Skip to content
GitLab
Closed
Created by ChenYuan@zjuchenyuan

AddressSanitizer: negative-size-param of memset in function gdk_pixbuf_gif_anim_iter_get_pixbuf, io-gif-animation.c

POC file: poc1.zip

Trigger command: ./gdk-pixbuf-pixdata poc1 /dev/null

# ./gdk-pixbuf-pixdata poc1 /dev/null
=================================================================
==175786==ERROR: AddressSanitizer: negative-size-param: (size=-1816658060)
    #0 0x7ffff6ef6c79 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cc79)
    #1 0x492fcc in gdk_pixbuf_gif_anim_iter_get_pixbuf ../gdk-pixbuf/io-gif-animation.c:419
    #2 0x48e317 in gdk_pixbuf__gif_image_load ../gdk-pixbuf/io-gif.c:903
    #3 0x416285 in gdk_pixbuf_new_from_file ../gdk-pixbuf/gdk-pixbuf-io.c:1135
    #4 0x409450 in main ../gdk-pixbuf/gdk-pixbuf-pixdata.c:77
    #5 0x7ffff52cbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x40a488 in _start (/d/p/aflasan/latest_gdk-pixbuf-pixdata+0x40a488)

0x7fff5d47f800 is located 0 bytes inside of 2478309236-byte region [0x7fff5d47f800,0x7ffff0fff774)
allocated by thread T0 here:
    #0 0x7ffff6f02612 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98612)
    #1 0x43bfb8 in gdk_pixbuf_new ../gdk-pixbuf/gdk-pixbuf.c:528

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memset
==175786==ABORTING

Build information

I used afl-gcc and export AFL_USE_ASAN=1 to compile.

docker run -it --rm zjuchenyuan/afl
# cat /etc/issue
Ubuntu 16.04.6 LTS \n \l

# cat .git/refs/heads/master
3c7740498fd31b6746dd7e04601886766a6644b7
pip3 install meson
apt install -y ninja-build libglib2.0-dev libpng12-dev libtiff5-dev gettext libgettextpo-dev
git clone https://gitlab.gnome.org/GNOME/gdk-pixbuf
cd gdk-pixbuf
meson _build . -Dx11=false -Dman=false -Dinstalled_tests=false -Dgir=false -Dbuiltin_loaders=all -Ddefault_library=static
cd _build
ninja

Then it failes due to 2 issues:

../gdk-pixbuf/io-gif-animation.c: In function ‘gdk_pixbuf_gif_anim_iter_get_pixbuf’:
../gdk-pixbuf/io-gif-animation.c:418:17: error: implicit declaration of function ‘memset’ [-Werror=implicit-function-declaration]
                 memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
                 ^
../gdk-pixbuf/io-gif-animation.c:418:17: warning: incompatible implicit declaration of built-in function ‘memset’
../gdk-pixbuf/io-gif-animation.c:418:17: note: include ‘<string.h>’ or provide a declaration of ‘memset’
../gdk-pixbuf/io-gif-animation.c:443:33: warning: incompatible implicit declaration of built-in function ‘memset’
                                 memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
                                 ^
../gdk-pixbuf/io-gif-animation.c:443:33: note: include ‘<string.h>’ or provide a declaration of ‘memset’
cc1: some warnings being treated as errors
../tests/pixbuf-gif.c:93:17: error: implicit declaration of function ‘g_file_load_bytes’ [-Werror=implicit-function-declaration]
   input_bytes = g_file_load_bytes (input_file, NULL, NULL, &error);

It seems #include <string.h> line is missing in gdk-pixbuf/io-gif-animation.c, and my glib version 2.48.2 do not have function g_file_load_bytes, so I made some modifications to the code and continue to bulid:

cd .. # return back to code dir
sed -i "1i#include <string.h>"  gdk-pixbuf/io-gif-animation.c
sed -i "57d" tests/meson.build # remove line [ 'pixbuf-gif', ['io'], ],
rm -r _build
meson _build . -Dx11=false -Dman=false -Dinstalled_tests=false -Dgir=false -Dbuiltin_loaders=all -Ddefault_library=static
cd _build
AFL_USE_ASAN=1 ASAN_OPTIONS="detect_leaks=0" ninja

To validate crash:

wget https://gitlab.gnome.org/GNOME/gdk-pixbuf/uploads/a68dee3aaf8b80634f0b10d3f536e714/poc1.zip
unzip poc1.zip
./gdk-pixbuf/gdk-pixbuf-pixdata poc1 /dev/null
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information