AddressSanitizer: heap-buffer-overflow in function OneLine8 and function OneLine4
poc3_heap-buffer-overflow_OneLine8
poc4_heap-buffer-overflow_OneLine4
Step 6/7 : RUN ./gdk-pixbuf/_build/gdk-pixbuf/gdk-pixbuf-pixdata poc3_heap-buffer-overflow_OneLine8 /dev/null || exit 0
---> Running in 9244982d2ba6
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001c264 at pc 0x00000046fe1b bp 0x7ffffffee6b0 sp 0x7ffffffee6a0
READ of size 1 at 0x61d00001c264 thread T0
#0 0x46fe1a in OneLine8 ../gdk-pixbuf/io-ico.c:737
#1 0x46fe1a in OneLine ../gdk-pixbuf/io-ico.c:869
#2 0x46fe1a in gdk_pixbuf__ico_image_load_increment ../gdk-pixbuf/io-ico.c:965
#3 0x40b83b in generic_load_incrementally ../gdk-pixbuf/gdk-pixbuf-io.c:1036
#4 0x415cb5 in gdk_pixbuf_new_from_file ../gdk-pixbuf/gdk-pixbuf-io.c:1135
#5 0x40929f in main ../gdk-pixbuf/gdk-pixbuf-pixdata.c:77
#6 0x7ffff53b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x40a378 in _start (/gdk-pixbuf/_build/gdk-pixbuf/gdk-pixbuf-pixdata+0x40a378)
0x61d00001c264 is located 114 bytes to the right of 2418-byte region [0x61d00001b880,0x61d00001c1f2)
allocated by thread T0 here:
#0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x46f4b4 in DecodeHeader ../gdk-pixbuf/io-ico.c:456
#2 0x46f4b4 in gdk_pixbuf__ico_image_load_increment ../gdk-pixbuf/io-ico.c:973
SUMMARY: AddressSanitizer: heap-buffer-overflow ../gdk-pixbuf/io-ico.c:737 OneLine8
Shadow bytes around the buggy address:
0x0c3a7fffb7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffb810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffb820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffb830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 fa
=>0x0c3a7fffb840: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c3a7fffb850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffb860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffb870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffb880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffb890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==7==ABORTING
Removing intermediate container 9244982d2ba6
---> 5bdfd5a96846
Step 7/7 : RUN ./gdk-pixbuf/_build/gdk-pixbuf/gdk-pixbuf-pixdata poc4_heap-buffer-overflow_OneLine4 /dev/null || exit 0
---> Running in 26fa1f4dd8e4
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000fb20 at pc 0x000000470a45 bp 0x7ffffffee6b0 sp 0x7ffffffee6a0
READ of size 1 at 0x61e00000fb20 thread T0
#0 0x470a44 in OneLine4 ../gdk-pixbuf/io-ico.c:766
#1 0x470a44 in OneLine ../gdk-pixbuf/io-ico.c:871
#2 0x470a44 in gdk_pixbuf__ico_image_load_increment ../gdk-pixbuf/io-ico.c:965
#3 0x40b83b in generic_load_incrementally ../gdk-pixbuf/gdk-pixbuf-io.c:1036
#4 0x415cb5 in gdk_pixbuf_new_from_file ../gdk-pixbuf/gdk-pixbuf-io.c:1135
#5 0x40929f in main ../gdk-pixbuf/gdk-pixbuf-pixdata.c:77
#6 0x7ffff53b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x40a378 in _start (/gdk-pixbuf/_build/gdk-pixbuf/gdk-pixbuf-pixdata+0x40a378)
0x61e00000fb20 is located 2 bytes to the right of 2718-byte region [0x61e00000f080,0x61e00000fb1e)
allocated by thread T0 here:
#0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x46d09b in DecodeHeader ../gdk-pixbuf/io-ico.c:350
#2 0x46d09b in gdk_pixbuf__ico_image_load_increment ../gdk-pixbuf/io-ico.c:973
SUMMARY: AddressSanitizer: heap-buffer-overflow ../gdk-pixbuf/io-ico.c:766 OneLine4
Shadow bytes around the buggy address:
0x0c3c7fff9f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff9f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff9f60: 00 00 00 06[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==7==ABORTING
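For triaging fuzzer crashes like the two reports above, the added script below (not part of this report or of gdk-pixbuf) parses ASan heap-buffer-overflow output into the fields that matter for deduplication: faulting function and source line, access size, distance past the allocated region, and the allocation site behind the allocator frame. It assumes the report shape shown above (a "located ... bytes to the ..." line followed by an "allocated by" stack); the sample text is a constructed excerpt of the two reports.

```python
import re

# Constructed excerpt of the two ASan reports above (shadow-byte dumps omitted).
SAMPLE = """\
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001c264 at pc 0x00000046fe1b
READ of size 1 at 0x61d00001c264 thread T0
    #0 0x46fe1a in OneLine8 ../gdk-pixbuf/io-ico.c:737
0x61d00001c264 is located 114 bytes to the right of 2418-byte region [0x61d00001b880,0x61d00001c1f2)
allocated by thread T0 here:
    #0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x46f4b4 in DecodeHeader ../gdk-pixbuf/io-ico.c:456
==7==ABORTING
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000fb20 at pc 0x000000470a45
READ of size 1 at 0x61e00000fb20 thread T0
    #0 0x470a44 in OneLine4 ../gdk-pixbuf/io-ico.c:766
0x61e00000fb20 is located 2 bytes to the right of 2718-byte region [0x61e00000f080,0x61e00000fb1e)
allocated by thread T0 here:
    #0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x46d09b in DecodeHeader ../gdk-pixbuf/io-ico.c:350
==7==ABORTING
"""

ERR = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", re.M)
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
LOCATED = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
ALLOCATORS = {"malloc", "calloc", "realloc"}  # frame 0 of the allocation stack

def parse_report(chunk):
    """Extract the triage-relevant fields from one heap-buffer-overflow report."""
    bug, addr = ERR.search(chunk).groups()
    access, size = ACCESS.search(chunk).groups()
    offset, side, region = LOCATED.search(chunk).groups()
    # Frames before "allocated by" belong to the faulting access, frames after
    # it to the allocation; skip the allocator itself to find its caller.
    access_part, _, alloc_part = chunk.partition("allocated by")
    func, site = FRAME.search(access_part).groups()
    alloc = next(f for f in FRAME.findall(alloc_part) if f[0] not in ALLOCATORS)
    return {"bug": bug, "addr": addr, "access": access, "size": int(size),
            "func": func, "site": site, "offset": int(offset), "side": side,
            "region": int(region), "alloc_func": alloc[0], "alloc_site": alloc[1]}

def parse_asan(text):
    # Split concatenated sanitizer output at each "==<pid>==ERROR" header.
    chunks = re.split(r"(?m)^(?===\d+==ERROR)", text)
    return [parse_report(c) for c in chunks if "==ERROR" in c]

def dedup_key(crash):
    # Same bug type at the same faulting and allocating lines is one bug, whichever PoC reached it.
    return (crash["bug"], crash["site"], crash["alloc_site"])
```

Run over a directory of crash logs, `dedup_key` collapses re-discoveries of the same overflow while keeping OneLine8 and OneLine4 apart, since they fault at different lines and come from different DecodeHeader reallocations.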
A reproducible Docker image has been pushed to zjuchenyuan/dockerized_poc:gdk-pixbuf. Dockerfile:
FROM zjuchenyuan/afl
RUN apt update &&\
apt install -y ninja-build libglib2.0-dev libpng12-dev libtiff5-dev gettext libgettextpo-dev &&\
pip3 install meson &&\
git clone https://gitlab.gnome.org/GNOME/gdk-pixbuf &&\
cd gdk-pixbuf &&\
git checkout 3c7740498fd31b6746dd7e04601886766a6644b7 &&\
sed -i "1i#include <string.h>" gdk-pixbuf/io-gif-animation.c &&\
sed -i "57d" tests/meson.build &&\
meson _build . -Dx11=false -Dman=false -Dinstalled_tests=false -Dgir=false -Dbuiltin_loaders=all -Ddefault_library=static &&\
cd _build &&\
AFL_USE_ASAN=1 ASAN_OPTIONS="detect_leaks=0" ninja
ADD . /
RUN ./gdk-pixbuf/_build/gdk-pixbuf/gdk-pixbuf-pixdata poc3_heap-buffer-overflow_OneLine8 /dev/null || exit 0
RUN ./gdk-pixbuf/_build/gdk-pixbuf/gdk-pixbuf-pixdata poc4_heap-buffer-overflow_OneLine4 /dev/null || exit 0