
Heap buffer overflow on cmft::imageLoadTga

Open strongcourage opened this issue 5 years ago • 0 comments

Hi,

Our fuzzer found a crash due to a heap buffer overflow on the function cmft::imageLoadTga. I built cmft (the latest commit 06a3516 on master) using the configuration "release64" on Ubuntu 16.04 (64-bit).

PoC_hbo_imageLoadTga: https://github.com/strongcourage/PoCs/blob/master/cmft_06a3516/PoC_hbo_imageLoadTga

cmftRelease --input PoC_hbo_imageLoadTga --output0 /dev/null
CMFT info: Converting octant image to cubemap.
*** Error in `./cmftRelease': free(): invalid next size (normal): 0x0000000002513ea0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fd312c387e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fd312c4137a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fd312c4553c]
./cmftRelease[0x41dbc1]
./cmftRelease[0x41812a]
./cmftRelease[0x43cc05]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fd312be1830]
./cmftRelease[0x402269]
======= Memory map: ========
00400000-0044e000 r-xp 00000000 103:01 3678247                           /home/dungnguyen/PoCs/cmft_06a3516/cmftRelease
0064d000-0064e000 r--p 0004d000 103:01 3678247                           /home/dungnguyen/PoCs/cmft_06a3516/cmftRelease
0064e000-0064f000 rw-p 0004e000 103:01 3678247                           /home/dungnguyen/PoCs/cmft_06a3516/cmftRelease
0064f000-006a2000 rw-p 00000000 00:00 0 
02501000-02533000 rw-p 00000000 00:00 0                                  [heap]
7fd30c000000-7fd30c021000 rw-p 00000000 00:00 0 
7fd30c021000-7fd310000000 ---p 00000000 00:00 0 
7fd312bc1000-7fd312d81000 r-xp 00000000 103:03 4718690                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd312d81000-7fd312f81000 ---p 001c0000 103:03 4718690                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd312f81000-7fd312f85000 r--p 001c0000 103:03 4718690                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd312f85000-7fd312f87000 rw-p 001c4000 103:03 4718690                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd312f87000-7fd312f8b000 rw-p 00000000 00:00 0 
7fd312f8b000-7fd312fa1000 r-xp 00000000 103:03 4723208                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd312fa1000-7fd3131a0000 ---p 00016000 103:03 4723208                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd3131a0000-7fd3131a1000 rw-p 00015000 103:03 4723208                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd3131a1000-7fd3132a9000 r-xp 00000000 103:03 4723188                   /lib/x86_64-linux-gnu/libm-2.23.so
7fd3132a9000-7fd3134a8000 ---p 00108000 103:03 4723188                   /lib/x86_64-linux-gnu/libm-2.23.so
7fd3134a8000-7fd3134a9000 r--p 00107000 103:03 4723188                   /lib/x86_64-linux-gnu/libm-2.23.so
7fd3134a9000-7fd3134aa000 rw-p 00108000 103:03 4723188                   /lib/x86_64-linux-gnu/libm-2.23.so
7fd3134aa000-7fd31361c000 r-xp 00000000 103:03 5376129                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd31361c000-7fd31381c000 ---p 00172000 103:03 5376129                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd31381c000-7fd313826000 r--p 00172000 103:03 5376129                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd313826000-7fd313828000 rw-p 0017c000 103:03 5376129                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd313828000-7fd31382c000 rw-p 00000000 00:00 0 
7fd31382c000-7fd313844000 r-xp 00000000 103:03 4718677                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd313844000-7fd313a43000 ---p 00018000 103:03 4718677                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd313a43000-7fd313a44000 r--p 00017000 103:03 4718677                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd313a44000-7fd313a45000 rw-p 00018000 103:03 4718677                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd313a45000-7fd313a49000 rw-p 00000000 00:00 0 
7fd313a49000-7fd313a4c000 r-xp 00000000 103:03 4718675                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fd313a4c000-7fd313c4b000 ---p 00003000 103:03 4718675                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fd313c4b000-7fd313c4c000 r--p 00002000 103:03 4718675                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fd313c4c000-7fd313c4d000 rw-p 00003000 103:03 4718675                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fd313c4d000-7fd313c54000 r-xp 00000000 103:03 4718609                   /lib/x86_64-linux-gnu/librt-2.23.so
7fd313c54000-7fd313e53000 ---p 00007000 103:03 4718609                   /lib/x86_64-linux-gnu/librt-2.23.so
7fd313e53000-7fd313e54000 r--p 00006000 103:03 4718609                   /lib/x86_64-linux-gnu/librt-2.23.so
7fd313e54000-7fd313e55000 rw-p 00007000 103:03 4718609                   /lib/x86_64-linux-gnu/librt-2.23.so
7fd313e55000-7fd313e7b000 r-xp 00000000 103:03 4718676                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd31404a000-7fd314051000 rw-p 00000000 00:00 0 
7fd314079000-7fd31407a000 rw-p 00000000 00:00 0 
7fd31407a000-7fd31407b000 r--p 00025000 103:03 4718676                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd31407b000-7fd31407c000 rw-p 00026000 103:03 4718676                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd31407c000-7fd31407d000 rw-p 00000000 00:00 0 
7ffe419b8000-7ffe419da000 rw-p 00000000 00:00 0                          [stack]
7ffe419dd000-7ffe419e0000 r--p 00000000 00:00 0                          [vvar]
7ffe419e0000-7ffe419e2000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

ASAN says:

cmftRelease-asan --input PoC_hbo_imageLoadTga --output0 /dev/null
=================================================================
==18117==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x7f26c41d7904 bp 0x7fff6b3bb500 sp 0x7fff6b3baca8
WRITE of size 3 at 0x60400000e000 thread T0
    #0 0x7f26c41d7903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x434027 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x434027 in cmft::imageLoadTga(cmft::Image&, cmft::Rw*, cmft::AllocatorI*) ../../src/cmft/image.cpp:4942
    #3 0x4344b3 in cmft::imageLoad(cmft::Image&, cmft::Rw*, cmft::TextureFormat::Enum, cmft::AllocatorI*) ../../src/cmft/image.cpp:5039
    #4 0x4348a9 in cmft::imageLoad(cmft::Image&, char const*, cmft::TextureFormat::Enum, cmft::AllocatorI*) ../../src/cmft/image.cpp:5062
    #5 0x475600 in cmftMain(int, char const* const*) ../../src/cmft_cli/cmft_cli.h:895
    #6 0x7f26c2ed782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x403608 in _start (/home/dungnguyen/PoCs/cmft_06a3516/cmftRelease-asan+0x403608)

0x60400000e000 is located 0 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7f26c41e3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x433f18 in cmft::imageLoadTga(cmft::Image&, cmft::Rw*, cmft::AllocatorI*) ../../src/cmft/image.cpp:4899

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==18117==ABORTING

Thanks, Manh Dung

strongcourage, May 27 '19 13:05
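The ASan report above says everything a maintainer needs to start from: a 48-byte heap region allocated at image.cpp:4899 and a 3-byte memcpy at image.cpp:4942 that lands exactly at offset 48, i.e. one 24-bit pixel past the end of the pixel buffer. The report does not show the loader's code, so the block below is an added example and not cmft's imageLoadTga: a constructed, bounds-checked decoder for TGA truecolor images (uncompressed type 2 and RLE type 10) in which the allocation is sized from the header and every packet is checked against the remaining destination capacity and the remaining input before any memcpy. The header layout and packet encoding are the standard TGA ones; the function and type names, and the sample files built by build_sample_tga, are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Header fields the decoder needs (constructed example, not cmft's code). */
typedef struct {
    uint8_t  idLength;
    uint8_t  imageType;     /* 2 = uncompressed truecolor, 10 = RLE truecolor */
    uint16_t width, height;
    uint8_t  bytesPerPixel;
} TgaInfo;

/* Parse the fixed 18-byte TGA header. Returns 0 on success, -1 on malformed input. */
static int tga_parse_header(const uint8_t *buf, size_t len, TgaInfo *info)
{
    if (len < 18) return -1;
    info->idLength  = buf[0];
    info->imageType = buf[2];
    info->width  = (uint16_t)(buf[12] | (buf[13] << 8));
    info->height = (uint16_t)(buf[14] | (buf[15] << 8));
    uint8_t bpp = buf[16];
    if (bpp != 24 && bpp != 32) return -1;      /* example handles truecolor only */
    info->bytesPerPixel = bpp / 8;
    if (info->width == 0 || info->height == 0) return -1;
    return 0;
}

/* Decode pixel data into a buffer of exactly width*height*bytesPerPixel bytes.
 * Each packet is checked against the remaining destination capacity and the
 * remaining input, so a stream that announces more pixels than the header
 * promised is rejected rather than written past the allocation.
 * Returns 0 on success (caller frees *outPixels), -1 on error. */
int tga_decode(const uint8_t *buf, size_t len, uint8_t **outPixels, size_t *outLen)
{
    TgaInfo h;
    if (tga_parse_header(buf, len, &h) != 0) return -1;

    /* 16-bit width/height and bpp <= 4: the product fits in size_t on any platform */
    size_t dstLen = (size_t)h.width * h.height * h.bytesPerPixel;
    size_t src = 18 + (size_t)h.idLength;
    if (src > len) return -1;

    uint8_t *dst = malloc(dstLen);
    if (!dst) return -1;
    size_t written = 0;

    if (h.imageType == 2) {
        if (len - src < dstLen) { free(dst); return -1; }   /* truncated input */
        memcpy(dst, buf + src, dstLen);
        written = dstLen;
    } else if (h.imageType == 10) {
        while (written < dstLen) {
            if (src >= len) { free(dst); return -1; }        /* ran out of packets */
            uint8_t packet = buf[src++];
            size_t count = (size_t)(packet & 0x7f) + 1;
            size_t bytes = count * h.bytesPerPixel;
            if (bytes > dstLen - written) { free(dst); return -1; }  /* over-emission */
            if (packet & 0x80) {
                /* run-length packet: one pixel value repeated count times */
                if (len - src < h.bytesPerPixel) { free(dst); return -1; }
                for (size_t i = 0; i < count; i++) {
                    memcpy(dst + written, buf + src, h.bytesPerPixel);
                    written += h.bytesPerPixel;
                }
                src += h.bytesPerPixel;
            } else {
                /* raw packet: count literal pixels follow */
                if (len - src < bytes) { free(dst); return -1; }
                memcpy(dst + written, buf + src, bytes);
                written += bytes;
                src += bytes;
            }
        }
    } else {
        free(dst);
        return -1;                                          /* unsupported image type */
    }
    *outPixels = dst;
    *outLen = written;
    return 0;
}

/* Constructed sample: a 4x4, 24-bpp RLE TGA (48-byte pixel buffer). With overEmit
 * set, the packet stream tries to produce 17 pixels, the same shape of fault as a
 * one-pixel write past a 48-byte region. Returns the file length. */
size_t build_sample_tga(uint8_t *out, int overEmit)
{
    memset(out, 0, 18);
    out[2] = 10; out[12] = 4; out[14] = 4; out[16] = 24;
    size_t n = 18;
    const uint8_t px[3] = {0x11, 0x22, 0x33};
    if (!overEmit) {
        out[n++] = 0x80 | 15;                 /* run of 16 pixels: exactly fills 48 bytes */
        memcpy(out + n, px, 3); n += 3;
    } else {
        out[n++] = 0x80 | 14;                 /* run of 15 pixels: 45 bytes */
        memcpy(out + n, px, 3); n += 3;
        out[n++] = 0x01;                      /* raw packet of 2 pixels: would end at byte 51 */
        memcpy(out + n, px, 3); n += 3;
        memcpy(out + n, px, 3); n += 3;
    }
    return n;
}

int main(void)
{
    uint8_t file[64]; uint8_t *pixels; size_t pixelLen;
    size_t n = build_sample_tga(file, 0);
    printf("well-formed: %s\n", tga_decode(file, n, &pixels, &pixelLen) == 0 ? "decoded" : "rejected");
    free(pixels);
    n = build_sample_tga(file, 1);
    printf("over-emitting: %s\n", tga_decode(file, n, &pixels, &pixelLen) == 0 ? "decoded" : "rejected");
    return 0;
}
```

The checks that matter are the two comparisons against `dstLen - written` and `len - src` before each memcpy; the loop condition alone is not enough, because a single packet can carry more pixels than the space that remains. Fuzzing a decoder like this with ASan enabled, as the reporter did, is the fastest way to confirm both branches are actually reached.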