CVE-2022-43289: A stack-buffer-overflow bug was discovered. · Issue #52 · jsummers/deark

Deark v.1.6.2 was discovered to contain a stack overflow via the do_prism_read_palette() function at /modules/atari-img.c.


Description

A stack-buffer-overflow bug was discovered in function do_prism_read_palette at modules/atari-img.c:331

Version

Version v1.6.2 (Latest commit)

Environment

Ubuntu 18.04, 64bit

Reproduce

Command

git clone the latest version first.
make && make install
./deark -l -zip ./poc

POC file at the bottom of this report.

ASAN Report

Module: prismpaint
=================================================================
==20784==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6490a820 at pc 0x55eae0de20ff bp 0x7ffc6490a390 sp 0x7ffc6490a380
READ of size 4 at 0x7ffc6490a820 thread T0
    #0 0x55eae0de20fe in do_prism_read_palette modules/atari-img.c:331
    #1 0x55eae0de247e in de_run_prismpaint modules/atari-img.c:361
    #2 0x55eae0fd7023 in de_run_module src/deark-util.c:878
    #3 0x55eae0fd7023 in de_run_module src/deark-util.c:843
    #4 0x55eae1036a35 in de_run src/deark-user.c:452
    #5 0x55eae0dc39e9 in main2 src/deark-cmd.c:988
    #6 0x55eae0dc39e9 in main src/deark-cmd.c:1022
    #7 0x7fd587ac4082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55eae0dc652d in _start (/AFLplusplus/my_test/deark/backup/asan/deark-master/deark+0xf652d)

Address 0x7ffc6490a820 is located in stack of thread T0 at offset 1056 in frame
    #0 0x55eae0de1c7f in do_prism_read_palette modules/atari-img.c:304

  This frame has 2 object(s):
    [32, 1056) 'pal1' (line 308) <== Memory access at offset 1056 overflows this variable
    [1184, 1216) 'tmps' (line 310)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow modules/atari-img.c:331 in do_prism_read_palette
Shadow bytes around the buggy address:
  0x10000c9194b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c9194c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c9194d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c9194e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c9194f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000c919500: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10000c919510: f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00
  0x10000c919520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c919530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c919540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c919550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

POC

id_000027,sig_11,src_013544+002505,time_31840218,execs_68965869,op_splice,rep_16.zip

For any issue, please contact me:
[email protected]
OR:
twitter: @Asteriska8
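As an added illustration (not deark's code, and not a reconstruction of the actual defect in do_prism_read_palette), the two checks this class of finding calls for: a 256-entry, 4-byte-per-entry palette table, the same size as the 1024-byte 'pal1' object in the frame listing, is filled only after the file-supplied entry count has been validated against the array size, and is read only through a bounds-checked lookup. The input layout, reader helper and function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* 256 entries x 4 bytes = the 1024-byte 'pal1' object in the ASAN frame listing. */
#define PAL_ENTRIES 256

/* Hypothetical in-memory input; deark's own reader API is not reproduced here. */
typedef struct { const uint8_t *data; size_t len; } input_t;

/* Big-endian u16 read with a bounds check on the input buffer. Returns 1 on success. */
static int rd_u16be(const input_t *in, size_t pos, uint16_t *out)
{
    if (pos > in->len || in->len - pos < 2) return 0;
    *out = (uint16_t)((in->data[pos] << 8) | in->data[pos + 1]);
    return 1;
}

/* Assumed layout: u16 entry count, then that many u16 colour words (0x0RGB, 4 bits/channel).
 * Returns the number of entries stored, or -1 when the declared count does not fit in the
 * caller's array or the data runs short. */
static int read_palette_checked(const input_t *in, uint32_t *pal, size_t pal_cap)
{
    uint16_t count, w;
    if (!rd_u16be(in, 0, &count)) return -1;
    if (count > pal_cap) return -1;      /* never trust a file-supplied count against a fixed array */
    for (size_t i = 0; i < count; i++) {
        if (!rd_u16be(in, 2 + 2 * i, &w)) return -1;
        pal[i] = ((uint32_t)(w >> 8 & 0xF) * 17) << 16    /* R */
               | ((uint32_t)(w >> 4 & 0xF) * 17) << 8     /* G */
               |  (uint32_t)(w      & 0xF) * 17;          /* B */
    }
    return (int)count;
}

/* Colour lookup that rejects out-of-range indices, so a read like the one ASAN flagged
 * (4-byte READ at offset 1056, i.e. index 256 of a 256-entry table) cannot occur. */
static uint32_t pal_lookup(const uint32_t *pal, int n, unsigned idx)
{
    return (n > 0 && idx < (unsigned)n) ? pal[idx] : 0;
}

/* Constructed sample inputs (not the issue's PoC). */
static const uint8_t HDR_300[] = { 0x01, 0x2C, 0x0F, 0xFF };              /* claims 300 entries */
static const uint8_t HDR_2[]   = { 0x00, 0x02, 0x0F, 0x00, 0x00, 0x0F };  /* 2 entries: red, blue */

int demo_oversized(void) { uint32_t pal[PAL_ENTRIES]; input_t in = { HDR_300, sizeof HDR_300 }; return read_palette_checked(&in, pal, PAL_ENTRIES); }
uint32_t demo_lookup(unsigned idx) { uint32_t pal[PAL_ENTRIES]; input_t in = { HDR_2, sizeof HDR_2 }; int n = read_palette_checked(&in, pal, PAL_ENTRIES); return pal_lookup(pal, n, idx); }
```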
