psdump
heap-buffer-overflow in Function psd_get_image_resource()
Description: A heap-buffer-overflow was discovered in psdump. The issue is triggered in the function psd_get_image_resource().

Environment: Ubuntu 18.04, 64bit

Reproduce Command: git clone the latest version first, then run:
make && make install
./psdump poc

With ASAN: Note: You can use ASAN for more direct verification. Compile the program with AddressSanitizer using this Makefile:
```makefile
obj-files = build/main.o build/Document.o build/Layer.o build/Record.o build/LayerGroup.o build/TextFormatter.o build/XmlFormatter.o build/PlistFormatter.o build/PsdParser.o build/JsonFormatter.o build/lodepng.o

libpsd-objects = adjustment.o bevel_emboss.o bitmap.o blend.o boundary.o brightness_contrast.o channel_image.o channel_mixer.o color.o color_balance.o color_mode.o color_overlay.o curves.o descriptor.o drop_shadow.o effects.o file_header.o fixed.o gaussian_blur.o gradient_blend.o gradient_fill.o gradient_map.o gradient_overlay.o hue_saturation.o image_data.o image_resource.o inner_glow.o inner_shadow.o invert.o layer_mask.o levels.o outer_glow.o path.o pattern.o pattern_fill.o pattern_overlay.o photo_filter.o posterize.o psd.o psd_system.o psd_zip.o rect.o satin.o selective_color.o solid_color.o stream.o stroke.o threshold.o thumbnail.o type_tool.o

psdump: build_dir build/libpsd-0.9 $(obj-files)
	g++ -fsanitize=address $(obj-files) $(libpsd-objects) -o build/psdump

# Compiles every libpsd source into the current directory (bare .o names above),
# then drops a marker file so the rule is not re-run on the next make.
build/libpsd-0.9:
	gcc -fsanitize=address -Ilibpsd-0.9/include -c libpsd-0.9/src/*.c
	touch build/libpsd-0.9

build_dir:
	mkdir -p build

build/main.o: src/main.cpp src/Document.h src/formatter/TextFormatter.h src/formatter/XmlFormatter.h src/formatter/JsonFormatter.h src/parser/PsdParser.h
	g++ -fsanitize=address -c -Wno-write-strings -Ilibpsd-0.9/include src/main.cpp -o build/main.o

build/Document.o: src/Document.cpp src/Document.h
	g++ -fsanitize=address -c src/Document.cpp -o build/Document.o

build/Layer.o: src/Layer.cpp src/Layer.h
	g++ -fsanitize=address -c src/Layer.cpp -o build/Layer.o

build/Record.o: src/Record.cpp src/Record.h
	g++ -fsanitize=address -c src/Record.cpp -o build/Record.o

build/LayerGroup.o: src/LayerGroup.cpp src/LayerGroup.h
	g++ -fsanitize=address -c src/LayerGroup.cpp -o build/LayerGroup.o

build/TextFormatter.o: src/formatter/TextFormatter.cpp src/formatter/TextFormatter.h
	g++ -fsanitize=address -c src/formatter/TextFormatter.cpp -o build/TextFormatter.o

build/PlistFormatter.o: src/formatter/PlistFormatter.cpp src/formatter/PlistFormatter.h
	g++ -fsanitize=address -c src/formatter/PlistFormatter.cpp -o build/PlistFormatter.o

build/XmlFormatter.o: src/formatter/XmlFormatter.cpp src/formatter/XmlFormatter.h
	g++ -fsanitize=address -c src/formatter/XmlFormatter.cpp -o build/XmlFormatter.o

build/JsonFormatter.o: src/formatter/JsonFormatter.cpp src/formatter/JsonFormatter.h
	g++ -fsanitize=address -c src/formatter/JsonFormatter.cpp -o build/JsonFormatter.o

build/PsdParser.o: src/parser/PsdParser.cpp src/parser/PsdParser.h
	g++ -fsanitize=address -c -Ilibpsd-0.9/include src/parser/PsdParser.cpp -o build/PsdParser.o

build/lodepng.o: src/lodepng/lodepng.cpp src/lodepng/lodepng.h
	g++ -fsanitize=address -c src/lodepng/lodepng.cpp -o build/lodepng.o

.PHONY: clean tidyup shtest test

test:
	python test/test.py

shtest:
	test/test.sh

tidyup:
	rm -f build/*.o
	rm -f build/libpsd-0.9
	rm -f *.o

clean:
	rm -rf build
	rm -f *.o
```
ASAN:
=================================================================
==24539==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4a726fe862 at pc 0x7f4a7605b3a7 bp 0x7ffd3921d600 sp 0x7ffd3921cda8
READ of size 14942410 at 0x7f4a726fe862 thread T0
#0 0x7f4a7605b3a6 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x55b95e45c40d in psd_get_image_resource libpsd-0.9/src/image_resource.c:326
#2 0x55b95e475d17 in psd_main_loop libpsd-0.9/src/psd.c:186
#3 0x55b95e475903 in psd_image_load_tag libpsd-0.9/src/psd.c:81
#4 0x55b95e47598b in psd_image_load libpsd-0.9/src/psd.c:100
#5 0x55b95e3c913f in PsdParser::parse() src/parser/PsdParser.cpp:45
#6 0x55b95e3c45b3 in main src/main.cpp:163
#7 0x7f4a75acf0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#8 0x55b95e3c3c8d in _start (/AFLplusplus/my_test/tanuki/asan_bin/psdump_x+0xfc8d)
0x7f4a726fe862 is located 0 bytes to the right of 7340130-byte region [0x7f4a71ffe800,0x7f4a726fe862)
allocated by thread T0 here:
#0 0x7f4a760d5c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55b95e475ee1 in psd_malloc libpsd-0.9/src/psd_system.c:10
#2 0x55b95e45bbe5 in psd_get_image_resource libpsd-0.9/src/image_resource.c:294
#3 0x55b95e475d17 in psd_main_loop libpsd-0.9/src/psd.c:186
#4 0x55b95e475903 in psd_image_load_tag libpsd-0.9/src/psd.c:81
#5 0x55b95e47598b in psd_image_load libpsd-0.9/src/psd.c:100
#6 0x55b95e3c913f in PsdParser::parse() src/parser/PsdParser.cpp:45
#7 0x55b95e3c45b3 in main src/main.cpp:163
#8 0x7f4a75acf0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0fe9ce4d7cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe9ce4d7cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe9ce4d7cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe9ce4d7ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe9ce4d7cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9ce4d7d00: 00 00 00 00 00 00 00 00 00 00 00 00[02]fa fa fa
0x0fe9ce4d7d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe9ce4d7d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe9ce4d7d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe9ce4d7d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe9ce4d7d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==24539==ABORTING
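The report above shows the shape of the defect: a memcpy() of 14942410 bytes is issued against a 7340130-byte heap region, so the size the parser handed to memcpy() came from the file rather than from what had actually been read into memory. The following is an added example, not libpsd's or psdump's code, illustrating that bug class on a hypothetical resource block laid out as [4-byte big-endian length][payload]: an unchecked reader that trusts the length field, beside a hardened reader that validates the declared length against the bytes present and the destination capacity before copying. The block layout, the function names and the sample inputs are all constructed for the illustration; only the 14942410 figure is taken from the report.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class in the report above; this is NOT
 * libpsd's code. A hypothetical resource block is [4-byte big-endian length]
 * [payload]. The unchecked reader passes the length field straight to memcpy(),
 * so a block that declares more payload than the file actually holds makes
 * memcpy() read past the end of the heap buffer (ASAN: heap-buffer-overflow
 * READ). The checked reader rejects such a block before any copy happens. */

/* Decode a 4-byte big-endian unsigned integer (PSD fields are big-endian). */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: trusts the declared length. It is here only for contrast;
 * calling it on a block whose length field exceeds the bytes present over-reads. */
size_t copy_resource_unchecked(const unsigned char *blk, unsigned char *out) {
    uint32_t len = be32(blk);
    memcpy(out, blk + 4, len);   /* over-reads blk when len > bytes actually present */
    return len;
}

/* Hardened pattern: the declared length is validated against the bytes that were
 * actually read from the file (blk_len) and the destination capacity (out_len)
 * before any copy. Returns the payload size, or -1 for a malformed block. */
long copy_resource_checked(const unsigned char *blk, size_t blk_len,
                           unsigned char *out, size_t out_len) {
    if (blk_len < 4) return -1;            /* truncated: no complete length field */
    uint32_t len = be32(blk);
    if (len > blk_len - 4) return -1;      /* declared length exceeds remaining input */
    if (len > out_len) return -1;          /* declared length exceeds destination */
    memcpy(out, blk + 4, len);
    return (long)len;
}

/* Constructed sample: a well-formed block declaring 5 payload bytes. */
static const unsigned char honest_block[] = {
    0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

/* Constructed sample: the same 5 payload bytes, but the length field claims
 * 14942410 (0x00E400CA) bytes, the READ size from the ASAN report above. */
static const unsigned char lying_block[] = {
    0x00, 0xE4, 0x00, 0xCA, 'h', 'e', 'l', 'l', 'o' };

/* Returns 5 when the honest block is copied intact, -2 otherwise. */
long demo_honest_block(void) {
    unsigned char out[16] = {0};
    long n = copy_resource_checked(honest_block, sizeof honest_block, out, sizeof out);
    return (n == 5 && memcmp(out, "hello", 5) == 0) ? n : -2;
}

/* Returns -1: the lying block is rejected instead of being handed to memcpy(). */
long demo_lying_block(void) {
    unsigned char out[16] = {0};
    return copy_resource_checked(lying_block, sizeof lying_block, out, sizeof out);
}

/* The size the unchecked reader would pass to memcpy() for the lying block,
 * computed without performing the copy. */
uint32_t lying_block_declared_len(void) {
    return be32(lying_block);
}

int main(void) {
    printf("honest block: copied %ld bytes\n", demo_honest_block());
    printf("lying block: result %ld (declared %" PRIu32 " bytes, only %zu present)\n",
           demo_lying_block(), lying_block_declared_len(),
           sizeof lying_block - 4);
    return 0;
}
```

The check that matters is `len > blk_len - 4`: the bound comes from how many bytes the loader actually placed in the buffer, never from a field inside the same untrusted data. Applied to the report, that is the difference between the 7340130 bytes allocated at image_resource.c:294 and the 14942410 bytes requested at line 326. Building with -fsanitize=address, as the Makefile above does, turns the over-read into the immediate abort shown rather than a silent read of whatever follows the allocation.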