Heap-buffer-overflow exists in the DecompressPiz

Question

Heap-buffer-overflow exists in the DecompressPiz

0xdd96 opened this issue 2 years ago · comments

0xdd96 commented 2 years ago

Describe the issue
There is a heap-based buffer overflow in DecompressPiz in the latest commit.

To Reproduce

Environment

OS: Ubuntu 16.04.7 LTS
Compiler: gcc version 5.4.0

version: latest commit 22be731

poc: poc

Steps to reproduce the behavior:

Compile TinyEXR with Address Sanitizer

CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release ..

run ./test_tinyexr ./poc

Here is the trace reported by ASAN:

# ./test_tinyexr poc
=================================================================
==380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006338 at pc 0x7ffff6ef6935 bp 0x7fffffffcb50 sp 0x7fffffffc2f8
READ of size 6941 at 0x619000006338 thread T0
    #0 0x7ffff6ef6934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x4125f5 in DecompressPiz tinyexr-22be731/tinyexr.h:3172
    #2 0x4132a7 in DecodePixelData tinyexr-22be731/tinyexr.h:3523
    #3 0x41e188 in DecodeChunk tinyexr-22be731/tinyexr.h:5191
    #4 0x42215b in DecodeEXRImage tinyexr-22be731/tinyexr.h:5791
    #5 0x4280d9 in LoadEXRImageFromMemory tinyexr-22be731/tinyexr.h:6497
    #6 0x427cd9 in LoadEXRImageFromFile tinyexr-22be731/tinyexr.h:6474
    #7 0x4237d5 in LoadEXRWithLayer tinyexr-22be731/tinyexr.h:5969
    #8 0x423323 in LoadEXR tinyexr-22be731/tinyexr.h:5917
    #9 0x437c2c in test_main tinyexr-22be731/test_tinyexr.cc:223
    #10 0x4379d3 in main tinyexr-22be731/test_tinyexr.cc:194
    #11 0x7ffff652883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #12 0x4075e8 in _start (tinyexr-22be731/build/test_tinyexr+0x4075e8)

0x619000006338 is located 0 bytes to the right of 952-byte region [0x619000005f80,0x619000006338)
allocated by thread T0 here:
    #0 0x7ffff6f03532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x44ffd4 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x44d520 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
    #3 0x444753 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    #4 0x446a7a in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/5/bits/stl_vector.h:185
    #5 0x43df4e in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:136
    #6 0x439915 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:278
    #7 0x427c0d in LoadEXRImageFromFile tinyexr-22be731/tinyexr.h:6464
    #8 0x4237d5 in LoadEXRWithLayer tinyexr-22be731/tinyexr.h:5969
    #9 0x423323 in LoadEXR tinyexr-22be731/tinyexr.h:5917
    #10 0x437c2c in test_main tinyexr-22be731/test_tinyexr.cc:223
    #11 0x4379d3 in main tinyexr-22be731/test_tinyexr.cc:194
    #12 0x7ffff652883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c327fff8c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8c60: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  0x0c327fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==380==ABORTING

Syoyo Fujita · Answer 1 · Tue Nov 01 2022 18:18:22 GMT+0800 (China Standard Time)

Can reproduce in my side. Marked.

Syoyo Fujita · Answer 2 · Tue Nov 01 2022 18:27:04 GMT+0800 (China Standard Time)

PR for the fix is much appreciated though.