psdump
negative-size-param in Function psd_get_layer_unicode_name()
Description
A negative-size-param was discovered in psdump while it parses a crafted PSD file: the AddressSanitizer report below shows memset() called with size -4000992926 on a 293974370-byte heap buffer that was allocated three lines earlier in the same function. The issue is triggered in psd_get_layer_unicode_name() (libpsd-0.9/src/layer_mask.c), reached from psd_get_layer_info() via psd_get_layer_and_mask() and psd_main_loop() during psd_image_load_tag(). Without ASAN the program crashes with a segmentation fault, so any program that loads untrusted PSD files through this copy of libpsd can at least be crashed by such a file.
Version
psdump v0.9.1
Environment
Ubuntu 20.04.2 LTS
Command
Compile the program:
```sh
$ make && make install
```
Compile the program with AddressSanitizer by using the Makefile below, which adds `-fsanitize=address` to every compile and link line, and then run the same command:
```makefile
# Makefile for the AddressSanitizer build: -fsanitize=address on every compile
# and link line. The libpsd objects are produced in the top-level directory
# (gcc -c with several inputs and no -o); build/libpsd-0.9 is a stamp file
# that marks that step as done.
obj-files = build/main.o build/Document.o build/Layer.o build/Record.o build/LayerGroup.o build/TextFormatter.o build/XmlFormatter.o build/PlistFormatter.o build/PsdParser.o build/JsonFormatter.o \
	build/lodepng.o
libpsd-objects = adjustment.o bevel_emboss.o bitmap.o blend.o boundary.o brightness_contrast.o channel_image.o channel_mixer.o color.o color_balance.o color_mode.o color_overlay.o \
	curves.o descriptor.o drop_shadow.o effects.o file_header.o fixed.o gaussian_blur.o gradient_blend.o gradient_fill.o gradient_map.o gradient_overlay.o hue_saturation.o image_data.o \
	image_resource.o inner_glow.o inner_shadow.o invert.o layer_mask.o levels.o outer_glow.o path.o pattern.o pattern_fill.o pattern_overlay.o photo_filter.o posterize.o psd.o psd_system.o \
	psd_zip.o rect.o satin.o selective_color.o solid_color.o stream.o stroke.o threshold.o thumbnail.o type_tool.o

psdump: build_dir build/libpsd-0.9 $(obj-files)
	g++ -fsanitize=address $(obj-files) $(libpsd-objects) -o build/psdump

build/libpsd-0.9:
	gcc -fsanitize=address -Ilibpsd-0.9/include -c libpsd-0.9/src/*.c
	touch build/libpsd-0.9

build_dir:
	mkdir -p build

build/main.o: src/main.cpp src/Document.h src/formatter/TextFormatter.h src/formatter/XmlFormatter.h src/formatter/JsonFormatter.h src/parser/PsdParser.h
	g++ -fsanitize=address -c -Wno-write-strings -Ilibpsd-0.9/include src/main.cpp -o build/main.o

build/Document.o: src/Document.cpp src/Document.h
	g++ -fsanitize=address -c src/Document.cpp -o build/Document.o

build/Layer.o: src/Layer.cpp src/Layer.h
	g++ -fsanitize=address -c src/Layer.cpp -o build/Layer.o

build/Record.o: src/Record.cpp src/Record.h
	g++ -fsanitize=address -c src/Record.cpp -o build/Record.o

build/LayerGroup.o: src/LayerGroup.cpp src/LayerGroup.h
	g++ -fsanitize=address -c src/LayerGroup.cpp -o build/LayerGroup.o

build/TextFormatter.o: src/formatter/TextFormatter.cpp src/formatter/TextFormatter.h
	g++ -fsanitize=address -c src/formatter/TextFormatter.cpp -o build/TextFormatter.o

build/PlistFormatter.o: src/formatter/PlistFormatter.cpp src/formatter/PlistFormatter.h
	g++ -fsanitize=address -c src/formatter/PlistFormatter.cpp -o build/PlistFormatter.o

build/XmlFormatter.o: src/formatter/XmlFormatter.cpp src/formatter/XmlFormatter.h
	g++ -fsanitize=address -c src/formatter/XmlFormatter.cpp -o build/XmlFormatter.o

build/JsonFormatter.o: src/formatter/JsonFormatter.cpp src/formatter/JsonFormatter.h
	g++ -fsanitize=address -c src/formatter/JsonFormatter.cpp -o build/JsonFormatter.o

build/PsdParser.o: src/parser/PsdParser.cpp src/parser/PsdParser.h
	g++ -fsanitize=address -c -Ilibpsd-0.9/include src/parser/PsdParser.cpp -o build/PsdParser.o

build/lodepng.o: src/lodepng/lodepng.cpp src/lodepng/lodepng.h
	g++ -fsanitize=address -c src/lodepng/lodepng.cpp -o build/lodepng.o

# Phony targets are separated by whitespace; with commas the names "clean,"
# etc. would be declared phony instead of the real targets.
.PHONY: clean tidyup shtest test

test:
	python test/test.py

shtest:
	test/test.sh

tidyup:
	rm -f build/*.o
	rm -f build/libpsd-0.9
	rm -f *.o

clean:
	rm -rf build
	rm -f *.o
```
### With ASAN
Note: ASAN gives a more direct verification than the bare segmentation fault. Build with the AddressSanitizer Makefile above (add `-g` to the compile lines as well if you want file:line information for every frame in the report), then compile and install:
```sh
$ make && make install
```
Result:
The result of running without ASAN:
```
$ ./psdump poc
Segmentation fault (core dumped)
```
Information obtained by using ASAN:
```
$ ./psdump poc
==6127==ERROR: AddressSanitizer: negative-size-param: (size=-4000992926)
    #0 0x497e19 in __asan_memset (/home/fuzz/demo/psdump/build/psdump+0x497e19)
    #1 0x591abe in psd_get_layer_unicode_name /home/fuzz/demo/psdump/libpsd-0.9/src/layer_mask.c:80:2
    #2 0x591abe in psd_get_layer_info /home/fuzz/demo/psdump/libpsd-0.9/src/layer_mask.c:625:15
    #3 0x58fb9e in psd_get_layer_and_mask /home/fuzz/demo/psdump/libpsd-0.9/src/layer_mask.c:785:11
    #4 0x5a8e21 in psd_main_loop /home/fuzz/demo/psdump/libpsd-0.9/src/psd.c:194:14
    #5 0x5a8e21 in psd_image_load_tag /home/fuzz/demo/psdump/libpsd-0.9/src/psd.c:81:11
    #6 0x4d0075 in PsdParser::parse() (/home/fuzz/demo/psdump/build/psdump+0x4d0075)
    #7 0x4cb502 in main (/home/fuzz/demo/psdump/build/psdump+0x4cb502)
    #8 0x7f28fa145082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41e6ad in _start (/home/fuzz/demo/psdump/build/psdump+0x41e6ad)

0x7f28e52a1800 is located 0 bytes inside of 293974370-byte region [0x7f28e52a1800,0x7f28f6afc962)
allocated by thread T0 here:
    #0 0x49871d in malloc (/home/fuzz/demo/psdump/build/psdump+0x49871d)
    #1 0x591a54 in psd_get_layer_unicode_name /home/fuzz/demo/psdump/libpsd-0.9/src/layer_mask.c:77:38
    #2 0x591a54 in psd_get_layer_info /home/fuzz/demo/psdump/libpsd-0.9/src/layer_mask.c:625:15
    #3 0x58fb9e in psd_get_layer_and_mask /home/fuzz/demo/psdump/libpsd-0.9/src/layer_mask.c:785:11

SUMMARY: AddressSanitizer: negative-size-param (/home/fuzz/demo/psdump/build/psdump+0x497e19) in __asan_memset
==6127==ABORTING
```
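The two sizes in the report are arithmetically related: -4000992926 is exactly 2 * -2000496463, and 293974370 is that same product reduced modulo 2^32. That is what a signed 32-bit count of -2000496463 (0x88C2D8B1 in the file) would give when multiplied by the two bytes per UTF-16 code unit of the PSD Unicode layer name and passed once through a 32-bit size (the malloc, which then succeeds) and once as a 64-bit size_t (the memset, which then runs far past the buffer). That reading is inferred from the numbers alone; the libpsd source is not on this page. The example below is added here and is not code from psdump or libpsd: it reproduces the size arithmetic with well-defined 64-bit operations and shows a bounds-checked reader for the same field that rejects both a negative count and a positive count larger than the remaining input. All identifiers and the sample buffers are constructed for the example.

```c
/* Added example, not code from psdump or libpsd. The field layout is the PSD
 * "Unicode layer name": 4-byte big-endian count of UTF-16 code units, then
 * the code units. Every identifier and buffer here is made up for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t be32(const uint8_t *p)  /* PSD integer fields are big-endian */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The size arithmetic behind the report: a signed 32-bit count times 2 bytes
 * per code unit, seen once as a 32-bit allocation size and once as a 64-bit
 * size_t. Done in 64 bits so this example has no signed-overflow UB itself. */
typedef struct {
    uint32_t alloc_bytes;  /* product truncated to 32 bits: what malloc got */
    int64_t memset_bytes;  /* product kept in 64 bits: what memset got */
} size_pair;

size_pair sizes_from_signed_length(int32_t count)
{
    int64_t wide = (int64_t)count * 2;
    size_pair s = { (uint32_t)wide, wide };
    return s;
}

/* Hardened reader: the count is unsigned (a negative count has no meaning),
 * is checked against the input actually present before anything is
 * allocated, and the byte size is computed in size_t only after that check. */
enum { UN_OK = 0, UN_TRUNCATED = 1, UN_BAD_LENGTH = 2, UN_OOM = 3 };
typedef struct { uint16_t *units; size_t count; } unicode_name;

int read_unicode_name(const uint8_t *buf, size_t buflen, unicode_name *out)
{
    out->units = NULL;
    out->count = 0;
    if (buflen < 4)
        return UN_TRUNCATED;
    uint32_t n = be32(buf);
    /* Two input bytes per code unit; this also keeps n * 2 from overflowing
     * size_t on a 32-bit host. */
    if (n > (buflen - 4) / 2)
        return UN_BAD_LENGTH;
    size_t bytes = (size_t)n * 2 + 2;  /* +2 keeps n == 0 a valid allocation */
    uint16_t *units = malloc(bytes);
    if (!units)
        return UN_OOM;
    memset(units, 0, bytes);
    for (uint32_t i = 0; i < n; i++)
        units[i] = (uint16_t)(((uint16_t)buf[4 + 2 * i] << 8) | buf[5 + 2 * i]);
    out->units = units;
    out->count = n;
    return UN_OK;
}

/* Wrappers that parse, free the name and return one result each. */
int parse_status(const uint8_t *buf, size_t buflen)
{
    unicode_name u;
    int rc = read_unicode_name(buf, buflen, &u);
    free(u.units);
    return rc;
}

uint16_t unit_at(const uint8_t *buf, size_t buflen, size_t idx)  /* 0 if absent */
{
    unicode_name u;
    uint16_t v = 0;
    if (read_unicode_name(buf, buflen, &u) == UN_OK && idx < u.count)
        v = u.units[idx];
    free(u.units);
    return v;
}

/* Constructed sample buffers (not the PoC from the report). */
const uint8_t name_ok[] = { 0x00, 0x00, 0x00, 0x03,        /* 3 code units */
                            0x00, 'P', 0x00, 'S', 0x00, 'D' };
/* Count 0x88C2D8B1: as a signed 32-bit int this is -2000496463, the value the
 * report's two sizes are consistent with, followed by a few filler bytes. */
const uint8_t name_neg[] = { 0x88, 0xC2, 0xD8, 0xB1, 0x00, 'A', 0x00, 'B' };
/* A positive count that promises more code units than the buffer holds. */
const uint8_t name_short[] = { 0x00, 0x00, 0x00, 0x10, 0x00, 'A' };

int main(void)
{
    size_pair s = sizes_from_signed_length(-2000496463);
    printf("malloc size %u, memset size %lld\n", s.alloc_bytes, (long long)s.memset_bytes);
    printf("ok: status %d, unit[2]=%c\n", parse_status(name_ok, sizeof name_ok),
           unit_at(name_ok, sizeof name_ok, 2));
    printf("negative count: status %d\n", parse_status(name_neg, sizeof name_neg));
    printf("short buffer: status %d\n", parse_status(name_short, sizeof name_short));
    return 0;
}
```

The check that matters is the comparison against `buflen` before `malloc`: it is done on the unsigned count, not on the byte size, so no multiplication can wrap before the length is known to be sane, and a file that promises more code units than it contains is rejected before any memory is touched.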
POC
Poc file is this