crash on reading malformed PNG
Submitted by xqx
Link to original bug (#795249)
Description
Another outbound write bug in gegl. The debug information is as follows:

======== gdb --args gegl $POC
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

(gegl:201): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead

(gegl:201): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead
LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range.
LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range.

** (gegl:201): WARNING **: No display handler operation found for gegl:display
LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range.
[New Thread 0x7fffef432700 (LWP 202)]

Thread 1 "gegl" received signal SIGSEGV, Segmentation fault.
babl_format_get_bytes_per_pixel (format=0x824871a0) at babl-format.c:538
538       if (format->class_type == BABL_FORMAT)
$ bt
#0 babl_format_get_bytes_per_pixel (format=0x824871a0) at babl-format.c:538
#1 0x00007ffff7b06ad5 in constructed (object=<optimized out>) at ../../../gegl/gegl/buffer/gegl-tile-backend.c:128
#2 0x00007ffff7b0f37b in gegl_tile_backend_swap_constructed (object=0x7355c0) at ../../../gegl/gegl/buffer/gegl-tile-backend-swap.c:825
#3 0x00007ffff77b1897 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#4 0x00007ffff77b31b5 in g_object_new_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5 0x00007ffff77b3521 in g_object_new () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6 0x00007ffff7a819a1 in gegl_buffer_constructor (type=<optimized out>, n_params=16, params=<optimized out>) at ../../../gegl/gegl/buffer/gegl-buffer.c:578
#7 0x00007ffff77b1149 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8 0x00007ffff77b31b5 in g_object_new_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#9 0x00007ffff77b3521 in g_object_new () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#10 0x00007ffff7b5114f in gegl_node_get_cache (node=<optimized out>) at ../../../gegl/gegl/graph/gegl-node.c:2015
#11 0x00007ffff7b6e471 in gegl_processor_set_rectangle (processor=0x735460, rectangle=<optimized out>) at ../../../gegl/gegl/process/gegl-processor.c:366
#12 0x00007ffff77b170d in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007ffff77b31b5 in g_object_new_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00007ffff77b3521 in g_object_new () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 0x00007ffff7b732dc in gegl_node_new_processor (node=<optimized out>, rectangle=<optimized out>) at ../../../gegl/gegl/process/gegl-processor.c:829
#16 0x00007ffff7b50a4a in gegl_node_process (self=0x6962c0) at ../../../gegl/gegl/graph/gegl-node.c:1825
#17 0x00000000004039ea in main (argc=<optimized out>, argv=<optimized out>) at ../../gegl/bin/gegl.c:255
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: 2de8b3adb00a42a787c6c00f820ea8be.4b5b031fbd08ebbe2eb2f77fcda9adc2
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)
======= For the PoC, please refer to: https://github.com/xiaoqx/pocs/blob/master/gegl/gegl-outbound-write-2