Out of bound read-2 in dec_clnpass #126

Closed
adarshdinesh opened this issue Mar 25, 2017 · 1 comment

Comments

@adarshdinesh

gdb-peda$ r out_of_bound_2_dec_clnpass
Starting program: /home/sandbox/Desktop/fuzz/bin out_of_bound_2_dec_clnpass
warning: ignoring trailing garbage (127 bytes)
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: bad segmentation symbol
warning: ignoring trailing garbage (111 bytes)
warning: bad segmentation symbol

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x180
RBX: 0x8a4a20 --> 0x0
RCX: 0x8a4a70 --> 0x7ffff7dcea40 --> 0xac1
RDX: 0xffffffff0060b898
RSI: 0x8a4a20 --> 0x0
RDI: 0x8a4a20 --> 0x0
RBP: 0x7fffffffdb90 --> 0x7fffffffdc10 --> 0x7fffffffdc80 --> 0x7fffffffdd00 --> 0x7fffffffdd40 --> 0x7fffffffdd80 (--> ...)
RSP: 0x7fffffffdac0 --> 0x0
RIP: 0x7ffff7ba57f8 (<dec_clnpass+1561>: mov QWORD PTR [rdx],rax)
R8 : 0x1
R9 : 0x1
R10: 0x1
R11: 0x1
R12: 0x400d80 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdf40 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7ba57ec <dec_clnpass+1549>: mov eax,DWORD PTR [rbp-0x8c]
0x7ffff7ba57f2 <dec_clnpass+1555>: cdqe
0x7ffff7ba57f4 <dec_clnpass+1557>: mov rdx,QWORD PTR [rbp-0x38]
=> 0x7ffff7ba57f8 <dec_clnpass+1561>: mov QWORD PTR [rdx],rax
0x7ffff7ba57fb <dec_clnpass+1564>: mov eax,DWORD PTR [rbp-0x80]
0x7ffff7ba57fe <dec_clnpass+1567>: cdqe
0x7ffff7ba5800 <dec_clnpass+1569>: shl rax,0x3
0x7ffff7ba5804 <dec_clnpass+1573>: neg rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdac0 --> 0x0
0008| 0x7fffffffdac8 --> 0x100000001
0016| 0x7fffffffdad0 --> 0x800000002
0024| 0x7fffffffdad8 --> 0x0
0032| 0x7fffffffdae0 --> 0x7fffffffdf40 --> 0x2
0040| 0x7fffffffdae8 --> 0x0
0048| 0x7fffffffdaf0 --> 0x100000001
0056| 0x7fffffffdaf8 --> 0x10000000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7ba57f8 in dec_clnpass () from /usr/lib/libjasper.so.4

gdb-peda$ backtrace
#0 0x00007ffff7ba57f8 in dec_clnpass () from /usr/lib/libjasper.so.4
#1 0x00007ffff7ba2272 in jpc_dec_decodecblk () from /usr/lib/libjasper.so.4
#2 0x00007ffff7ba1b86 in jpc_dec_decodecblks () from /usr/lib/libjasper.so.4
#3 0x00007ffff7b8b5d2 in jpc_dec_tiledecode () from /usr/lib/libjasper.so.4
#4 0x00007ffff7b89cb4 in jpc_dec_process_sod () from /usr/lib/libjasper.so.4
#5 0x00007ffff7b89425 in jpc_dec_decode () from /usr/lib/libjasper.so.4
#6 0x00007ffff7b89005 in jpc_decode () from /usr/lib/libjasper.so.4
#7 0x00007ffff7b731cd in jas_image_decode () from /usr/lib/libjasper.so.4
#8 0x0000000000400f4f in main ()
#9 0x00007ffff74ac830 in __libc_start_main (main=0x400e76, argc=0x2, argv=0x7fffffffdf48, init=, fini=, rtld_fini=, stack_end=0x7fffffffdf38) at ../csu/libc-start.c:291
#10 0x0000000000400da9 in _start ()
gdb-peda$

out_of_bound_2_dec_clnpass.zip

@asarubbo

This is a duplicate of the already reported #90.

FTR, asan reports a WRITE issue.
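As an added triage example (not part of this issue and not JasPer code), the script below parses the register and code panes of a gdb-peda crash dump, finds the faulting instruction marked with `=>`, classifies the access as a read or a write from the Intel-syntax operand order (destination first), and resolves the effective address of the memory operand from the register values. The embedded sample is an excerpt of the dump posted above; the operand-order heuristic and the "top bit set means kernel half of the address space" check are assumptions about an x86-64 Linux target, and the helper names are my own. Run on the sample, it reports a write through RDX to 0xffffffff0060b898, which matches the ASan observation that this is a WRITE rather than the read named in the title.

```python
import re

# Constructed sample: excerpt of the gdb-peda register and code panes from this issue.
PEDA_DUMP = """\
RAX: 0x180
RBX: 0x8a4a20 --> 0x0
RDX: 0xffffffff0060b898
RBP: 0x7fffffffdb90 --> 0x7fffffffdc10
RSP: 0x7fffffffdac0 --> 0x0
RIP: 0x7ffff7ba57f8 (<dec_clnpass+1561>: mov QWORD PTR [rdx],rax)
R8 : 0x1
[-------------------------------------code-------------------------------------]
0x7ffff7ba57f4 <dec_clnpass+1557>: mov rdx,QWORD PTR [rbp-0x38]
=> 0x7ffff7ba57f8 <dec_clnpass+1561>: mov QWORD PTR [rdx],rax
0x7ffff7ba57fb <dec_clnpass+1564>: mov eax,DWORD PTR [rbp-0x80]
"""

# "RDX: 0x..." or "R8 : 0x..." lines from the registers pane
REG_RE = re.compile(r"^(R[A-Z0-9]+|E[A-Z]+)\s*:\s*(0x[0-9a-fA-F]+)")
# "=> 0xADDR <sym+off>: mnemonic operands" line from the code pane
FAULT_RE = re.compile(r"^=>\s+0x[0-9a-fA-F]+\s+<([^>]+)>:\s+(\S+)\s+(.*)$")
# Intel-syntax memory operand, e.g. "QWORD PTR [rbp-0x38]"
MEM_RE = re.compile(r"(?:QWORD|DWORD|WORD|BYTE) PTR \[([^\]]+)\]")
# base register with optional hex displacement: "rdx", "rbp-0x38", "rax+0x10"
ADDR_RE = re.compile(r"^([a-z0-9]+)\s*([+-]\s*0x[0-9a-f]+)?$")


def parse_registers(dump):
    """Map lower-case register names to their integer values."""
    regs = {}
    for line in dump.splitlines():
        m = REG_RE.match(line)
        if m:
            regs[m.group(1).lower()] = int(m.group(2), 16)
    return regs


def find_fault(dump):
    """Return (symbol, mnemonic, operands) of the instruction marked with '=>'."""
    for line in dump.splitlines():
        m = FAULT_RE.match(line)
        if m:
            return m.group(1), m.group(2), m.group(3)
    raise ValueError("no '=>' faulting instruction found in dump")


def effective_address(expr, regs):
    """Resolve 'reg', 'reg+0xNN' or 'reg-0xNN' against the register snapshot."""
    m = ADDR_RE.match(expr.strip().lower())
    if not m:
        raise ValueError(f"unsupported address expression: {expr!r}")
    base = regs[m.group(1)]
    disp = int(m.group(2).replace(" ", ""), 16) if m.group(2) else 0
    return (base + disp) & 0xFFFF_FFFF_FFFF_FFFF


def triage(dump):
    """Classify the faulting access as read/write and resolve its target address.

    Heuristic: in Intel syntax the first operand is the destination, so a memory
    operand in position 0 is a store and anywhere else it is a load. Good enough
    for mov/add-style instructions; read-modify-write forms are reported as write.
    """
    regs = parse_registers(dump)
    symbol, mnemonic, operands = find_fault(dump)
    ops = [o.strip() for o in operands.split(",")]
    for idx, op in enumerate(ops):
        mm = MEM_RE.search(op)
        if mm:
            addr = effective_address(mm.group(1), regs)
            return {
                "symbol": symbol,
                "mnemonic": mnemonic,
                "access": "write" if idx == 0 else "read",
                "address_expr": mm.group(1),
                "address": addr,
                # top bit set: kernel half of the canonical x86-64 address space,
                # never mappable by a user process (assumption about the target)
                "kernel_half": bool(addr >> 63),
            }
    return {"symbol": symbol, "mnemonic": mnemonic, "access": "none"}


if __name__ == "__main__":
    r = triage(PEDA_DUMP)
    print(f"{r['symbol']}: {r['mnemonic']} -> {r['access']} at "
          f"[{r.get('address_expr')}] = {r.get('address', 0):#x}, "
          f"kernel half: {r.get('kernel_half')}")
```

Paste a full peda dump into `PEDA_DUMP` (or read it from a file) to triage other crashes; the `=>` marker and the register pane are all it needs, so the stack and legend panes can stay in place.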
