A heap-buffer-overflow in png.c:277:21
Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), advpng (advancecomp-2.1)
./advpng -z -i 1 -q ./heap-overflow-adv_png_unfilter_8-png-272
=================================================================
==68103==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000009a0 at pc 0x0000005480fa bp 0x7ffc9a53efc0 sp 0x7ffc9a53efb8
READ of size 1 at 0x6190000009a0 thread T0
#0 0x5480f9 in adv_png_unfilter_8 /home/seviezhou/advancecomp/lib/png.c:277:21
#1 0x54b70c in adv_png_read_ihdr /home/seviezhou/advancecomp/lib/png.c:766:4
#2 0x54c85c in adv_png_read_rns /home/seviezhou/advancecomp/lib/png.c:860:9
#3 0x51e083 in convert_f(adv_fz_struct*, adv_fz_struct*) /home/seviezhou/advancecomp/repng.cc:142:6
#4 0x51e80d in convert_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/seviezhou/advancecomp/repng.cc:193:3
#5 0x5215d1 in rezip_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/seviezhou/advancecomp/repng.cc:283:4
#6 0x522b41 in rezip_all(int, char**) /home/seviezhou/advancecomp/repng.cc:317:3
#7 0x5258da in process(int, char**) /home/seviezhou/advancecomp/repng.cc:476:3
#8 0x526647 in main /home/seviezhou/advancecomp/repng.cc:489:3
#9 0x7f588f04483f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41ccf8 in _start (/home/seviezhou/advancecomp/advpng+0x41ccf8)
0x6190000009a0 is located 0 bytes to the right of 1056-byte region [0x619000000580,0x6190000009a0)
allocated by thread T0 here:
#0 0x4e0f08 in __interceptor_malloc /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
#1 0x54b405 in adv_png_read_ihdr /home/seviezhou/advancecomp/lib/png.c:723:13
#2 0x54c85c in adv_png_read_rns /home/seviezhou/advancecomp/lib/png.c:860:9
#3 0x51e083 in convert_f(adv_fz_struct*, adv_fz_struct*) /home/seviezhou/advancecomp/repng.cc:142:6
#4 0x51e80d in convert_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/seviezhou/advancecomp/repng.cc:193:3
#5 0x5215d1 in rezip_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/seviezhou/advancecomp/repng.cc:283:4
#6 0x522b41 in rezip_all(int, char**) /home/seviezhou/advancecomp/repng.cc:317:3
#7 0x5258da in process(int, char**) /home/seviezhou/advancecomp/repng.cc:476:3
#8 0x526647 in main /home/seviezhou/advancecomp/repng.cc:489:3
#9 0x7f588f04483f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/advancecomp/lib/png.c:277:21 in adv_png_unfilter_8
Shadow bytes around the buggy address:
0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==68103==ABORTING