stb_image.h: stbi__hdr_load heap overflow #317
Comments
Is there a reason you're posting a script that generates the file rather than attaching the file?
Well the file itself would be a single instance of things gone wrong, while the script can be used to generate other edge cases and test a potential fix more thoroughly.
Only if I have whatever fuzzing tool you're using? I don't even have python installed, so it's not particularly useful to me either way.
Well this one just generates an evil.hdr file that triggers the issue. There is no additional dependency on anything, just need Python. If you don't want to install Python you might be able to use an online compiler maybe, haven't tried any though.
I've actually been doing a fuzz of the stb_image.h file and have independently identified most of the issues that @cryptoad has found here. I've been using AFL -- http://lcamtuf.coredump.cx/afl/ -- which is very easy to set up and get running. For reference, here is a zip of the file produced by the above script, and I've reproed that it does seg fault.
Attached is a diff that seems to fix the issues reported (and a couple more).
Runs need to be bounds checked. Fixes issues nothings#315, nothings#317.
There is a heap overflow condition in the HDR parsing due to the RLE decoding loop not checking that there is enough space in the allocated buffer.
An HDR triggering the vulnerability can be generated with the following Python script:
And here is the ASan report:
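The bounds check the fix's commit message calls for ("Runs need to be bounds checked"), as an added example that is not stb_image's own code: a self-contained decoder for one channel of a Radiance HDR new-style RLE scanline that rejects a run or literal packet longer than the pixels left on the line instead of writing past the end of the scanline buffer. The 4-pixel line width and the sample packet bytes are constructed for the demo, not taken from the evil.hdr this issue describes.

```c
#include <stddef.h>
#include <stdint.h>
/* Decodes one channel (k = 0..3) of a Radiance HDR "new-style" RLE scanline into
 * an interleaved RGBE buffer of width*4 bytes, the layout stbi__hdr_load uses.
 * A count byte > 128 is a run of (count-128) copies of the next byte; otherwise
 * it is count literal bytes. Returns bytes consumed, or -1 on corrupt/truncated
 * data. Added example for this thread, not stb_image's own code. */
long hdr_rle_decode_channel(const uint8_t *in, size_t in_len,
                            uint8_t *scanline, int width, int k) {
    size_t pos = 0; int i = 0;
    if (width <= 0 || k < 0 || k > 3) return -1;
    while (i < width) {
        if (pos >= in_len) return -1;              /* truncated input */
        int count = in[pos++];
        if (count == 0) return -1;                 /* zero-length packet */
        if (count > 128) {                         /* run packet */
            if (pos >= in_len) return -1;
            uint8_t value = in[pos++];
            count -= 128;
            /* The check this issue is about: a run longer than the pixels left
             * on the line would write past the end of scanline[]. */
            if (count > width - i) return -1;
            for (int z = 0; z < count; ++z) scanline[i++ * 4 + k] = value;
        } else {                                   /* literal (dump) packet */
            if (count > width - i) return -1;      /* same check for dumps */
            if (in_len - pos < (size_t)count) return -1;
            for (int z = 0; z < count; ++z) scanline[i++ * 4 + k] = in[pos++];
        }
    }
    return (long)pos;
}

/* Constructed sample packets for a 4-pixel line (not the page's evil.hdr). */
static const uint8_t GOOD[]    = { 0x82, 0xAA, 0x02, 0x01, 0x02 }; /* run 2, dump 2 */
static const uint8_t OVERRUN[] = { 0x85, 0xFF };                   /* run 5 > 4   */

/* Returns 1 if GOOD decodes into the expected column of channel 0, else 0. */
int demo_good(void) {
    uint8_t scanline[4 * 4] = {0};
    long n = hdr_rle_decode_channel(GOOD, sizeof GOOD, scanline, 4, 0);
    return n == 5 && scanline[0] == 0xAA && scanline[4] == 0xAA
           && scanline[8] == 0x01 && scanline[12] == 0x02;
}

/* Returns the decoder's verdict on the overlong run: -1 means rejected. */
long demo_overrun(void) {
    uint8_t scanline[4 * 4] = {0};
    return hdr_rle_decode_channel(OVERRUN, sizeof OVERRUN, scanline, 4, 0);
}
```

The same `count > width - i` test must be applied in both the run and the literal branch; checking only runs still leaves the dump path writing past the buffer.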