
SEGV on unknown address due to vulnerability in heif-forked lib

Open Nalen98 opened this issue 3 years ago • 0 comments

Greetings. While researching this repository I crafted a malformed HEIF input that crashes tifig inside `ItemDataBox::read(std::vector<unsigned char>&, unsigned long, unsigned long)` at lib/heif/Srcs/common/itemdatabox.cpp:25.

PoC: PoC.zip

Triggered by:

$ ./tifig -v -p PoC.heic out.jpg
Segmentation fault

ASAN report:

$ ./tifig -v -p PoC.heic out.jpg
AddressSanitizer:DEADLYSIGNAL
=================================================================
==671204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2526563d82 bp 0x7ffd480017a0 sp 0x7ffd48000f08 T0)
==671204==The signal is caused by a READ memory access.
==671204==Hint: address points to the zero page.
    #0 0x7f2526563d81  (/lib/x86_64-linux-gnu/libc.so.6+0xbed81)
    #1 0x7f25287be36e  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b36e)
    #2 0x559c6ae9c034 in unsigned char* std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/9/bits/stl_algobase.h:386
    #3 0x559c6ae9c034 in unsigned char* std::__copy_move_a<false, unsigned char const*, unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/9/bits/stl_algobase.h:404
    #4 0x559c6ae9c034 in unsigned char* std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/include/c++/9/bits/stl_algobase.h:440
    #5 0x559c6ae9c034 in unsigned char* std::copy<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/include/c++/9/bits/stl_algobase.h:474
    #6 0x559c6ae9c034 in unsigned char* std::__uninitialized_copy<true>::__uninit_copy<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/include/c++/9/bits/stl_uninitialized.h:101
    #7 0x559c6ae9c034 in unsigned char* std::uninitialized_copy<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/include/c++/9/bits/stl_uninitialized.h:140
    #8 0x559c6ae9c034 in unsigned char* std::__uninitialized_copy_a<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*, unsigned char>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*, std::allocator<unsigned char>&) /usr/include/c++/9/bits/stl_uninitialized.h:307
    #9 0x559c6ae9c034 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag) /usr/include/c++/9/bits/vector.tcc:778
    #10 0x559c6ae9c034 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_insert_dispatch<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::__false_type) /usr/include/c++/9/bits/stl_vector.h:1662
    #11 0x559c6ae9c034 in __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > std::vector<unsigned char, std::allocator<unsigned char> >::insert<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, void>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >) /usr/include/c++/9/bits/stl_vector.h:1380
    #12 0x559c6ae9c034 in ItemDataBox::read(std::vector<unsigned char, std::allocator<unsigned char> >&, unsigned long, unsigned long) const /home/nale/tifig-0.2.3/lib/heif/Srcs/common/itemdatabox.cpp:25
    #13 0x559c6ad0e6df in HevcImageFileReader::readItem(MetaBox const&, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) const /home/nale/tifig-0.2.3/lib/heif/Srcs/reader/hevcimagefilereader.cpp:2016
    #14 0x559c6ad68a78 in HevcImageFileReader::loadItemData(MetaBox const&, unsigned int) const /home/nale/tifig-0.2.3/lib/heif/Srcs/reader/hevcimagefilereader.cpp:1965
    #15 0x559c6ad68a78 in HevcImageFileReader::extractItems(MetaBox const&, unsigned int) const /home/nale/tifig-0.2.3/lib/heif/Srcs/reader/hevcimagefilereader.cpp:1920
    #16 0x559c6ad75bd9 in HevcImageFileReader::readStream() /home/nale/tifig-0.2.3/lib/heif/Srcs/reader/hevcimagefilereader.cpp:1124
    #17 0x559c6ad7fcc3 in HevcImageFileReader::initialize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/nale/tifig-0.2.3/lib/heif/Srcs/reader/hevcimagefilereader.cpp:65
    #18 0x559c6ab46b74 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/nale/tifig-0.2.3/src/main.cpp:49
    #19 0x559c6ab2d8f7 in main /home/nale/tifig-0.2.3/src/main.cpp:179
    #20 0x7f25264cc0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #21 0x559c6ab342cd in _start (/home/nale/tifig-0.2.3/build/tifig+0x5d2cd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbed81) 
==671204==ABORTING

GDB info:

(The GDB output was attached as a screenshot and is not reproduced in this text capture.)

Your repository vendors an old version of the heif library; compare the vendored copy (current heif) against upstream (updated heif) for the relevant changes. Note that the ASAN report above shows a READ of address 0x0 (the zero page) from the element-copy loop under `std::vector::insert`, called from `ItemDataBox::read`; this looks like the source iterator range for the copy being built from an item offset/length that is not validated against the box's actual data size before use, although that should be confirmed against the code at itemdatabox.cpp:25. A zero-page read is a crash (denial of service) in this PoC, but the same unchecked range could equally address memory past the end of the buffer with a different offset, so it should be treated as a memory-safety bug rather than only a null-pointer crash until the range is bounds-checked.

Environment:
- Host operating system and version: Ubuntu 20.04.2 LTS
- Host CPU architecture: x86_64
