LuPng icon indicating copy to clipboard operation
LuPng copied to clipboard
verified publisher icon jansol

AddressSanitizer: heap-buffer-overflow in mz_zip_reader_end_internal /LuPng/miniz.h:5166

Open ambrosecm opened this issue 9 months ago • 1 comments

Desctiption

When using the mz_zip_reader_end_internal function to handle a specific input. AddressSanitizer: heap-buffer-overflow in mz_zip_reader_end_internal /LuPng/miniz.h:5166

https://github.com/jansol/LuPng/blob/5ec546e0d16d0fb9316967949b2676227eb93736/miniz.h#L5159-L5166

Test Environment

Ubuntu 22.04.1, 64bit LuPng(commits on Aug 28, 2021 master https://github.com/jansol/LuPng/commit/5ec546e0d16d0fb9316967949b2676227eb93736) program source file

How to trigger

Download the poc file , program and run the following cmd:

 $ ./mz_zip_reader_end_internal ./poc2

Detail

ASAN report

(gdb) r
Starting program: /home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/crashes/miniz.h/generate/mz_zip_reader_end_internal/mz_zip_reader_end_internal output/default/crashes/id:000000,sig:06,src:000000,time:1482,execs:418,op:havoc,rep:14
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
=================================================================
==3189289==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c6ff6c20088 at pc 0x5555556cb413 bp 0x7fffffffd660 sp 0x7fffffffd658
READ of size 8 at 0x7c6ff6c20088 thread T0
[Detaching after fork from child process 3189292]
    #0 0x5555556cb412 in mz_zip_reader_end_internal /home/ambrose/vsproject/TestLib/LuPng/miniz.h:5166:17
    #1 0x55555577f8a3 in main /home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/harness/code/miniz.h/generate/mz_zip_reader_end_internal.c:35:22
    #2 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x555555583434 in _start (/home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/crashes/miniz.h/generate/mz_zip_reader_end_internal/mz_zip_reader_end_internal+0x2f434) (BuildId: 6993946742c815606daff5bb4998043f1c87efb0)

0x7c6ff6c20088 is located 26 bytes after 78-byte region [0x7c6ff6c20020,0x7c6ff6c2006e)
allocated by thread T0 here:
    #0 0x555555626424 in malloc (/home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/crashes/miniz.h/generate/mz_zip_reader_end_internal/mz_zip_reader_end_internal+0xd2424) (BuildId: 6993946742c815606daff5bb4998043f1c87efb0)
    #1 0x55555577f7b6 in main /home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/harness/code/miniz.h/generate/mz_zip_reader_end_internal.c:24:18
    #2 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ambrose/vsproject/TestLib/LuPng/miniz.h:5166:17 in mz_zip_reader_end_internal
Shadow bytes around the buggy address:
  0x7c6ff6c1fe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7c6ff6c1fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7c6ff6c1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7c6ff6c1ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7c6ff6c20000: fa fa fa fa 00 00 00 00 00 00 00 00 00 06 fa fa
=>0x7c6ff6c20080: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c6ff6c20100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c6ff6c20180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c6ff6c20200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c6ff6c20280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c6ff6c20300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3189289==ABORTING
[Inferior 1 (process 3189289) exited with code 01]

ambrosecm avatar Mar 24 '25 08:03 ambrosecm

Hi! Thanks for the reports. Do the failures in miniz.h still occur if you replace that file with the latest release from https://github.com/richgel999/miniz/releases? If so, it's probably better to report the miniz.h errors to that repo.

jansol avatar Mar 24 '25 08:03 jansol