CVE-2023-36183: [BUG] Heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp · Issue #3871 · OpenImageIO/oiio
Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.
Describe the bug:
Hi, I found a heap-buffer-overflow in the function ICOInput::readimg in the file src/ico.imageio/icoinput.cpp.
To Reproduce:
Steps to reproduce the behavior:
- CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake … -DCMAKE_CXX_STANDARD=17
- make && make install
- iconvert poc /tmp/res
poc file:
poc1.zip
Evidence:
==617==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a602 at pc 0x7f30d95a9823 bp 0x7ffc9cd71f10 sp 0x7ffc9cd71f08
READ of size 1 at 0x60200000a602 thread T0
#0 0x7f30d95a9822 in OpenImageIO_v2_4::ICOInput::readimg() /root/github/oiio-2.4.11.0_1/src/ico.imageio/icoinput.cpp:326:36
#1 0x7f30d95aa6c2 in OpenImageIO_v2_4::ICOInput::read_native_scanline(int, int, int, int, void*) /root/github/oiio-2.4.11.0_1/src/ico.imageio/icoinput.cpp:429:14
#2 0x7f30d90fd4e0 in OpenImageIO_v2_4::ImageInput::read_native_scanlines(int, int, int, int, int, void*) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageinput.cpp:399:19
#3 0x7f30d90fd9c2 in OpenImageIO_v2_4::ImageInput::read_native_scanlines(int, int, int, int, int, int, int, void*) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageinput.cpp:420:16
#4 0x7f30d90fad9e in OpenImageIO_v2_4::ImageInput::read_scanlines(int, int, int, int, int, int, int, OpenImageIO_v2_4::TypeDesc, void*, long, long) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageinput.cpp:336:15
#5 0x7f30d9109c51 in OpenImageIO_v2_4::ImageInput::read_image(int, int, int, int, OpenImageIO_v2_4::TypeDesc, void*, long, long, long, bool (*)(void*, float), void*) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageinput.cpp:967:23
#6 0x7f30d9197dd7 in OpenImageIO_v2_4::ImageOutput::copy_image(OpenImageIO_v2_4::ImageInput*) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageoutput.cpp:588:19
#7 0x5620dac9426c in convert_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/github/oiio-2.4.11.0_1/src/iconvert/iconvert.cpp:449:27
#8 0x5620dac99221 in main /root/github/oiio-2.4.11.0_1/src/iconvert/iconvert.cpp:523:14
#9 0x7f30d6b32d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#10 0x7f30d6b32e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#11 0x5620dabd1054 in _start (/root/github/oiio-2.4.11.0_1/dist/bin/iconvert+0x28054) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)
0x60200000a602 is located 10 bytes to the right of 8-byte region [0x60200000a5f0,0x60200000a5f8)
allocated by thread T0 here:
#0 0x5620dac8ec6d in operator new(unsigned long) (/root/github/oiio-2.4.11.0_1/dist/bin/iconvert+0xe5c6d) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)
#1 0x7f30d95a7924 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/11/…/…/…/…/include/c++/11/ext/new_allocator.h:127:27
#2 0x7f30d95a7924 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/…/…/…/…/include/c++/11/bits/alloc_traits.h:464:20
#3 0x7f30d95a7924 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/…/…/…/…/include/c++/11/bits/stl_vector.h:346:20
#4 0x7f30d95a7924 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/…/…/…/…/include/c++/11/bits/stl_vector.h:361:33
#5 0x7f30d95a7924 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/11/…/…/…/…/include/c++/11/bits/stl_vector.h:305:9
#6 0x7f30d95a7924 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/11/…/…/…/…/include/c++/11/bits/stl_vector.h:511:9
#7 0x7f30d95a7924 in OpenImageIO_v2_4::ICOInput::readimg() /root/github/oiio-2.4.11.0_1/src/ico.imageio/icoinput.cpp:308:32
#8 0x7f30d95aa6c2 in OpenImageIO_v2_4::ICOInput::read_native_scanline(int, int, int, int, void*) /root/github/oiio-2.4.11.0_1/src/ico.imageio/icoinput.cpp:429:14
#9 0x7f30d90fd4e0 in OpenImageIO_v2_4::ImageInput::read_native_scanlines(int, int, int, int, int, void*) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageinput.cpp:399:19
#10 0x7f30d90fd9c2 in OpenImageIO_v2_4::ImageInput::read_native_scanlines(int, int, int, int, int, int, int, void*) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageinput.cpp:420:16
#11 0x7f30d90fad9e in OpenImageIO_v2_4::ImageInput::read_scanlines(int, int, int, int, int, int, int, OpenImageIO_v2_4::TypeDesc, void*, long, long) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageinput.cpp:336:15
#12 0x7f30d9109c51 in OpenImageIO_v2_4::ImageInput::read_image(int, int, int, int, OpenImageIO_v2_4::TypeDesc, void*, long, long, long, bool (*)(void*, float), void*) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageinput.cpp:967:23
#13 0x7f30d9197dd7 in OpenImageIO_v2_4::ImageOutput::copy_image(OpenImageIO_v2_4::ImageInput*) /root/github/oiio-2.4.11.0_1/src/libOpenImageIO/imageoutput.cpp:588:19
#14 0x5620dac9426c in convert_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/github/oiio-2.4.11.0_1/src/iconvert/iconvert.cpp:449:27
#15 0x5620dac99221 in main /root/github/oiio-2.4.11.0_1/src/iconvert/iconvert.cpp:523:14
#16 0x7f30d6b32d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/github/oiio-2.4.11.0_1/src/ico.imageio/icoinput.cpp:326:36 in OpenImageIO_v2_4::ICOInput::readimg()
Shadow bytes around the buggy address:
0x0c047fff9470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9480: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9490: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 00 07
0x0c047fff94a0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
0x0c047fff94b0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 fa
=>0x0c047fff94c0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==617==ABORTING
Platform information:
OIIO branch/version: 2.4.12
OS: Linux
C++ compiler: clang-14.0.6
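Reading the report above: the std::vector<unsigned char> allocated at icoinput.cpp:308 is 8 bytes long ([0x60200000a5f0, 0x60200000a5f8)), and the 1-byte READ at icoinput.cpp:326 hits 0x60200000a602, which is 10 bytes past the end of that region, i.e. element index 18 of an 8-element buffer. The example below is added here to illustrate that bug class and its fix; it is not code from OpenImageIO or from the reporter, the toy "palette + indices" layout is constructed for the example, and it does not describe the actual logic at icoinput.cpp:326 or the root cause, which the report does not give. The two small helpers reproduce the offset arithmetic from the ASan numbers; the decoder pair shows a file-derived index used against a heap vector unchecked (the pattern ASan flags) next to the bounds-checked form.

```cpp
// Added example: bug-class illustration, not OpenImageIO code. Toy format only.
#include <cstddef>
#include <cstdint>
#include <vector>

// Byte offset of a faulting access relative to the heap region ASan reports.
// Positive = past the end ("to the right"), negative = before the start, 0 = inside.
long long asan_offset_from_region(std::uint64_t begin, std::uint64_t end, std::uint64_t addr) {
    if (addr >= end) return static_cast<long long>(addr - end);
    if (addr < begin) return -static_cast<long long>(begin - addr);
    return 0;
}

// Element index the faulting byte corresponds to in a byte buffer starting at `begin`.
std::size_t asan_element_index(std::uint64_t begin, std::uint64_t addr) {
    return static_cast<std::size_t>(addr - begin);
}

// Constructed toy layout: [0] = palette entry count n, [1..n] = palette bytes,
// [n+1] = pixel count m, [n+2 .. n+1+m] = one palette index per pixel.
struct Decoded {
    bool ok;
    std::vector<std::uint8_t> pixels;
};

// Unchecked decoder: the palette vector is sized from one header field, but each
// pixel's index comes straight from the file, so a crafted index reads past the
// heap buffer. Under ASan this is exactly a "heap-buffer-overflow READ of size 1".
// Never run this on untrusted input; the out-of-range read is undefined behaviour.
Decoded decode_unchecked(const std::vector<std::uint8_t>& f) {
    Decoded d{false, {}};
    if (f.size() < 2) return d;
    std::size_t n = f[0];
    if (f.size() < n + 2) return d;
    std::vector<std::uint8_t> palette(f.begin() + 1, f.begin() + 1 + n);
    std::size_t m = f[n + 1];
    if (f.size() < n + 2 + m) return d;
    for (std::size_t i = 0; i < m; ++i)
        d.pixels.push_back(palette[f[n + 2 + i]]);  // index never compared to palette.size()
    d.ok = true;
    return d;
}

// Hardened decoder: identical layout, but every file-derived index is validated
// against the size of the buffer it indexes before the access happens, and a
// zero-entry palette is rejected up front so no index could ever be valid.
Decoded decode_checked(const std::vector<std::uint8_t>& f) {
    Decoded d{false, {}};
    if (f.size() < 2) return d;
    std::size_t n = f[0];
    if (n == 0 || f.size() < n + 2) return d;
    std::vector<std::uint8_t> palette(f.begin() + 1, f.begin() + 1 + n);
    std::size_t m = f[n + 1];
    if (f.size() < n + 2 + m) return d;
    for (std::size_t i = 0; i < m; ++i) {
        std::size_t idx = f[n + 2 + i];
        if (idx >= palette.size()) return d;  // reject instead of reading past the buffer
        d.pixels.push_back(palette[idx]);
    }
    d.ok = true;
    return d;
}

// Constructed inputs mirroring the report's numbers: an 8-byte palette and a single
// pixel whose index is 18, i.e. 10 bytes past the end of the 8-byte heap region.
std::vector<std::uint8_t> crafted_input() {
    return {8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 18};
}

std::vector<std::uint8_t> benign_input() {
    return {2, 0xAA, 0xBB, 3, 0, 1, 0};
}

int main() {
    // Benign input decodes; the crafted input is rejected by the checked decoder.
    Decoded good = decode_checked(benign_input());
    Decoded bad = decode_checked(crafted_input());
    return (good.ok && !bad.ok) ? 0 : 1;
}
```

The checked decoder rejects the crafted input before any access; decode_unchecked is kept only for contrast with the unchecked indexing pattern and is not exercised on the crafted input. Running the hardened and unchecked variants under the same -fsanitize=address build as in the reproduction steps is the quickest way to confirm which one ASan still flags.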