Out-of-bound write
```
sirius@lambda:~/Desktop/stegdetect-master$ valgrind ./stegdetect -tF ../crashes/id:000001,sig:11,src:000000,op:flip1,pos:297
==91335== Memcheck, a memory error detector
==91335== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==91335== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==91335== Command: ./stegdetect -tF ../crashes/id:000001,sig:11,src:000000,op:flip1,pos:297
==91335==
==91335== Invalid write of size 4
==91335==    at 0x40ACF5: f5_compress (f5.c:126)
==91335==    by 0x40BE79: detect_f5 (f5.c:505)
==91335==    by 0x4067C7: detect (stegdetect.c:1213)
==91335==    by 0x402087: main (stegdetect.c:1568)
==91335==  Address 0x80 is not stack'd, malloc'd or (recently) free'd
==91335==
==91335==
==91335== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==91335==  Access not within mapped region at address 0x80
==91335==    at 0x40ACF5: f5_compress (f5.c:126)
==91335==    by 0x40BE79: detect_f5 (f5.c:505)
==91335==    by 0x4067C7: detect (stegdetect.c:1213)
==91335==    by 0x402087: main (stegdetect.c:1568)
==91335==  If you believe this happened as a result of a stack
==91335==  overflow in your program's main thread (unlikely but
==91335==  possible), you can try to increase the size of the
==91335==  main thread stack using the --main-stacksize= flag.
==91335==  The main thread stack size used in this run was 8388608.
==91335==
==91335== HEAP SUMMARY:
==91335==     in use at exit: 143,896 bytes in 79 blocks
==91335==   total heap usage: 83 allocs, 4 frees, 150,144 bytes allocated
==91335==
==91335== LEAK SUMMARY:
==91335==    definitely lost: 108,664 bytes in 3 blocks
==91335==    indirectly lost: 0 bytes in 0 blocks
==91335==      possibly lost: 0 bytes in 0 blocks
==91335==    still reachable: 35,232 bytes in 76 blocks
==91335==         suppressed: 0 bytes in 0 blocks
==91335== Rerun with --leak-check=full to see details of leaked memory
==91335==
==91335== For counts of detected and suppressed errors, rerun with: -v
==91335== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
```
the poc
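Added here as a triage aid for reports like the one above, not code from the report or from stegdetect: a small parser that reads a Memcheck error block, pulls out the access kind, the faulting frame and the reported address, and classifies the fault by where that address lies. The sample log is re-typed from the output above; the 4 KiB page-size threshold is an assumption.

```python
import re

# Constructed from the issue's Valgrind output: the first error block only,
# re-typed here as sample input for the parser (example code, not stegdetect's).
SAMPLE_LOG = """\
==91335== Invalid write of size 4
==91335==    at 0x40ACF5: f5_compress (f5.c:126)
==91335==    by 0x40BE79: detect_f5 (f5.c:505)
==91335==    by 0x4067C7: detect (stegdetect.c:1213)
==91335==    by 0x402087: main (stegdetect.c:1568)
==91335==  Address 0x80 is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) (.*)$")

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, as on x86-64 Linux


def triage(log: str) -> dict:
    """Extract access kind, call frames and address; classify the fault."""
    info = {"kind": None, "size": None, "frames": [], "address": None,
            "location": None, "classification": "unknown"}
    for line in log.splitlines():
        if m := ERROR_RE.match(line):
            info["kind"], info["size"] = m.group(1), int(m.group(2))
        elif m := FRAME_RE.match(line):
            info["frames"].append(f"{m.group(1)} ({m.group(2)})")
        elif m := ADDR_RE.match(line):
            info["address"], info["location"] = int(m.group(1), 16), m.group(2)
    addr = info["address"]
    if addr is not None:
        if addr < PAGE_SIZE:
            # An address inside the first page is almost always a NULL pointer
            # plus a small struct offset or array index; the write faults before
            # it can corrupt anything, so the impact is a crash, not corruption.
            info["classification"] = "near-null pointer dereference"
        elif "block of size" in (info["location"] or ""):
            # Memcheck names the heap block when the access lands just past it.
            info["classification"] = "heap buffer overflow"
        else:
            info["classification"] = "wild pointer access"
    return info


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['kind']} of {r['size']} bytes in {r['frames'][0]}: {r['classification']}")
```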
CVE-2018-18599 has been assigned for this issue. @D4rkD0g Thank you for your work. Btw you should minimize crashing samples. Sample minimized with afl-tmin 2.52b here: CVE-2018-18599.jpeg.zip
cbc06736f17753db5b3a5f6544d9777a37bacd63  CVE-2018-18599.jpeg
aa5eea508b6cddb4ed3e89ecb7b6650cab398aff  CVE-2018-18599.jpeg.zip
@D4rkD0g why did you close this issue report?
@fgeek I'm SORRY for my mishandling, I thought it was notified by the developer. I'll reopen it and get your suggestions. Thank you 😀
Thank you for finding this bug.
However this is merely a code-mirror of an unmaintained research project. I won't be acting on this report.
As such, I've added a disclaimer to the top of the README and will leave this issue open as a signpost to future developers (if they ever wander here).