jasper: two NULL pointer dereference in bmp_getdata (bmp_dec.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Fuzzing revealed two NULL pointer dereferences in bmp_getdata.

Since jasper had seemed dead for years, I first posted this bug on oss-security. A few days ago I noticed that development is alive again on GitHub, so I posted the bug to the maintainer, who responded with a fix quickly.

The complete ASan output:

# imginfo -f $FILE
==26929==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8fc7fd53b5 bp 0x7ffcdf755110 sp 0x7ffcdf754de0 T0)                              
    #0 0x7f8fc7fd53b4 in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5                                                               
    #1 0x7f8fc7fd53b4 in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190                                                                  
    #2 0x7f8fc7fa1a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16                                                      
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16                                                                                    
    #4 0x7f8fc70b961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                          
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)                                                                          

AddressSanitizer can not provide additional info.                                                                                                                
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:385:5 in bmp_getdata                                                     
==26929==ABORTING


# imginfo -f $FILE
==15555==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02a9c081ee bp 0x7ffd1e22e110 sp 0x7ffd1e22dde0 T0)
    #0 0x7f02a9c081ed in bmp_getdata /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5
    #1 0x7f02a9c081ed in bmp_decode /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:190
    #2 0x7f02a9bd4a9a in jas_image_decode /tmp/jasper-version-1.900.3/src/libjasper/base/jas_image.c:372:16
    #3 0x4f11bd in main /tmp/jasper-version-1.900.3/src/appl/imginfo.c:179:16
    #4 0x7f02a8cec61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418bc8 in _start (/tmp/jasper-version-1.900.3/src/appl/.libs/imginfo+0x418bc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jasper-version-1.900.3/src/libjasper/bmp/bmp_dec.c:383:5 in bmp_getdata
==15555==ABORTING

Affected version:
1.900.1, 1.900.3 and 1.900.4

Fixed version:
1.900.5

Commit fix:
https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8690

Timeline:
2016-08-15: bug discovered
2016-08-23: requested feedback on oss-security
2016-10-13: bug reported to upstream
2016-10-16: upstream released a patch
2016-10-16: blog post about the issue
2016-10-16: CVE Assigned
2016-10-16: upstream released 1.900.5

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security | Leave a comment

openssl: libcrypto: stack-based buffer overflow in ERR_error_string_n (err.c)

Description:
OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Fuzzing nginx uncovered a stack-based buffer overflow (an over-read) that resides in libcrypto.

After looking into it with an nginx developer (Sergey Kandaurov), he said:

This is caused by an OpenSSL dysfunction in ERR_error_string_n() which happens
when the function is used with a zero len argument and the string is not null
terminated. In nginx that’s possible when the string had been previously
truncated for some reason.

From ERR_error_string_n documentation:

void ERR_error_string_n(unsigned long e, char *buf, size_t len);

ERR_error_string_n() is a variant of ERR_error_string() that writes at
most len characters (including the terminating 0) and truncates the
string if necessary.

The problem is that ERR_error_string_n() doesn’t cope with a zero len parameter.
It uses a len-capped BIO_snprintf() to write the error string safely, then it checks
for buffer truncation, for some useless things, using strlen() in an unsafe manner.
This is where the buffer is overread.

I don’t know whether the bug is reachable in another way, but Matt Caswell from OpenSSL does not consider it a security issue.
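To make the failure mode Sergey describes concrete, here is an added illustration of the same pattern. It is not code from OpenSSL or nginx; the function names, return codes and message format are hypothetical, and the fragile variant only models the shape of the bug (a len-capped snprintf() followed by a strlen()-based truncation check) next to a hardened version that rejects a zero length and uses the snprintf() return value instead.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes for the model functions below. */
enum { DESCRIBE_OK = 0, DESCRIBE_TRUNCATED = 1, DESCRIBE_BAD_LEN = -1 };

/*
 * Fragile variant (model of the bug pattern, not OpenSSL's code): the
 * message is written with a len-capped snprintf(), and truncation is then
 * detected by measuring the buffer with strlen(). With len == 0, snprintf()
 * stores nothing, not even the terminating NUL, so strlen() walks whatever
 * bytes the caller's buffer already held until it happens to find a zero.
 * That is the over-read ASan reports above. Only call it with len > 0.
 */
static int describe_error_fragile(unsigned long code, char *buf, size_t len)
{
    snprintf(buf, len, "error:%08lX:example message", code);
    /* Unsafe when len == 0: buf may be unterminated. */
    return strlen(buf) + 1 >= len ? DESCRIBE_TRUNCATED : DESCRIBE_OK;
}

/*
 * Hardened variant: reject len == 0 (and a NULL buffer) up front, detect
 * truncation from snprintf()'s return value (the length the full message
 * would have had), and never measure the buffer with strlen().
 */
static int describe_error_safe(unsigned long code, char *buf, size_t len)
{
    int needed;

    if (buf == NULL || len == 0)
        return DESCRIBE_BAD_LEN;      /* nothing can be written or terminated */

    needed = snprintf(buf, len, "error:%08lX:example message", code);
    if (needed < 0) {                 /* encoding error: leave a valid empty string */
        buf[0] = '\0';
        return DESCRIBE_TRUNCATED;
    }
    /* snprintf() always NUL-terminates when len > 0, so buf is safe to print. */
    return (size_t)needed >= len ? DESCRIBE_TRUNCATED : DESCRIBE_OK;
}

int main(void)
{
    char big[64];
    char small[8];
    int rc;

    rc = describe_error_safe(0x1234UL, big, sizeof big);
    printf("len %zu: [%s] -> %d\n", sizeof big, big, rc);

    rc = describe_error_safe(0x1234UL, small, sizeof small);
    printf("len %zu: [%s] -> %d\n", sizeof small, small, rc);

    /* A zero length is reported, not dereferenced. */
    rc = describe_error_safe(0x1234UL, small, 0);
    printf("len 0: -> %d\n", rc);

    /* The fragile variant agrees with the safe one as long as len > 0. */
    rc = describe_error_fragile(0x1234UL, small, sizeof small);
    printf("fragile, len %zu: [%s] -> %d\n", sizeof small, small, rc);
    return 0;
}
```

The point for callers is the one nginx hit: a length that has already been reduced to zero by earlier truncation is a legitimate input to a "write at most len bytes" API, so the API has to treat it as "nothing to write" rather than assume the buffer is terminated. Treating len == 0 as an explicit error, as the hardened variant does, makes that case visible in logs instead of turning it into a read past the buffer.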

The complete ASan output:

# nginx -t -p "" -c $FILE
==24306==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe6cc74f50 at pc 0x00000046f20c bp 0x7ffe6cc749c0 sp 0x7ffe6cc74170
READ of size 7 at 0x7ffe6cc74f50 thread T0
    #0 0x46f20b in strlen /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:581
    #1 0x7fa541c4a5b4 in ERR_error_string_n /tmp/portage/dev-libs/openssl-1.0.2j/work/openssl-1.0.2j-abi_x86_64.amd64/crypto/err/err.c:888
    #2 0x57e70e in ngx_ssl_error /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/event/ngx_event_openssl.c:2061:9
    #3 0x57f253 in ngx_ssl_certificate /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/event/ngx_event_openssl.c:333:9
    #4 0x6791c8 in ngx_http_ssl_merge_srv_conf /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/http/modules/ngx_http_ssl_module.c:669:9
    #5 0x592f66 in ngx_http_merge_servers /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/http/ngx_http.c:582:18
    #6 0x592f66 in ngx_http_block /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/http/ngx_http.c:268
    #7 0x53b264 in ngx_conf_handler /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/core/ngx_conf_file.c:427:18
    #8 0x53b264 in ngx_conf_parse /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/core/ngx_conf_file.c:283
    #9 0x533b2a in ngx_init_cycle /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/core/ngx_cycle.c:274:9
    #10 0x4ff1cc in main /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/core/nginx.c:276:13
    #11 0x7fa540a6761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x425b18 in _start (/usr/sbin/nginx+0x425b18)

Address 0x7ffe6cc74f50 is located in stack of thread T0 at offset 1136 in frame
    #0 0x57e53f in ngx_ssl_error /tmp/portage/www-servers/nginx-1.10.1/work/nginx-1.10.1/src/event/ngx_event_openssl.c:2031

  This frame has 4 object(s):
    [32, 36) 'flags'
    [48, 72) 'args'
    [112, 1136) 'errstr'
  0x10004d9869e0: 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2
  0x10004d9869f0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 f3 f3 f3 f3 f3
  0x10004d986a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004d986a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004d986a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004d986a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24306==ABORTING

Affected version:
1.0.2j and 1.1.0b

Fixed version:
1.1.0c and 1.0.2k (not yet released)

Commit fix:
https://github.com/openssl/openssl/commit/e5c1361580d8de79682958b04a5f0d262e680f8b

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-10-11: bug discovered
2016-10-12: bug reported to upstream
2016-10-14: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


imagemagick: memory allocate failure in AcquireQuantumPixels (quantum.c)

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

Fuzzing with the upstream security policy enabled revealed a memory allocation failure.

The complete ASan output:

# identify $FILE
==25084==WARNING: AddressSanitizer failed to allocate 0x46bf39483ac bytes                                                                                                                                                                                                      
==25084==AddressSanitizer's allocator is terminating the process instead of returning 0                                                                                                                                                                                        
==25084==If you don't like this behavior set allocator_may_return_null=1                                                                                                                                                                                                       
==25084==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)                                                                            
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67                                                                                                                                   
    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159                              
    #2 0x4ce826 in __sanitizer::ReportAllocatorCannotReturnNull() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147                                                                            
    #3 0x421bfc in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::ReturnNullOrDie() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1317                                                                                                                                                                                                   
    #4 0x421bfc in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:359                       
    #5 0x421bfc in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718                                                                       
    #6 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53                                                                                                                                   
    #7 0x7f76c7533ff4 in AcquireQuantumPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/quantum.c:175:47                                                                                                                                  
    #8 0x7f76c7533ff4 in SetQuantumDepth /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/quantum.c:693                                                                                                                                          
    #9 0x7f76c7532676 in AcquireQuantumInfo /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/quantum.c:125:10                                                                                                                                    
    #10 0x7f76baf3607e in ReadTIFFImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/tiff.c:1431:18                                                                                                                                              
    #11 0x7f76c7067b12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
    #12 0x7f76c77ff406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
    #13 0x7f76c70665ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
    #14 0x7f76c7066e25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
    #15 0x7f76c68ec4c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
    #16 0x7f76c698226a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #17 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #18 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #19 0x7f76c582661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #20 0x419138 in _init (/usr/bin/magick+0x419138)

Affected version:
7.0.3.0

Fixed version:
7.0.3.1

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8677

Timeline:
2016-09-14: bug discovered
2016-09-14: bug reported to upstream
2016-09-16: upstream released a patch
2016-09-21: upstream released 7.0.3.1
2016-10-07: blog post about the issue
2016-10-16: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.


imagemagick: heap-based buffer overflow in IsPixelMonochrome (pixel-accessor.h)

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

Fuzzing with the upstream security policy enabled revealed a heap-based buffer over-read.

The complete ASan output:

# identify $FILE
==13198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000fbc0 at pc 0x7f7a28f71a91 bp 0x7fff6820aaa0 sp 0x7fff6820aa98                                                                                                                                      
READ of size 10 at 0x61400000fbc0 thread T0                                                                                                                                                                                                                                    
    #0 0x7f7a28f71a90 in IsPixelMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/./MagickCore/pixel-accessor.h:557:24                                                                                                                            
    #1 0x7f7a28f71a90 in IdentifyImageMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:758                                                                                                                                
    #2 0x7f7a28f71dc6 in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:819:7                                                                                                                                    
    #3 0x7f7a293216ce in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/identify.c:524:8                                                                                                                                         
    #4 0x7f7a28924f86 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:336:22                                                                                                                                 
    #5 0x7f7a289ba26a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14                                                                                                                                  
    #6 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10                                                                                                                                                    
    #7 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176                                                                                                                                                             
    #8 0x7f7a2785e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        
    #9 0x419138 in _init (/usr/bin/magick+0x419138)                                                                                                                                                                                                                            

0x61400000fbc0 is located 0 bytes to the right of 384-byte region [0x61400000fa40,0x61400000fbc0)                                                                                                                                                                              
allocated by thread T0 here:                                                                                                                                                                                                                                                   
    #0 0x4c1105 in __interceptor_posix_memalign /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124                                                                                                            
    #1 0x7f7a293cac65 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:258:7
    #2 0x7f7a28fb8e9d in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:4634:33
    #3 0x7f7a28fb8e9d in SetPixelCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:4746
    #4 0x7f7a28fa9f9e in GetVirtualPixelsFromNexus /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:2629:10
    #5 0x7f7a28fd2a5e in GetCacheViewVirtualPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache-view.c:664:10
    #6 0x7f7a28f70e46 in IdentifyImageMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:753:7
    #7 0x7f7a28f71dc6 in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:819:7
    #8 0x7f7a293216ce in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/identify.c:524:8
    #9 0x7f7a28924f86 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:336:22
    #10 0x7f7a289ba26a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #11 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #12 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #13 0x7f7a2785e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/./MagickCore/pixel-accessor.h:557:24 in IsPixelMonochrome
Shadow bytes around the buggy address:
  0x0c287fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9f40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9f70: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c287fff9f80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c287fff9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c287fff9fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13198==ABORTING

Affected version:
Tested on 7.0.3.0; 7.0.3.1 and 7.0.3.2 do not include any fix

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8678

Timeline:
2016-09-14: bug discovered
2016-09-14: bug reported to upstream
2016-10-07: blog post about the issue
2016-10-16: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.


libdwarf: heap-based buffer overflow in _dwarf_get_size_of_val (dwarf_util.c)

Description:
libdwarf is a library to consume and produce DWARF debug information.

Fuzzing revealed an out-of-bounds read.

The complete ASan output:

# dwarfdump $FILE
==22886==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000de1c at pc 0x000000462c7c bp 0x7ffe80a3d230 sp 0x7ffe80a3c9e0
READ of size 1 at 0x61300000de1c thread T0
    #0 0x462c7b in __interceptor_strlen /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:581
    #1 0x60489f in _dwarf_get_size_of_val /tmp/dwarf-20161001/libdwarf/dwarf_util.c:267:21
    #2 0x5f2834 in dwarf_attrlist /tmp/dwarf-20161001/libdwarf/dwarf_query.c:389:27
    #3 0x519ed5 in print_one_die /tmp/dwarf-20161001/dwarfdump/print_die.c:1409:13
    #4 0x51710c in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1047:36
    #5 0x517c6b in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1142:13
    #6 0x5147cc in print_die_and_children /tmp/dwarf-20161001/dwarfdump/print_die.c:921:5
    #7 0x5147cc in print_one_die_section /tmp/dwarf-20161001/dwarfdump/print_die.c:831
    #8 0x512262 in print_infos /tmp/dwarf-20161001/dwarfdump/print_die.c:371:16
    #9 0x4faaea in process_one_file /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9
    #10 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654
    #11 0x7f7cd096261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

0x61300000de1c is located 0 bytes to the right of 348-byte region [0x61300000dcc0,0x61300000de1c)
allocated by thread T0 here:
    #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f7cd1a3c206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:581 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c267fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9b80: 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa fa
  0x0c267fff9b90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c267fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bc0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22886==ABORTING

Affected version:
20161001 and earlier

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/2d14a7792889e33bc542c28d0f3792964c46214f/#diff-13 and then https://sourceforge.net/p/libdwarf/code/ci/efe48cad0693d6994d9a7b561e1c3833b073a624/#diff-2 (a follow-up commit, because of a mistake in the first)

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8679

Timeline:
2016-10-04: bug discovered
2016-10-04: bug reported privately to upstream
2016-10-04: upstream released a patch
2016-10-06: blog post about the issue
2016-10-16: CVE Assigned
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.


libdwarf: heap-based buffer overflow in _dwarf_get_abbrev_for_code (dwarf_util.c)

Description:
libdwarf is a library to consume and produce DWARF debug information.

Fuzzing revealed an out-of-bounds read.

The complete ASan output:

# dwarfdump $FILE
==24449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000059ed at pc 0x000000606cd5 bp 0x7fff42bdc5f0 sp 0x7fff42bdc5e8
READ of size 1 at 0x6110000059ed thread T0
    #0 0x606cd4 in _dwarf_get_abbrev_for_code /tmp/dwarf-20161001/libdwarf/dwarf_util.c:590:9
    #1 0x576086 in dwarf_siblingof_b /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:1628:12
    #2 0x517e73 in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1163:17
    #3 0x517c6b in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1142:13
    #4 0x5147cc in print_die_and_children /tmp/dwarf-20161001/dwarfdump/print_die.c:921:5
    #5 0x5147cc in print_one_die_section /tmp/dwarf-20161001/dwarfdump/print_die.c:831
    #6 0x512262 in print_infos /tmp/dwarf-20161001/dwarfdump/print_die.c:371:16
    #7 0x4faaea in process_one_file /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9
    #8 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654
    #9 0x7fa649d7e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

0x6110000059ed is located 0 bytes to the right of 237-byte region [0x611000005900,0x6110000059ed)
allocated by thread T0 here:
    #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7fa64ae58206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dwarf-20161001/libdwarf/dwarf_util.c:590:9 in _dwarf_get_abbrev_for_code
Shadow bytes around the buggy address:
  0x0c227fff8ae0: 00 00 00 00 00 00 00 00 06 fa fa fa fa fa fa fa
  0x0c227fff8af0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff8b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8b10: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8b30: 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa fa
  0x0c227fff8b40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8b60: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8b80: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24449==ABORTING

Affected version:
20161001 and earlier

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/2d14a7792889e33bc542c28d0f3792964c46214f/#diff-13 and then https://sourceforge.net/p/libdwarf/code/ci/efe48cad0693d6994d9a7b561e1c3833b073a624/#diff-2 (a follow-up commit, because of a mistake in the first)

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8681

Timeline:
2016-10-04: bug discovered
2016-10-04: bug reported privately to upstream
2016-10-04: upstream released a patch
2016-10-06: blog post about the issue
2016-10-16: CVE Assigned
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libdwarf: heap-based buffer overflow in _dwarf_get_abbrev_for_code (dwarf_util.c)

Posted in advisories, security

libav: invalid memory access in ff_put_pixels8_mmx (fpel_mmx.c)

Description:
Libav is an open source set of tools for audio and video processing.

Fuzzing with an mp3 file as input discovered an invalid memory access in ff_put_pixels8_mmx (avconv probes the file as h263, as the log below shows).

The complete ASan output:

# avconv -i $FILE -f null -
avconv version 11.7, Copyright (c) 2000-2016 the Libav developers
  built on Aug 16 2016 15:34:42 with clang version 3.8.1 (tags/RELEASE_381/final)
[h263 @ 0x61a00001f280] Format detected only with low score of 25, misdetection possible!
[h263 @ 0x619000000580] warning: first frame is no keyframe
[h263 @ 0x619000000580] cbpc damaged at 2 0
[h263 @ 0x619000000580] Error at MB: 2
[h263 @ 0x619000000580] illegal ac vlc code at 3x40
[h263 @ 0x619000000580] Error at MB: 3563
[h263 @ 0x619000000580] concealing 6336 DC, 6336 AC, 6336 MV errors
[h263 @ 0x61a00001f280] Estimating duration from bitrate, this may be inaccurate
Input #0, h263, from '82.crashes':
  Duration: N/A, bitrate: N/A
    Stream #0.0: Video: h263, yuv420p, 1408x1152 [PAR 12:11 DAR 4:3], 25 fps, 25 tbn, 29.97 tbc
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf56.1.0
    Stream #0.0: Video: rawvideo, yuv420p, 1408x1152 [PAR 12:11 DAR 4:3], q=2-31, 200 kb/s, 25 tbn, 25 tbc
    Metadata:
      encoder         : Lavc56.1.0 rawvideo
Stream mapping:
  Stream #0:0 -> #0:0 (h263 (native) -> rawvideo (native))
Press ctrl-c to stop encoding
[h263 @ 0x61900001e580] warning: first frame is no keyframe
[h263 @ 0x61900001e580] cbpc damaged at 2 0
[h263 @ 0x61900001e580] Error at MB: 2
[h263 @ 0x61900001e580] illegal ac vlc code at 3x40
[h263 @ 0x61900001e580] Error at MB: 3563
[h263 @ 0x61900001e580] concealing 6336 DC, 6336 AC, 6336 MV errors
[h263 @ 0x61900001e580] Error at MB: 0
[h263 @ 0x61900001e580] concealing 6336 DC, 6336 AC, 6336 MV errors
[h263 @ 0x61900001e580] cbpc damaged at 0 0
[h263 @ 0x61900001e580] Error at MB: 0
[h263 @ 0x61900001e580] concealing 6336 DC, 6336 AC, 6336 MV errors
[h263 @ 0x61900001e580] illegal ac vlc code at 0x0
[h263 @ 0x61900001e580] Error at MB: 0
[h263 @ 0x61900001e580] concealing 99 DC, 99 AC, 99 MV errors
Input stream #0:0 frame changed from size:1408x1152 fmt:yuv420p to size:176x144 fmt:yuv420p
[h263 @ 0x61900001e580] Bad marker
[h263 @ 0x61900001e580] header damaged
Error while decoding stream #0:0
ASAN:DEADLYSIGNAL
=================================================================
==29430==ERROR: AddressSanitizer: SEGV on unknown address 0x62bfffffffd0 (pc 0x7f3a2a642150 bp 0x7ffcbfdb8af0 sp 0x7ffcbfdb8a80 T0)
    #0 0x7f3a2a64214f in ff_put_pixels8_mmx /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/x86/fpel_mmx.c:81:5
    #1 0x7f3a297c0de0 in hpel_motion /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:224:5
    #2 0x7f3a297c0de0 in apply_8x8 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:798
    #3 0x7f3a297c0de0 in mpv_motion_internal /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:877
    #4 0x7f3a297c0de0 in ff_mpv_motion /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo_motion.c:981
    #5 0x7f3a296ed59b in mpv_decode_mb_internal /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo.c:2223:21
    #6 0x7f3a296ed59b in ff_mpv_decode_mb /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/mpegvideo.c:2358
    #7 0x7f3a285ffc95 in decode_slice /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/h263dec.c:273:13
    #8 0x7f3a285fb2cd in ff_h263_decode_frame /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/h263dec.c:575:11
    #9 0x7f3a29f86906 in avcodec_decode_video2 /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/utils.c:1600:19
    #10 0x5647eb in decode_video /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:1259:11
    #11 0x5647eb in process_input_packet /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:1398
    #12 0x550e63 in process_input /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2440:11
    #13 0x550e63 in transcode /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2488
    #14 0x550e63 in main /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/avconv.c:2647
    #15 0x7f3a2631b61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #16 0x41d098 in _init (/usr/bin/avconv+0x41d098)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-video/libav-11.7/work/libav-11.7/libavcodec/x86/fpel_mmx.c:81:5 in ff_put_pixels8_mmx
==29430==ABORTING

Affected version:
11.7

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-08-15: bug discovered
2016-08-16: bug reported to upstream
2016-10-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
Since as of 2016-10-08 there was no upstream response, after an investigation it looks like an invalid memory access rather than a NULL pointer dereference, so I'm changing the description a bit, but I'm keeping the permalink as-is.

Permalink:

libav: invalid memory access in ff_put_pixels8_mmx (fpel_mmx.c)

Posted in advisories, security

libdwarf: heap-based buffer overflow in _dwarf_get_abbrev_for_code (dwarf_util.c)

Description:
libdwarf is a library to consume and produce DWARF debug information.

Fuzzing revealed a heap-based out-of-bounds read: a one-byte read exactly at the end of the 256-byte section buffer that libelf's elf_getdata handed to libdwarf.

The complete ASan output:

# dwarfdump $FILE
==30323==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000005a00 at pc 0x000000606e87 bp 0x7ffe35e5e5b0 sp 0x7ffe35e5e5a8
READ of size 1 at 0x611000005a00 thread T0
    #0 0x606e86 in _dwarf_get_abbrev_for_code /tmp/dwarf-20161001/libdwarf/dwarf_util.c:624:43
    #1 0x576086 in dwarf_siblingof_b /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:1628:12
    #2 0x517e73 in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1163:17
    #3 0x517c6b in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1142:13
    #4 0x5147cc in print_die_and_children /tmp/dwarf-20161001/dwarfdump/print_die.c:921:5
    #5 0x5147cc in print_one_die_section /tmp/dwarf-20161001/dwarfdump/print_die.c:831
    #6 0x512262 in print_infos /tmp/dwarf-20161001/dwarfdump/print_die.c:371:16
    #7 0x4faaea in process_one_file /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9
    #8 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654
    #9 0x7f5912c2361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

0x611000005a00 is located 0 bytes to the right of 256-byte region [0x611000005900,0x611000005a00)
allocated by thread T0 here:
    #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f5913cfd206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dwarf-20161001/libdwarf/dwarf_util.c:624:43 in _dwarf_get_abbrev_for_code
Shadow bytes around the buggy address:
  0x0c227fff8af0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff8b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8b10: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8b40:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8b60: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8b80: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c227fff8b90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30323==ABORTING
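Both libdwarf reports (CVE-2016-8681 at dwarf_util.c:590 in the previous post and CVE-2016-8680 at dwarf_util.c:624 here) are reads in _dwarf_get_abbrev_for_code that land 0 bytes past a buffer allocated by libelf's elf_getdata, i.e. the abbreviation table is walked without checking that the next byte is still inside the .debug_abbrev section. The following is an added example, not libdwarf's own code or its actual fix: a ULEB128 reader and abbrev-table walker that carry an explicit end pointer and return an error instead of reading past it. The sample byte strings, the ABBREV_* result codes and the function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for this example (assumed names, not libdwarf's). */
enum { ABBREV_OK = 0, ABBREV_ERR_TRUNCATED = -1, ABBREV_ERR_OVERFLOW = -2 };

/*
 * Decode one unsigned LEB128 value from [p, end).  On success *out holds
 * the value and *p is advanced past it.  Never dereferences at or beyond
 * end, which is the check the crashing code path lacked.
 */
static int read_uleb128(const uint8_t **p, const uint8_t *end, uint64_t *out)
{
    const uint8_t *cur = *p;
    uint64_t value = 0;
    unsigned shift = 0;

    for (;;) {
        if (cur >= end)
            return ABBREV_ERR_TRUNCATED;   /* section ends mid-value */
        if (shift >= 64)
            return ABBREV_ERR_OVERFLOW;    /* more than 10 bytes: malformed */
        uint8_t byte = *cur++;
        value |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0)
            break;
    }
    *out = value;
    *p = cur;
    return ABBREV_OK;
}

/* Decode a single value from a buffer; UINT64_MAX signals an error. */
uint64_t uleb_value(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf;
    uint64_t v;
    return read_uleb128(&p, buf + len, &v) == ABBREV_OK ? v : UINT64_MAX;
}

/*
 * Walk one .debug_abbrev table and count its entries.  Each entry is
 *   code ULEB, tag ULEB, has_children u8, (attr ULEB, form ULEB)* , (0,0)
 * and the table ends with code 0.  Returns the entry count or a negative
 * ABBREV_ERR_* code; every read is bounded by end.
 */
int count_abbrevs(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf, *end = buf + len;
    int count = 0;

    for (;;) {
        uint64_t code, tag, attr, form;
        int rc;

        if ((rc = read_uleb128(&p, end, &code)) != ABBREV_OK) return rc;
        if (code == 0) return count;              /* table terminator */
        if ((rc = read_uleb128(&p, end, &tag)) != ABBREV_OK) return rc;
        if (p >= end) return ABBREV_ERR_TRUNCATED; /* has_children byte */
        p++;
        do {
            if ((rc = read_uleb128(&p, end, &attr)) != ABBREV_OK) return rc;
            if ((rc = read_uleb128(&p, end, &form)) != ABBREV_OK) return rc;
        } while (attr != 0 || form != 0);
        count++;
    }
}

/* Constructed sample: one DW_TAG_compile_unit (0x11) abbrev with two attributes. */
static const uint8_t good_abbrev[] = {
    0x01, 0x11, 0x01,   /* code 1, tag 0x11, has_children = yes */
    0x03, 0x0e,         /* DW_AT_name,   DW_FORM_strp */
    0x11, 0x01,         /* DW_AT_low_pc, DW_FORM_addr */
    0x00, 0x00,         /* end of attribute list */
    0x00                /* end of table */
};

/* Same table cut off inside the attribute list, as a fuzzer would produce. */
static const uint8_t truncated_abbrev[] = { 0x01, 0x11, 0x01, 0x03, 0x0e, 0x11 };

/* Multi-byte ULEB128 from the DWARF spec: 624485. */
static const uint8_t multi_byte_uleb[] = { 0xe5, 0x8e, 0x26 };

int main(void)
{
    printf("good: %d entries\n", count_abbrevs(good_abbrev, sizeof good_abbrev));
    printf("truncated: rc=%d\n", count_abbrevs(truncated_abbrev, sizeof truncated_abbrev));
    printf("uleb: %llu\n", (unsigned long long)uleb_value(multi_byte_uleb, sizeof multi_byte_uleb));
    return 0;
}
```

The important property is that the end pointer travels with the cursor into every helper; a bound checked once at the top of the section walk does nothing for a ULEB128 value whose continuation bits run off the end of the buffer.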

Affected version:
20161001 and earlier

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/268c1f18d1d28612af3b72d7c670076b1b88e51c/tree/libdwarf/dwarf_util.c?diff=0b28b923c3bd9827d1d904feed2abadde4fa5de2

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8680

Timeline:
2016-10-03: bug discovered
2016-10-03: bug reported privately to upstream
2016-10-03: upstream released a patch
2016-10-04: blog post about the issue
2016-10-16: CVE Assigned
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libdwarf: heap-based buffer overflow in _dwarf_get_abbrev_for_code (dwarf_util.c)

Posted in advisories, security

libdwarf: tag_tree_build and tag_attr_build: signed shift

Description:
libdwarf is a library to consume and produce DWARF debug information.

The following issue showed up while building libdwarf with the undefined behavior sanitizer enabled: the table generators tag_tree_build and tag_attr_build shift a signed int by 31 places.

The complete UBsan output:

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:../libdwarf ./tag_tree_build -s -i tmp-tag-tree-build1.tmp -o tmp-tt-table.c
tag_tree.c:350:60: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:../libdwarf ./tag_attr_build -s -i tmp-tag-attr-build2.tmp -o tmp-ta-table.c
tag_attr.c:386:60: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
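`1 << 31` is undefined behaviour in C when int is 32 bits wide, because the result (bit 31 set) is not representable in a signed int; the compiler is free to miscompile a bit table built that way. The usual fix is to do the shift on an unsigned type and to bound the shift amount. The block below is an added example of that pattern, not libdwarf's tag_tree.c/tag_attr.c code or its fix; the table width, function names and sample values are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_BITS 32u   /* bits per table word (assumed width) */

/*
 * Pattern UBSan flagged above, shown only as a comment because it is UB:
 *     int mask = 1 << bit;        // UB for bit == 31 (and bit >= 32)
 * Promoting the constant to an unsigned 32-bit type makes 0..31 well
 * defined; shifting by >= the width is still UB, so bound `bit` too.
 */

/* Set bit `bit` in *word.  Returns 0, or -1 if bit is out of range. */
int table_set_bit(uint32_t *word, unsigned bit)
{
    if (bit >= TABLE_BITS)
        return -1;
    *word |= UINT32_C(1) << bit;   /* unsigned shift: defined for 0..31 */
    return 0;
}

/* Test bit `bit` in word; out-of-range bits read as clear. */
int table_test_bit(uint32_t word, unsigned bit)
{
    if (bit >= TABLE_BITS)
        return 0;
    return (int)((word >> bit) & 1u);
}

/* Build a sample word with the lowest and highest bits set. */
uint32_t build_sample_word(void)
{
    uint32_t w = 0;
    table_set_bit(&w, 0);
    table_set_bit(&w, 31);          /* the case that was UB with a signed int */
    return w;
}

int main(void)
{
    printf("sample word: 0x%08x\n", build_sample_word());
    return 0;
}
```

Compiling with `-fsanitize=undefined` (as the report above did) is the quickest way to confirm that a fix of this kind removed every offending shift rather than just the one in the message.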

Affected version:
20160929 and earlier

Fixed version:
20161001

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/cdd1b6d98c2c13c92bbe3556130ab00daf663a6c/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-09-30: bug discovered
2016-09-30: bug reported privately to upstream
2016-09-30: upstream released a patch
2016-10-01: upstream released version 20161001
2016-10-02: blog post about the issue

Note:
This bug was found with the undefined behavior sanitizer.

Permalink:

libdwarf: tag_tree_build and tag_attr_build: signed shift

Posted in advisories, security

mupdf: mujstest: strcpy-param-overlap in main (jstest_main.c)

Description:
Mujstest, which is part of mupdf, is a scriptable tester for mupdf + js.

Fuzzing revealed a strcpy-param-overlap, i.e. a strcpy whose source and destination ranges overlap, which here is the visible symptom of a global buffer overflow.

The complete ASan output:

# mujstest $FILE
==26843==ERROR: AddressSanitizer: strcpy-param-overlap: memory ranges [0x0000013c5d40,0x0000013c62ed) and [0x0000013c6285, 0x0000013c6832) overlap
    #0 0x473129 in __interceptor_strcpy /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:545
    #1 0x4f7910 in main /var/tmp/portage/app-text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:353:6
    #2 0x7f8af37a961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x41ade8 in _init (/usr/bin/mujstest+0x41ade8)

0x0000013c6140 is located 0 bytes to the right of global variable 'filename' defined in 'platform/x11/jstest_main.c:15:13' (0x13c5d40) of size 1024
0x0000013c6285 is located 5 bytes inside of global variable 'getline_buffer' defined in 'platform/x11/jstest_main.c:24:13' (0x13c6280) of size 4096
SUMMARY: AddressSanitizer: strcpy-param-overlap /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:545 in __interceptor_strcpy
==26843==ABORTING
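The numbers in the report explain the overlap: the destination range [0x13c5d40,0x13c62ed) is 0x5ad = 1453 bytes written into `filename`, a 1024-byte global, so the copy runs 429 bytes past it and into the adjacent `getline_buffer`, where the source string (starting 5 bytes into that buffer) lives. In other words a script argument longer than 1023 bytes overflows `filename`, and ASan reports it as parameter overlap because the overrun reaches the source. The block below is an added example, not mupdf's jstest_main.c or its fix: it mirrors the two globals from the report, replaces the unbounded strcpy with a length-checked copy, and rebuilds the crashing input shape. The "OPEN " prefix, the argument offset and the function names are constructed for this illustration, not mujstest's actual syntax.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Globals sized like the ones named in the ASan report. */
static char filename[1024];
static char getline_buffer[4096];

/*
 * Vulnerable pattern implied by the report (do not use):
 *     strcpy(filename, getline_buffer + 5);
 * With a 1452-byte argument strcpy writes 1453 bytes (NUL included) into
 * the 1024-byte array, the exact destination range ASan printed.
 */

/* Hardened: copy the argument into filename only if it fits, NUL included. */
int set_filename(const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof filename)
        return -1;                 /* reject instead of overflowing */
    memcpy(filename, arg, n + 1);
    return 0;
}

/*
 * Feed one script line through getline_buffer and apply the argument that
 * starts at arg_offset.  The offset is a parameter because this example
 * does not know mujstest's real command syntax.
 */
int apply_line(const char *line, size_t arg_offset)
{
    size_t len = strlen(line);
    if (len >= sizeof getline_buffer || arg_offset > len)
        return -1;
    memcpy(getline_buffer, line, len + 1);
    return set_filename(getline_buffer + arg_offset);
}

/* Rebuild the crashing shape: 5-byte prefix plus a 1452-byte argument. */
int long_argument_is_rejected(void)
{
    char line[5 + 1452 + 1];
    memset(line, 'A', sizeof line - 1);
    memcpy(line, "OPEN ", 5);      /* constructed prefix, not mujstest syntax */
    line[sizeof line - 1] = '\0';
    return apply_line(line, 5) == -1;
}

int main(void)
{
    printf("short line: %d -> \"%s\"\n", apply_line("OPEN test.pdf", 5), filename);
    printf("long argument rejected: %d\n", long_argument_is_rejected());
    return 0;
}
```

Note that a plain `strncpy(filename, arg, sizeof filename)` would silently truncate and, for an argument of exactly 1024 bytes, leave `filename` without a terminator; checking the length first and copying `n + 1` bytes keeps both the bound and the NUL.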

Affected version:
1.9a

Fixed version:
1.10 (not yet released)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=cfe8f35bca61056363368c343be36812abde0a06

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-09-22: upstream released a patch
2016-09-25: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

mupdf: mujstest: strcpy-param-overlap in main (jstest_main.c)

Posted in advisories, security