Aborted (ASAN: stack-buffer-overflow) on build_huffman #37

strongcourage opened this issue May 28, 2019 · 1 comment

@strongcourage
Hi,

Our fuzzer found a stack buffer overflow on the function build_huffman (the latest commit 5ff4d86 on master).

PoC: https://github.com/strongcourage/PoCs/blob/master/astc-encoder_5ff4d86/PoC_sbo_build_huffman

ASAN says:

astcenc -c $PoC /dev/null 6x6 -medium
Encoding settings:

2D Block size: 6x6 (3.56 bpp)
3D Block size: 6x6x1 (3.56 bpp)
Radius for mean-and-stdev calculations: 0 texels
RGB power: 1
RGB base-weight: 1
RGB local-mean weight: 0
RGB local-stdev weight: 0
RGB mean-and-stdev mixing across color channels: 0
Alpha power: 1
Alpha base-weight: 1
Alpha local-mean weight: 0
Alpha local-stdev weight: 0
RGB weights scale with alpha: disabled
Color channel relative weighting: R=1 G=1 B=1 A=1
Block-artifact suppression parameter : 0
Number of distinct partitionings to test: 25 (preset)
PSNR decibel limit: 2D: 40.529411 3D: 40.529411 (preset)
1->2 partition limit: 1.200000
Dual-plane color-correlation cutoff: 0.750000 (preset)
Block Mode Percentile Cutoff: 75.000000 (preset)
Max refinement iterations: 2 (preset)
Thread count : 8 (autodetected)

=================================================================
==15504==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff00ef8040 at pc 0x0000004ae78a bp 0x7fff00ef43b0 sp 0x7fff00ef43a0
WRITE of size 1 at 0x7fff00ef8040 thread T0
    #0 0x4ae789 in build_huffman /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1009
    #1 0x4b9af3 in process_marker /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1478
    #2 0x4ba85d in decode_jpeg_header /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1609
    #3 0x4c2440 in decode_jpeg_header /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1605
    #4 0x4c2440 in decode_jpeg_image /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1625
    #5 0x4c2440 in load_jpeg_image /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1816
    #6 0x4c2440 in stbi_jpeg_load /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1912
    #7 0x4d55be in stbi_load_main /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:536
    #8 0x4dc009 in stbi_load_from_file /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:571
    #9 0x4dc009 in stbi_load /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:562
    #10 0x4877b9 in load_image_with_stb(char const*, int, int*) /home/dungnguyen/gueb-testing/astc-encoder/Source/astc_stb_tga.cpp:66
    #11 0x46bff0 in astc_codec_load_image(char const*, int, int*) /home/dungnguyen/gueb-testing/astc-encoder/Source/astc_image_load_store.cpp:1328
    #12 0x49a3dd in astc_main(int, char**) /home/dungnguyen/gueb-testing/astc-encoder/Source/astc_toplevel.cpp:2329
    #13 0x7fe73da5082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x402738 in _start (/home/dungnguyen/PoCs/astc-encoder_5ff4d86/astcenc-asan+0x402738)

Address 0x7fff00ef8040 is located in stack of thread T0 at offset 14704 in frame
    #0 0x4c1bbf in stbi_jpeg_load /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1909

  This frame has 5 object(s):
    [32, 64) 'coutput'
    [96, 224) 'data'
    [256, 384) 'data'
    [416, 608) 'res_comp'
    [640, 14704) 'j' <== Memory access at offset 14704 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/dungnguyen/gueb-testing/astc-encoder/Source/stb_image.c:1009 build_huffman
Shadow bytes around the buggy address:
  0x1000601d6fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000601d6fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000601d6fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000601d6fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000601d6ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000601d7000: 00 00 00 00 00 00 00 00[f4]f4 f3 f3 f3 f3 00 00
  0x1000601d7010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000601d7020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000601d7030: f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2 00 00 00 06
  0x1000601d7040: f2 f2 f2 f2 04 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
  0x1000601d7050: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==15504==ABORTING

Thanks,
Manh Dung
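The ASAN report above describes a one-byte write running past a fixed-size table held inside the stack-allocated JPEG decoder state ('j' in the stbi_jpeg_load frame) while build_huffman expands a DHT marker. The following is an added example, not stb_image's code and not the fix referenced in #48: a bounded size-list builder in C that validates the sixteen per-code-length symbol counts a DHT segment carries against the 256-symbol limit before performing any write, wrapped in a small DHT-payload parser. The struct, the function names and the DHT layout assumed here (one class/id byte, 16 counts, then the symbol values, following ITU T.81) are the example's own assumptions, and the sample payloads are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a bounded JPEG DHT size-list builder. Illustrative code only,
 * not stb_image's build_huffman and not the change merged via #48. */

#define HUFF_MAX_SYMBOLS 256   /* JPEG (ITU T.81) permits at most 256 symbols per table */

typedef struct {
    /* One entry per symbol giving its code length, plus a trailing 0 terminator.
     * Kept inside a stack-allocated decoder struct, a 1-byte write past this
     * array lands in the enclosing struct or the stack redzone, which is the
     * shape of the report above. */
    unsigned char size[HUFF_MAX_SYMBOLS + 1];
    int           nsymbols;
} huff_table;

/* Expand the 16 per-code-length counts from a DHT segment into h->size.
 * Returns 0 on success, -1 if the counts describe more symbols than the table
 * can hold. The check runs before the first write, so a hostile count list
 * never touches memory past the array. */
int build_size_list(huff_table *h, const unsigned char counts[16])
{
    int total = 0;
    for (int i = 0; i < 16; i++)
        total += counts[i];                 /* at most 16 * 255 = 4080, fits in int */
    if (total > HUFF_MAX_SYMBOLS)
        return -1;                          /* reject: would overflow size[] */

    int k = 0;
    for (int i = 0; i < 16; i++)
        for (int j = 0; j < counts[i]; j++)
            h->size[k++] = (unsigned char)(i + 1);   /* code length i+1 */
    h->size[k] = 0;                         /* terminator; k <= 256 here */
    h->nsymbols = k;
    return 0;
}

/* Parse one table from a DHT marker payload (bytes after the 2-byte segment
 * length): 1 byte table class/id, 16 counts, then the symbol values (assumed
 * layout, ITU T.81 B.2.4.2). Returns bytes consumed, or -1 for a malformed table. */
int parse_dht_table(const unsigned char *p, size_t len, huff_table *h,
                    unsigned char values[HUFF_MAX_SYMBOLS])
{
    if (len < 17)
        return -1;                          /* header byte + 16 counts must be present */
    unsigned char tc = p[0] >> 4, th = p[0] & 0x0F;
    if (tc > 1 || th > 3)
        return -1;                          /* class must be 0/1 (DC/AC), id 0..3 */
    if (build_size_list(h, p + 1) != 0)
        return -1;                          /* count list exceeds the table */
    size_t need = 17 + (size_t)h->nsymbols;
    if (len < need)
        return -1;                          /* symbol list truncated */
    memcpy(values, p + 17, (size_t)h->nsymbols);
    return (int)need;
}

/* Constructed sample payload: DC table 0 with one 2-bit code and two 3-bit codes. */
static const unsigned char GOOD_DHT[] = {
    0x00,                                           /* class 0, id 0 */
    0, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* counts for lengths 1..16 */
    0x01, 0x02, 0x03                                /* symbol values */
};

/* Constructed hostile payload: every count byte is 255, i.e. 4080 claimed symbols. */
static int fill_bad_dht(unsigned char out[17])
{
    out[0] = 0x00;
    memset(out + 1, 255, 16);
    return 17;
}

int main(void)
{
    huff_table h;
    unsigned char values[HUFF_MAX_SYMBOLS];
    unsigned char bad[17];

    int used = parse_dht_table(GOOD_DHT, sizeof GOOD_DHT, &h, values);
    printf("good table: consumed %d bytes, %d symbols\n", used, h.nsymbols);

    fill_bad_dht(bad);
    int rc = parse_dht_table(bad, sizeof bad, &h, values);
    printf("hostile table: rc=%d (rejected before any write)\n", rc);
    return 0;
}
```

The design point is that the total is computed and compared against the table capacity before the expansion loop starts, rather than checking the index inside the loop; either form is safe, but a pre-check keeps the loop free of partial-write states and makes the rejection easy to log at the marker level. Running the block under AddressSanitizer with the hostile payload produces no report, because the write never happens.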

@solidpixel
Contributor

solidpixel commented Jul 4, 2019

Confirmed that this is fixed by #48, once that is merged.

@solidpixel solidpixel self-assigned this Jul 4, 2019