pnm2png stack-buffer-overflow #221

Open
viniul opened this issue Apr 19, 2018 · 2 comments

Comments


viniul commented Apr 19, 2018

Dear pngminus team,

During my research, I have found a stack-buffer-overflow in your program pnm2png
in the pngminus suite (version 1.6.34, running on ArchLinux). I've attached the crashing input (it is contained in the zip folder):
pnm2png.crash.zip

Find below the output of AddressSanitizer.

Best,
Vincent

[root@9385a1b14cf9 tmp]# pnm2png /test/crashpng/pnm2png.crash

==27656==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda5b82800 at pc 0x561f21026cfc bp 0x7ffda5b82630 sp 0x7ffda5b82628
WRITE of size 1 at 0x7ffda5b82800 thread T0
#0 0x561f21026cfb (/usr/bin/pnm2png+0x118cfb)
#1 0x561f21026193 (/usr/bin/pnm2png+0x118193)
#2 0x7f918c4abf49 (/usr/lib/libc.so.6+0x20f49)
#3 0x561f20f292f9 (/usr/bin/pnm2png+0x1b2f9)

Address 0x7ffda5b82800 is located in stack of thread T0 at offset 128 in frame
#0 0x561f210266af (/usr/bin/pnm2png+0x1186af)

This frame has 18 object(s):
[32, 40) 'png_ptr' (line 206)
[64, 72) 'info_ptr' (line 207)
[96, 100) 'row_bytes' (line 211)
[112, 128) 'type_token' (line 213) <== Memory access at offset 128 overflows this variable
[144, 160) 'width_token' (line 214)
[176, 192) 'height_token' (line 215)
[208, 224) 'maxval_token' (line 216)
[240, 244) 'color_type' (line 217)
[256, 264) 'ul_width' (line 218)
[288, 296) 'ul_alpha_width' (line 218)
[320, 328) 'ul_height' (line 219)
[352, 360) 'ul_alpha_height' (line 219)
[384, 392) 'ul_maxval' (line 220)
[416, 420) 'width' (line 221)
[432, 436) 'height' (line 221)
[448, 452) 'alpha_width' (line 222)
[464, 468) 'alpha_height' (line 222)
[480, 484) 'bit_depth' (line 224)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/bin/pnm2png+0x118cfb)
Shadow bytes around the buggy address:
0x100034b684b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034b684c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034b684d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034b684e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034b684f0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 00
=>0x100034b68500:[f2]f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 04 f2
0x100034b68510: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
0x100034b68520: 00 f2 f2 f2 04 f2 04 f2 04 f2 04 f2 04 f3 f3 f3
0x100034b68530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034b68540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034b68550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27656==ABORTING
Aborted
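The ASan frame above shows a one-byte write landing at offset 128, immediately past the 16-byte 'type_token' array, which is the footprint of copying a whitespace-delimited header token into a fixed-size buffer without a length limit. The following is an added example written for this thread, not pngminus's own code: a bounds-checked PNM header tokenizer that takes the buffer size, reserves the terminator slot, and rejects an overlong token instead of writing past the array. The 16-byte buffer size is taken from the ASan frame; the function names, the in-memory input and the sample headers are constructed for the example.

```c
/*
 * Added example (not pngminus's own code): a bounds-checked PNM header
 * tokenizer. A token that does not fit (including its NUL terminator) is
 * reported as an error rather than written past the end of the buffer.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_BUF_SIZE 16   /* same size as the token arrays in the ASan frame */

/* Skip whitespace and '#' comments (to end of line), as PNM headers allow. */
static void skip_space_and_comments(const char *src, size_t *pos)
{
    for (;;) {
        while (src[*pos] != '\0' && isspace((unsigned char)src[*pos]))
            (*pos)++;
        if (src[*pos] == '#') {
            while (src[*pos] != '\0' && src[*pos] != '\n')
                (*pos)++;
            continue;
        }
        return;
    }
}

/*
 * Copy the next whitespace-delimited token from src (starting at *pos) into
 * buf, which holds buf_size bytes. Returns the token length on success, 0 if
 * the input is exhausted, and -1 if the token would not fit together with
 * its NUL terminator. On -1 the buffer holds the truncated, NUL-terminated
 * prefix and *pos is left at the first byte that did not fit, so the caller
 * can abort or skip the remainder of the token as it sees fit.
 */
int get_token_bounded(const char *src, size_t *pos, char *buf, size_t buf_size)
{
    size_t n = 0;

    if (buf_size == 0)
        return -1;
    skip_space_and_comments(src, pos);
    if (src[*pos] == '\0') {
        buf[0] = '\0';
        return 0;
    }
    while (src[*pos] != '\0' && !isspace((unsigned char)src[*pos])) {
        if (n + 1 >= buf_size) {      /* leave room for the terminator */
            buf[n] = '\0';
            return -1;
        }
        buf[n++] = src[(*pos)++];
    }
    buf[n] = '\0';
    return (int)n;
}

/*
 * Parse the four leading tokens of a PGM/PPM header (magic, width, height,
 * maxval) into the caller's fixed-size arrays. Returns 1 on success and
 * 0 if any token is missing or overlong.
 */
int parse_pnm_header(const char *src,
                     char type_token[TOKEN_BUF_SIZE],
                     char width_token[TOKEN_BUF_SIZE],
                     char height_token[TOKEN_BUF_SIZE],
                     char maxval_token[TOKEN_BUF_SIZE])
{
    size_t pos = 0;
    char *slots[4] = { type_token, width_token, height_token, maxval_token };

    for (int i = 0; i < 4; i++) {
        if (get_token_bounded(src, &pos, slots[i], TOKEN_BUF_SIZE) <= 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: a well-formed header and one with an overlong token. */
    const char *good = "P6\n# comment\n640 480\n255\n";
    const char *bad  = "P6 640 480 111111111111111111111111\n";
    char t[TOKEN_BUF_SIZE], w[TOKEN_BUF_SIZE], h[TOKEN_BUF_SIZE], m[TOKEN_BUF_SIZE];

    printf("good header: %s (%s x %s, maxval %s)\n",
           parse_pnm_header(good, t, w, h, m) ? "ok" : "rejected", w, h, m);
    printf("bad header: %s\n",
           parse_pnm_header(bad, t, w, h, m) ? "ok" : "rejected");
    return 0;
}
```

The same shape applies to any fixed-size token array: pass the size alongside the pointer, check before every store, and make the overlong case a visible error rather than silent truncation, since a truncated width or maxval would otherwise be parsed as a different, smaller value.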

Member

ctruta commented Jul 2, 2018

Thank you, but could you please resend your crash input?
I unpacked pnm2png.crash.zip, but it only contains a 40-byte binary file, which I cannot use.

tangyaofang (Contributor) commented

I can't reproduce the problem.
