CVE-2020-23909: AdvanceMAME / Bugs / #285 A heap overflow in pngex.cc:433:4

• Summary
• Files
• Reviews
• Support
• Mailing Lists
• Tickets ▾
  • Patches
  • Feature Requests
  • Bugs
• Discussion
• Donate
• Git ▾
  • advancecd
  • makebootfat

Menu ▾ ▴

Status: open

Owner: nobody

Priority: 5

Updated: 2020-08-06

Created: 2020-08-06

Private: No

System info

Ubuntu x86_64, clang 6.0, advmng (latest master fcf71a)

Command line

./advmng -c -q -e -r -x @@

AddressSanitizer output

================================================================= ==46247==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000075 at pc 0x0000004dff5d bp 0x7ffd0b37a770 sp 0x7ffd0b379f20 READ of size 260 at 0x602000000075 thread T0 #0 0x4dff5c in __asan_memcpy /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23 #1 0x543a90 in png_convert_4(unsigned int, unsigned int, unsigned int, unsigned char*, unsigned int, unsigned char*, unsigned int, unsigned char**, unsigned int*, unsigned int*) /home/seviezhou/advancecomp/pngex.cc:433:4 #2 0x52a28f in extract(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/seviezhou/advancecomp/remng.cc:766:4 #3 0x53208b in extract_all(int, char**) /home/seviezhou/advancecomp/remng.cc:1011:3 #4 0x5356f4 in process(int, char**) /home/seviezhou/advancecomp/remng.cc:1255:3 #5 0x537887 in main /home/seviezhou/advancecomp/remng.cc:1268:3 #6 0x7f7d77b5e83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/…/csu/libc-start.c:291 #7 0x41cec8 in _start (/home/seviezhou/advancecomp/advmng+0x41cec8)

0x602000000075 is located 0 bytes to the right of 5-byte region [0x602000000070,0x602000000075) allocated by thread T0 here: #0 0x4e10d8 in __interceptor_malloc /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88 #1 0x5715be in mng_read_ihdr /home/seviezhou/advancecomp/lib/mng.c:139:18 #2 0x5715be in mng_read /home/seviezhou/advancecomp/lib/mng.c:650 #3 0x56dfa2 in adv_mng_read /home/seviezhou/advancecomp/lib/mng.c:748:9 #4 0x53208b in extract_all(int, char**) /home/seviezhou/advancecomp/remng.cc:1011:3 #5 0x5356f4 in process(int, char**) /home/seviezhou/advancecomp/remng.cc:1255:3 #6 0x537887 in main /home/seviezhou/advancecomp/remng.cc:1268:3 #7 0x7f7d77b5e83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/…/csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23 in __asan_memcpy Shadow bytes around the buggy address: 0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c047fff8000: fa fa fd fa fa fa fd fa fa fa fd fd fa fa[05]fa 0x0c047fff8010: fa fa fd fd fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==46247==ABORTING

1 Attachments

Discussion

Log in to post a comment.