Headline

CVE-2021-44335: heap-buffer-overflow in function ok_png_transform_scanline() at ok_png.c:533:20 · Issue #17 · brackeen/ok-file-formats

David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow. When the function of the ok-file-formats project is used, a heap-buffer-overflow occurs in function ok_png_transform_scanline() in "/ok_png.c:533".

2 years ago

CVE

Open in Source

#ubuntu #linux

Version

203defd

Environment

Ubuntu 18.04，64 bit

Testcase

#include <stdio.h> #include <stdlib.h> #include “ok_png.c” #include “ok_png.h”

int main(int _argc, char **_argv) { FILE *file = fopen(_argv[1], “rb”); ok_png image = ok_png_read(file, OK_PNG_COLOR_FORMAT_RGBA ); fclose(file); if (image.data) { printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height); free(image.data); } return 0; }

Command

Compile test program:

$ gcc -g -o main main.c ok_png.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -o asanpng main.c ok_png.h

Result

The result of running without ASAN:

$ ./main heap-buffer-overflow-5.png
free(): invalid pointer
Aborted (core dumped)

Information obtained by using ASAN:

$ ./asanpng heap-buffer-overflow-5.png
=================================================================
==14406==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x0000004e363f bp 0x7ffdc4189f10 sp 0x7ffdc4189f08
WRITE of size 1 at 0x621000002500 thread T0
    #0 0x4e363e in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:533:20
    #1 0x4e363e in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
    #2 0x4e363e in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
    #3 0x4e363e in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
    #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
    #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
    #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
    #7 0x7f574c1aa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
    #1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
    #2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
    #3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
    #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
    #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
    #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
    #7 0x7f574c1aa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:533:20 in ok_png_transform_scanline
Shadow bytes around the buggy address:
  0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==14406==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in function ok_png_transform_scanline() at ok_png.c:533:20.

Poc

Poc file is this.