
AddressSanitizer: heap-buffer-overflow /src/exiv2/src/webpimage.cpp:563 Exiv2::WebPImage::decodeChunks(unsigned long) #378

Closed
cool-tomato opened this issue Jul 9, 2018 · 1 comment
cool-tomato commented Jul 9, 2018

$ exiv2 -pp $POC 

=================================================================
==23==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef32 at pc 0x7f19a962fc0e bp 0x7fff01cdcc00 sp 0x7fff01cdcbf0
READ of size 3 at 0x60200000ef32 thread T0
    #0 0x7f19a962fc0d in Exiv2::WebPImage::decodeChunks(unsigned long) /src/exiv2/src/webpimage.cpp:563
    #1 0x7f19a9634cbe in Exiv2::WebPImage::readMetadata() /src/exiv2/src/webpimage.cpp:496
    #2 0x462b13 in Action::Print::printPreviewList() /src/exiv2/src/actions.cpp:801
    #3 0x46f837 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /src/exiv2/src/actions.cpp:254
    #4 0x40c735 in main /src/exiv2/src/exiv2.cpp:166
    #5 0x7f19a87b482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x40d688 in _start (/src/aflbuild/installed/bin/exiv2+0x40d688)

0x60200000ef34 is located 0 bytes to the right of 4-byte region [0x60200000ef30,0x60200000ef34)
allocated by thread T0 here:
    #0 0x7f19a9f656b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x7f19a962bbc7 in Exiv2::DataBuf::DataBuf(long) /src/exiv2/include/exiv2/types.hpp:206
    #2 0x7f19a962bbc7 in Exiv2::WebPImage::decodeChunks(unsigned long) /src/exiv2/src/webpimage.cpp:517

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/exiv2/src/webpimage.cpp:563 Exiv2::WebPImage::decodeChunks(unsigned long)
Shadow bytes around the buggy address:
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa[04]fa fa fa 05 fa fa fa 05 fa
  0x0c047fff9df0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==23==ABORTING

1-poc-heapoverflow

D4N added a commit to D4N/exiv2 that referenced this issue Jul 9, 2018
The size parameter is only checked for upper bounds, but not for lower.
If it is too small, then the created dataBuf will be too small and overflow in one
of the subsequent memcpy() calls.

This fixes Exiv2#378
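The pattern the commit message describes, as an added illustration in C++ (this is not exiv2's code and does not reproduce webpimage.cpp): a minimal RIFF/WebP chunk walker whose vulnerable decoder sizes its buffer from the chunk's declared size and then copies fixed-offset fields out of it, beside the fixed version that enforces the lower bound first. Assumptions: only the VP8X chunk is parsed, its 10-byte payload layout (flags, 3 reserved bytes, canvas width minus one and canvas height minus one as 24-bit little-endian values) is taken from the WebP container format, and the input file is constructed inline rather than being the reporter's PoC. A declared chunk size of 4 makes the first 3-byte copy read past a 4-byte heap buffer, which is the shape of the read the ASan report above shows (READ of size 3, 0 bytes to the right of a 4-byte region).

```cpp
// Added illustration (not exiv2's code). Assumes a VP8X-only parser with the
// payload layout flags(1) reserved(3) width-1(3 LE) height-1(3 LE).
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

static const size_t kRiffHeader  = 12;  // "RIFF" <u32 size> "WEBP"
static const size_t kVp8xPayload = 10;  // flags(1) reserved(3) width-1(3) height-1(3)

static uint32_t le24(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16;
}
static uint32_t le32(const uint8_t* p) { return le24(p) | uint32_t(p[3]) << 24; }
static void putLe32(std::vector<uint8_t>& v, uint32_t x) {
    for (int i = 0; i < 4; ++i) v.push_back(uint8_t(x >> (8 * i)));
}

struct ChunkView { const uint8_t* data; uint32_t size; };
struct Canvas { uint32_t width; uint32_t height; };

// Walks the chunk list and returns the VP8X payload. As in the pre-fix code,
// the declared size is checked only against the file length (upper bound),
// so a size smaller than the layout the decoder expects is accepted here.
static ChunkView findVp8x(const std::vector<uint8_t>& file) {
    size_t pos = kRiffHeader;
    while (pos + 8 <= file.size()) {
        std::string fourcc(reinterpret_cast<const char*>(&file[pos]), 4);
        uint32_t size = le32(&file[pos + 4]);
        pos += 8;
        if (size > file.size() - pos) throw std::runtime_error("chunk size exceeds file");
        if (fourcc == "VP8X") return {&file[pos], size};
        pos += size + (size & 1);  // RIFF pads odd-sized chunks to even length
    }
    throw std::runtime_error("no VP8X chunk");
}

// Vulnerable shape: the buffer is sized from the attacker-controlled chunk
// size, then fixed-offset memcpy()s assume the full 10-byte layout. With a
// declared size of 4 the first 3-byte copy reads past the end of `buf`.
Canvas decodeVp8xUnchecked(const std::vector<uint8_t>& file) {
    ChunkView c = findVp8x(file);
    std::vector<uint8_t> buf(c.size);
    std::memcpy(buf.data(), c.data, c.size);
    uint8_t w[3], h[3];
    std::memcpy(w, buf.data() + 4, 3);  // out of bounds when c.size < 7
    std::memcpy(h, buf.data() + 7, 3);  // out of bounds when c.size < 10
    return {le24(w) + 1, le24(h) + 1};
}

// Fixed shape: enforce the lower bound before allocating or copying.
Canvas decodeVp8xChecked(const std::vector<uint8_t>& file) {
    ChunkView c = findVp8x(file);
    if (c.size < kVp8xPayload) throw std::runtime_error("VP8X chunk too small");
    std::vector<uint8_t> buf(c.size);
    std::memcpy(buf.data(), c.data, c.size);
    uint8_t w[3], h[3];
    std::memcpy(w, buf.data() + 4, 3);
    std::memcpy(h, buf.data() + 7, 3);
    return {le24(w) + 1, le24(h) + 1};
}

// Constructed input (not the reporter's PoC): a WebP container whose VP8X
// chunk declares `vp8xSize` payload bytes. 10 is well-formed; 4 mimics the
// 4-byte region in the report.
std::vector<uint8_t> makeWebp(uint32_t vp8xSize, uint32_t width, uint32_t height) {
    if (vp8xSize > kVp8xPayload) throw std::invalid_argument("vp8xSize > 10");
    std::vector<uint8_t> payload(kVp8xPayload, 0);
    for (int i = 0; i < 3; ++i) {
        payload[4 + i] = uint8_t((width - 1) >> (8 * i));
        payload[7 + i] = uint8_t((height - 1) >> (8 * i));
    }
    std::vector<uint8_t> f = {'R', 'I', 'F', 'F'};
    putLe32(f, 4 + 8 + vp8xSize);  // RIFF size: "WEBP" + chunk header + payload
    f.insert(f.end(), {'W', 'E', 'B', 'P', 'V', 'P', '8', 'X'});
    putLe32(f, vp8xSize);
    f.insert(f.end(), payload.begin(), payload.begin() + vp8xSize);
    return f;
}

int main() {
    Canvas ok = decodeVp8xChecked(makeWebp(10, 640, 480));
    std::cout << "well-formed: " << ok.width << "x" << ok.height << "\n";
    try {
        decodeVp8xChecked(makeWebp(4, 640, 480));
    } catch (const std::runtime_error& e) {
        std::cout << "truncated: rejected (" << e.what() << ")\n";
    }
    // decodeVp8xUnchecked(makeWebp(4, 640, 480)), built with -fsanitize=address,
    // reproduces a heap-buffer-overflow of this class; it is not called here.
    return 0;
}
```

The check belongs before the allocation, not after: once the undersized buffer exists, every later fixed-offset read or memcpy() of it is a separate overflow site, which is why the commit message speaks of "one of the subsequent memcpy() calls" rather than a single line.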
@kirotawa

This CVE number was assigned for this issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14046

@D4N D4N closed this as completed in 81b6d36 Jul 16, 2018
D4N added a commit that referenced this issue Jul 16, 2018
@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018