AddressSanitizer: negative-size-param of memset in function gdk_pixbuf_gif_anim_iter_get_pixbuf, io-gif-animation.c
POC file: poc1.zip
Trigger command: ./gdk-pixbuf-pixdata poc1 /dev/null
# ./gdk-pixbuf-pixdata poc1 /dev/null
=================================================================
==175786==ERROR: AddressSanitizer: negative-size-param: (size=-1816658060)
#0 0x7ffff6ef6c79 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cc79)
#1 0x492fcc in gdk_pixbuf_gif_anim_iter_get_pixbuf ../gdk-pixbuf/io-gif-animation.c:419
#2 0x48e317 in gdk_pixbuf__gif_image_load ../gdk-pixbuf/io-gif.c:903
#3 0x416285 in gdk_pixbuf_new_from_file ../gdk-pixbuf/gdk-pixbuf-io.c:1135
#4 0x409450 in main ../gdk-pixbuf/gdk-pixbuf-pixdata.c:77
#5 0x7ffff52cbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#6 0x40a488 in _start (/d/p/aflasan/latest_gdk-pixbuf-pixdata+0x40a488)
0x7fff5d47f800 is located 0 bytes inside of 2478309236-byte region [0x7fff5d47f800,0x7ffff0fff774)
allocated by thread T0 here:
#0 0x7ffff6f02612 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98612)
#1 0x43bfb8 in gdk_pixbuf_new ../gdk-pixbuf/gdk-pixbuf.c:528
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memset
==175786==ABORTING
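Why the size is negative: the region ASAN reports is 2478309236 bytes, and 2478309236 wrapped to a signed 32-bit int is exactly -1816658060, the value memset received. The memset in gdk_pixbuf_gif_anim_iter_get_pixbuf multiplies gdk_pixbuf_get_rowstride() by anim->height, both of which are int, so the product overflows before it is widened to the size_t parameter of memset (the compiler diagnostics below show the expression at line 418; the stack trace says 419 because the reporter's sed command inserted an #include at line 1 and shifted every line by one). Converted to size_t, -1816658060 is roughly 1.8 x 10^19, so without ASAN the memset would run past the end of the 2.4 GB buffer. The following C program is an added example, not gdk-pixbuf code: it reproduces that arithmetic and shows the checked size computation a fix needs. The 32768 x 16384 canvas is a constructed input (GIF width and height are 16-bit fields, so it is encodable), and rgba_rowstride assumes the 4-bytes-per-pixel RGBA layout with rows padded to a multiple of 4.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not gdk-pixbuf code.  It models the size argument of
 *   memset(pixels, 0, gdk_pixbuf_get_rowstride(pb) * anim->height);
 * rowstride and height are both int, so the product is evaluated in int
 * and wraps before the result is converted to the size_t memset expects. */

/* What a 32-bit int multiply produced on the reporter's build.  Signed
 * overflow is undefined behaviour in C, so the two's-complement wrap is
 * emulated through unsigned arithmetic to keep the example deterministic. */
static int32_t wrapped_int32(uint64_t value)
{
    return (int32_t)(uint32_t)(value & 0xffffffffu);
}

/* Size memset receives with the original int * int expression. */
static int32_t buggy_memset_size(int rowstride, int height)
{
    return wrapped_int32((uint64_t)(uint32_t)rowstride * (uint32_t)height);
}

/* Hardened form: compute in size_t and refuse the frame when the product
 * cannot be represented.  Returns false on bad input or overflow. */
static bool checked_buffer_size(int rowstride, int height, size_t *out)
{
    if (rowstride <= 0 || height <= 0)
        return false;
    size_t rs = (size_t)rowstride, h = (size_t)height;
    if (rs > SIZE_MAX / h)
        return false;
    *out = rs * h;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the frame is rejected. */
static unsigned long long checked_size_or_zero(int rowstride, int height)
{
    size_t n = 0;
    return checked_buffer_size(rowstride, height, &n) ? (unsigned long long)n : 0;
}

/* Assumed RGBA layout: 4 bytes per pixel, rows padded to a multiple of 4
 * (already a multiple of 4 for four channels). */
static int rgba_rowstride(int width)
{
    return ((width * 4) + 3) & ~3;
}

int main(void)
{
    /* Numbers from the ASAN report: the pixbuf buffer was 2478309236 bytes,
     * and memset was called with size -1816658060. */
    printf("reported buffer %llu bytes -> int wrap %d\n",
           2478309236ull, wrapped_int32(2478309236ull));

    /* Constructed canvas: 4 * 32768 * 16384 = 2^31 bytes, one past INT_MAX. */
    int width = 32768, height = 16384;
    int rowstride = rgba_rowstride(width);
    printf("buggy:   memset size = %d\n", buggy_memset_size(rowstride, height));
    printf("checked: buffer size = %llu\n", checked_size_or_zero(rowstride, height));
    return 0;
}
```

On a 64-bit host the checked version simply yields the correct 2147483648-byte size, because size_t can hold it; the rejection path only triggers when the product exceeds SIZE_MAX or a dimension is non-positive. The point is that the multiply must happen in size_t (gsize in GLib terms), not in int, before the value reaches memset or malloc.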
Build information
I used afl-gcc and exported AFL_USE_ASAN=1 to compile.
docker run -it --rm zjuchenyuan/afl
# cat /etc/issue
Ubuntu 16.04.6 LTS \n \l
# cat .git/refs/heads/master
3c7740498fd31b6746dd7e04601886766a6644b7
pip3 install meson
apt install -y ninja-build libglib2.0-dev libpng12-dev libtiff5-dev gettext libgettextpo-dev
git clone https://gitlab.gnome.org/GNOME/gdk-pixbuf
cd gdk-pixbuf
meson _build . -Dx11=false -Dman=false -Dinstalled_tests=false -Dgir=false -Dbuiltin_loaders=all -Ddefault_library=static
cd _build
ninja
Then it fails due to 2 issues:
../gdk-pixbuf/io-gif-animation.c: In function ‘gdk_pixbuf_gif_anim_iter_get_pixbuf’:
../gdk-pixbuf/io-gif-animation.c:418:17: error: implicit declaration of function ‘memset’ [-Werror=implicit-function-declaration]
memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
^
../gdk-pixbuf/io-gif-animation.c:418:17: warning: incompatible implicit declaration of built-in function ‘memset’
../gdk-pixbuf/io-gif-animation.c:418:17: note: include ‘<string.h>’ or provide a declaration of ‘memset’
../gdk-pixbuf/io-gif-animation.c:443:33: warning: incompatible implicit declaration of built-in function ‘memset’
memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
^
../gdk-pixbuf/io-gif-animation.c:443:33: note: include ‘<string.h>’ or provide a declaration of ‘memset’
cc1: some warnings being treated as errors
../tests/pixbuf-gif.c:93:17: error: implicit declaration of function ‘g_file_load_bytes’ [-Werror=implicit-function-declaration]
input_bytes = g_file_load_bytes (input_file, NULL, NULL, &error);
It seems the #include <string.h> line is missing in gdk-pixbuf/io-gif-animation.c, and my glib version 2.48.2 does not have the function g_file_load_bytes, so I made some modifications to the code and continued to build:
cd .. # return back to code dir
sed -i "1i#include <string.h>" gdk-pixbuf/io-gif-animation.c
sed -i "57d" tests/meson.build # remove line [ 'pixbuf-gif', ['io'], ],
rm -r _build
meson _build . -Dx11=false -Dman=false -Dinstalled_tests=false -Dgir=false -Dbuiltin_loaders=all -Ddefault_library=static
cd _build
AFL_USE_ASAN=1 ASAN_OPTIONS="detect_leaks=0" ninja
To validate the crash:
wget https://gitlab.gnome.org/GNOME/gdk-pixbuf/uploads/a68dee3aaf8b80634f0b10d3f536e714/poc1.zip
unzip poc1.zip
./gdk-pixbuf/gdk-pixbuf-pixdata poc1 /dev/null