CVE-2020-21428: FreeImage / Bugs / #299 heap-buffer-overflow in function LoadRGB of PluginDDS.cpp

• Summary
• Files
• Reviews
• Support
• Mailing Lists
• Code
• Tickets ▾
  • Feature Requests
  • Patches
  • Bugs
  • Support Requests
• News
• Discussion
• FreeImage

Menu ▾ ▴

Milestone: None

Status: pending

Labels: None

Priority: 5

Updated: 2021-04-04

Created: 2019-12-04

Private: No

There is a heap-buffer-overflow in function LoadRGB of PluginDDS.cpp whick may cause a code execution or denial of service. Version of Freeimage is 3180. This vulneribility can be reproduced with the attachment image file.
Asan log as below:

==32112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4103e04 at pc 0x08087ebd bp 0xffc70e68 sp 0xffc70a40 WRITE of size 91 at 0xf4103e04 thread T0 #0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc) #1 0x883a341 in _ReadProc(void*, unsigned int, unsigned int, void*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19 #2 0x815b75a in LoadRGB(tagDDSURFACEDESC2 const*, FreeImageIO*, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:649:4 #3 0x815b75a in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:869:9 #4 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24 #5 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22 #6 0x811a7a0 in main /home/FreeImage/test.cpp.cpp:115:8 #7 0xf71fcfb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/…/csu/libc-start.c:308:16 #8 0x806f8f5 in _start (/home/FreeImage/test+0x806f8f5)

0xf4103e04 is located 0 bytes to the right of 1412-byte region [0xf4103880,0xf4103e04) allocated by thread T0 here: #0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675) #1 0x812aa32 in FreeImage_Aligned_Malloc(unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:183:19 #2 0x812aa32 in FreeImage_AllocateBitmap(int, unsigned char*, unsigned int, FREE_IMAGE_TYPE, int, int, int, unsigned int, unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:390:26 #3 0x812b63f in FreeImage_Allocate /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:487:9 #4 0x815b159 in LoadRGB(tagDDSURFACEDESC2 const*, FreeImageIO*, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp #5 0x815b159 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:869:9 #6 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24 #7 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22 #8 0x811a7a0 in main /home/FreeImage/test.cpp.cpp:115:8 #9 0xf71fcfb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/…/csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/FreeImage/test+0x8087ebc) in fread Shadow bytes around the buggy address: 0x3e820770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e820780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e820790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e8207a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e8207b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x3e8207c0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e8207d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e8207e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e8207f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e820800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e820810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==32112==ABORTING

1 Attachments

Discussion

Log in to post a comment.