Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

a heap buffer overflow in in_bmp.cpp:31 #59

Closed
puppet-meteor opened this issue Oct 15, 2018 · 1 comment
Closed

a heap buffer overflow in in_bmp.cpp:31 #59

puppet-meteor opened this issue Oct 15, 2018 · 1 comment

Comments

@puppet-meteor
Copy link

A crafted input will lead to a heap buffer overflow in in_bmp.cpp:31 at sam2p 0.49.4.

Trigger by
./sam2p sam2p_1 EPS: /dev/null

POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/sam2p_1

Version: sam2p 0.49.4

ASAN infomation:

This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
=================================================================
==2962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f992d7feafc at pc 0x7f9930ca3935 bp 0x7ffd322021f0 sp 0x7ffd32201998
READ of size 5912820 at 0x7f992d7feafc thread T0
    #0 0x7f9930ca3934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x4282b4 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x4282b4 in in_bmp_reader /home/puppet/target/sam2p-gdb/in_bmp.cpp:31
    #3 0x478f1b in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/puppet/target/sam2p-gdb/image.cpp:1427
    #4 0x403a96 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1024
    #5 0x40264f in main /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1117
    #6 0x7f993086d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x402f98 in _start (/usr/local/bin/sam2p+0x402f98)

0x7f992d7feafc is located 0 bytes to the right of 1970940-byte region [0x7f992d61d800,0x7f992d7feafc)
allocated by thread T0 here:
    #0 0x7f9930caf602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x41f2aa in emulate_cc_new /home/puppet/target/sam2p-gdb/c_lgcc.cpp:35
    #2 0x41f2aa in operator new[](unsigned long) /home/puppet/target/sam2p-gdb/c_lgcc.cpp:55
    #3 0x426f63 in ReadImage /home/puppet/target/sam2p-gdb/input-bmp.ci:277
    #4 0x426f63 in bmp_load_image(_IO_FILE*) /home/puppet/target/sam2p-gdb/input-bmp.ci:206
    #5 0x42823c in in_bmp_reader /home/puppet/target/sam2p-gdb/in_bmp.cpp:23
    #6 0x478f1b in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/puppet/target/sam2p-gdb/image.cpp:1427
    #7 0x403a96 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1024
    #8 0x40264f in main /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1117
    #9 0x7f993086d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0ff3a5af7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3a5af7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3a5af7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3a5af7d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3a5af7d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff3a5af7d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
  0x0ff3a5af7d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff3a5af7d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff3a5af7d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff3a5af7d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff3a5af7da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2962==ABORTING

found by puppet@zju.edu.cn from NESA Lab in Zhejiang University.
@pts
Copy link
Owner

pts commented Oct 15, 2018

Thank you for reporting this! I'm not able to reproduce this bug with the latest sam2p HEAD (d2656be), so I'm closing this issue now. Feel free to report more issues, but please check that you have d2656be or later checked out.

$ ./sam2p.asan sam2p_1 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p.asan: Error: BMP: Invalid bpp.

@pts pts closed this as completed Oct 15, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pts @puppet-meteor