unrecognized format
crash_16
File: crash_16
  - Error    : Unrecognized format
crash_17
File: crash_17
  - Error    : Unrecognized format
crash_18
File: crash_18
  - Error    : Unrecognized format
crash_19
File: crash_19
  - Error    : Unrecognized format
crash_2
File: crash_2
  - Error    : Unrecognized format
crash_20
File: crash_20
  - Error    : Unrecognized format
crash_21
File: crash_21
  - Error    : Unrecognized format
crash_22
File: crash_22
  - Error    : Unrecognized format
crash_23
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
Segmentation fault
crash_24
File: crash_24
  - Error    : Unrecognized format
crash_25
File: crash_25
  - Error    : Unrecognized format
crash_3
File: crash_3
  - Error    : Unrecognized format
crash_4
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
Segmentation fault
crash_5
File: crash_5
  - Error    : Unrecognized format
crash_6
File: crash_6
  - Error    : Unrecognized format
crash_7
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
Segmentation fault
crash_8
File: crash_8
  - Error    : Unrecognized format
crash_9
File: crash_9
  - Error    : Unrecognized format

[xiaozhuai]

@chan233 Very odd, I can't repro it.

[chan233]

@xiaozhuai Maybe it's an issue with my computer. Currently, the tests are not showing any problems, so I think we can merge the branches.

[xiaozhuai]

I think we can merge the branches.

Ok, thanks for the contribution. I will merge this pr soon.