CVE-2019-8383: AdvanceMAME / Bugs / #272 invalid memory address in adv_png_unfilter_8()

An issue was discovered in AdvanceCOMP through 2.1. An invalid memory address occurs in the function adv_png_unfilter_8 in lib/png.c. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.


Status: closed-fixed

Owner: nobody

Priority: 5

Updated: 2019-05-09

Created: 2019-01-03

Private: No

What is the vulnerability -
During our research on advancecomp, we found an invalid memory address in function adv_png_unfilter_8() in file png.c, which gives a SIGSEGV (segmentation fault).

Package - advancecomp
Version - 2.1
Tested environment - Ubuntu 16.04 LTS 32-bit.
Command - ./advpng -z -1 -f $POC

Vulnerable code -

    for(i=0;i<height;++i) {
        unsigned char f = *p++;
        if (f == 0) { /* none */
            p += width;
        }

Debug -

277         unsigned char f = *p++;
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────[ registers ]────
$rax : 0x80661b7d
$rbx : 0x0
$rcx : 0x8000008d
$rdx : 0x80661b7e
$rsp : 0x7fffffffd7d0 → 0x00007fffffffd910 → 0x00007fffffffd9e0 → 0x00007fffffffda90 → 0x00007fffffffdb70 → 0x00007fffffffdc60 → 0x00007fffffffdce0 → 0x00007fffffffddb0
$rbp : 0x7fffffffd7d0 → 0x00007fffffffd910 → 0x00007fffffffd9e0 → 0x00007fffffffda90 → 0x00007fffffffdb70 → 0x00007fffffffdc60 → 0x00007fffffffdce0 → 0x00007fffffffddb0
$rsi : 0x78
$rdi : 0x8000008c
$rip : 0x40c5c7 → <adv_png_unfilter_8+41> movzx eax, BYTE PTR [rax]
$r8  : 0x65ffa0 → 0x0000000000000000
$r9  : 0x1
$r10 : 0x8b8
$r11 : 0x7ffff6fca4f0 → <free+0> push r13
$r12 : 0x402fe0 → <_start+0> xor ebp, ebp
$r13 : 0x7fffffffdee0 → 0x0000000000000005
$r14 : 0x0
$r15 : 0x0
$eflags: [CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$fs: 0x0000  $cs: 0x0033  $gs: 0x0000  $es: 0x0000  $ds: 0x0000  $ss: 0x002b
──────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffd7d0│+0x00: 0x00007fffffffd910 → 0x00007fffffffd9e0 → 0x00007fffffffda90 → 0x00007fffffffdb70 → 0x00007fffffffdc60 → 0x00007fffffffdce0 → 0x00007fffffffddb0 ← $rsp, $rbp
0x00007fffffffd7d8│+0x08: 0x000000000040d8d0 → <adv_png_read_ihdr+2006> jmp 0x40db14 <adv_png_read_ihdr+2586>
0x00007fffffffd7e0│+0x10: 0xb7b6b5b4b3b2b1b0
0x00007fffffffd7e8│+0x18: 0x000000000065fe00 → 0x780000008c000080
0x00007fffffffd7f0│+0x20: 0x000000000065fc60 → 0x00007fff00000001
0x00007fffffffd7f8│+0x28: 0x00007fffffffda50 → 0x8000008d00000000
0x00007fffffffd800│+0x30: 0x00007fffffffda68 → 0x0000000000000000
0x00007fffffffd808│+0x38: 0x00007fffffffda4c → 0x000000000000007e ("~"?)
──────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
   0x40c5b7 <adv_png_unfilter_8+25> test BYTE PTR [rdx], 0x0
   0x40c5ba <adv_png_unfilter_8+28> add BYTE PTR [rax-0x75], cl
   0x40c5bd <adv_png_unfilter_8+31> rex.RB movabs al, ds:0xa055894801508d48
 → 0x40c5c7 <adv_png_unfilter_8+41> movzx eax, BYTE PTR [rax]
   0x40c5ca <adv_png_unfilter_8+44> mov BYTE PTR [rbp-0x41], al
   0x40c5cd <adv_png_unfilter_8+47> cmp BYTE PTR [rbp-0x41], 0x0
   0x40c5d1 <adv_png_unfilter_8+51> jne 0x40c5df <adv_png_unfilter_8+65>
   0x40c5d3 <adv_png_unfilter_8+53> mov eax, DWORD PTR [rbp-0x54]
   0x40c5d6 <adv_png_unfilter_8+56> add QWORD PTR [rbp-0x60], rax
──────────────────────────────────────────────────────────[ source:lib/png.c+277 ]────
    272 void adv_png_unfilter_8(unsigned width, unsigned height, unsigned char* p, unsigned line)
    273 {
    274     unsigned i, j;
    275
    276     for(i=0;i<height;++i) {   // f=0x0, p=0x00007fffffffd770 → 0x0000000080661b7e
 →  277         unsigned char f = *p++;
    278
    279         if (f == 0) { /* none */
    280             p += width;
    281         } else if (f == 1) { /* sub */
    282             ++p;
──────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "advpng", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────[ trace ]────
[#0] 0x40c5c7 → Name: adv_png_unfilter_8(width=0x8000008c, height=0x78, p=0x80661b7e <error: Cannot access memory at address 0x80661b7e>, line=0x8000008d)
[#1] 0x40d8d0 → Name: adv_png_read_ihdr(pix_width=0x7fffffffda44, pix_height=0x7fffffffda48, pix_pixel=0x7fffffffda40, dat_ptr=0x7fffffffda58, dat_size=0x7fffffffda3c, pix_ptr=0x7fffffffda70, pix_scanline=0x7fffffffda54, pal_ptr=0x7fffffffda60, pal_size=0x7fffffffda4c, rns_ptr=0x7fffffffda68, rns_size=0x7fffffffda50, f=0x65fc60, data=0x65fe00 "\200", data_size=0xd)
[#2] 0x40dc94 → Name: adv_png_read_rns(pix_width=0x7fffffffda44, pix_height=0x7fffffffda48, pix_pixel=0x7fffffffda40, dat_ptr=0x7fffffffda58, dat_size=0x7fffffffda3c, pix_ptr=0x7fffffffda70, pix_scanline=0x7fffffffda54, pal_ptr=0x7fffffffda60, pal_size=0x7fffffffda4c, rns_ptr=0x7fffffffda68, rns_size=0x7fffffffda50, f=0x65fc60)
[#3] 0x4037dd → Name: convert_f(f_in=0x65fc60, f_out=0x65fd30)
[#4] 0x403a62 → Name: convert_inplace(path="$POC")
[#5] 0x404209 → Name: rezip_single(file="id:000000,sig:11,src:000000,op:flip1,pos:16", total_0=@0x7fffffffdc90, total_1=@0x7fffffffdc98)
[#6] 0x4045a1 → Name: rezip_all(argc=0x1, argv=0x7fffffffdf08)
[#7] 0x404df0 → Name: process(argc=0x5, argv=0x7fffffffdee8)
[#8] 0x404fba → Name: main(argc=0x5, argv=0x7fffffffdee8)

The same can be reproduced with the attached reproducer.
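The trace above shows why the loop faults: width (0x8000008c) and height (0x78) come straight from the IHDR chunk, and the unfilter loop advances p by one filter byte plus width pixel bytes per row without ever comparing that walk against the size of the buffer it was handed. The added example below is not code from the report or from AdvanceCOMP; it is a bounds-checked counterpart of the 8-bit unfilter loop, written to show the check a parser needs before trusting header-supplied dimensions. The helper name png_unfilter_8_checked, its len parameter and the sample pixel rows are assumptions made for this example; the IHDR values 0x8000008c and 0x78 are taken from the trace.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened unfilter for 8-bit-per-pixel PNG rows (1 filter byte
 * followed by width pixel bytes per row). Unlike the loop quoted in the
 * report, the caller passes the buffer length and the function refuses to
 * walk past it. Returns 0 on success, -1 on an oversized header or an
 * unknown filter type. Not AdvanceCOMP code. */
int png_unfilter_8_checked(unsigned width, unsigned height,
                           unsigned char *p, size_t len)
{
    if (width == UINT_MAX)
        return -1;                           /* width + 1 would wrap to 0 */
    size_t stride = (size_t)width + 1;
    if (height != 0 && stride > SIZE_MAX / height)
        return -1;                           /* stride * height would overflow */
    size_t need = stride * height;
    if (need > len)
        return -1;                           /* IHDR promises more rows than we hold */

    const unsigned char *prev = NULL;        /* previous, already unfiltered row */
    for (unsigned i = 0; i < height; ++i) {
        unsigned char f = p[0];
        unsigned char *row = p + 1;
        if (f > 4)
            return -1;                       /* PNG defines filter types 0..4 only */
        for (unsigned j = 0; j < width; ++j) {
            unsigned a = j ? row[j - 1] : 0;             /* left   */
            unsigned b = prev ? prev[j] : 0;             /* up     */
            unsigned c = (j && prev) ? prev[j - 1] : 0;  /* up-left */
            unsigned pred = 0;
            switch (f) {
            case 1: pred = a; break;                     /* Sub     */
            case 2: pred = b; break;                     /* Up      */
            case 3: pred = (a + b) / 2; break;           /* Average */
            case 4: {                                    /* Paeth   */
                int pa = abs((int)b - (int)c);
                int pb = abs((int)a - (int)c);
                int pc = abs((int)a + (int)b - 2 * (int)c);
                pred = (pa <= pb && pa <= pc) ? a : (pb <= pc ? b : c);
                break;
            }
            default: break;                              /* None    */
            }
            row[j] = (unsigned char)(row[j] + pred);
        }
        prev = row;
        p += stride;                          /* same stride the original walks */
    }
    return 0;
}

/* The IHDR values from the crash trace against a small real buffer: the
 * checked version returns -1 instead of dereferencing 0x80661b7e. */
int demo_crafted_header_rejected(void)
{
    unsigned char buf[64] = {0};
    return png_unfilter_8_checked(0x8000008cu, 0x78u, buf, sizeof buf);
}

/* A sane header whose data is simply truncated (needs 8 bytes, has 7). */
int demo_truncated_rejected(void)
{
    unsigned char buf[7] = {0};
    return png_unfilter_8_checked(3, 2, buf, sizeof buf);
}

/* Constructed 3x2 8-bit image: row 0 filtered with Sub, row 1 with Up.
 * Returns 1 when the reconstructed pixels match the expected values. */
int demo_unfilter_ok(void)
{
    unsigned char img[] = { 1, 10, 5, 5,      /* Sub: 10, 15, 20 */
                            2,  1, 1, 1 };    /* Up:  11, 16, 21 */
    static const unsigned char want[] = { 1, 10, 15, 20,
                                          2, 11, 16, 21 };
    if (png_unfilter_8_checked(3, 2, img, sizeof img) != 0)
        return 0;
    return memcmp(img, want, sizeof img) == 0;
}

int main(void)
{
    printf("crafted IHDR rejected:   %s\n", demo_crafted_header_rejected() == -1 ? "yes" : "no");
    printf("truncated data rejected: %s\n", demo_truncated_rejected() == -1 ? "yes" : "no");
    printf("sample image unfiltered: %s\n", demo_unfilter_ok() ? "ok" : "mismatch");
    return 0;
}
```

On a 64-bit build the crafted header fails the need > len comparison; on a 32-bit build such as the reporter's Ubuntu 16.04 environment, stride * height (roughly 0x3C00004218) already exceeds SIZE_MAX, so the overflow guard fires first. Either way the decoder rejects the file before any row is read, which is the behaviour a fix for this class of bug should give.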
