
heap-buffer-overflow in Function psd_get_layer_channel_image_data()

Open Asteriska001 opened this issue 3 years ago • 0 comments

Description

A heap-buffer-overflow was discovered in psdump. The issue is triggered in the function psd_get_layer_channel_image_data().

Environment

Ubuntu 18.04, 64bit

Reproduce

Command: git clone the latest version first. Then run: make && make install; ./psdump poc

With ASAN

Note: You can use ASAN for more direct verification. Compile the program with AddressSanitizer using this command:

obj-files = build/main.o build/Document.o build/Layer.o build/Record.o build/LayerGroup.o build/TextFormatter.o build/XmlFormatter.o build/PlistFormatter.o build/PsdParser.o build/JsonFormatter.o build/lodepng.o

libpsd-objects = adjustment.o bevel_emboss.o bitmap.o blend.o boundary.o brightness_contrast.o channel_image.o channel_mixer.o color.o color_balance.o color_mode.o color_overlay.o \
	curves.o descriptor.o drop_shadow.o effects.o file_header.o fixed.o gaussian_blur.o gradient_blend.o gradient_fill.o gradient_map.o gradient_overlay.o hue_saturation.o image_data.o \
	image_resource.o inner_glow.o inner_shadow.o invert.o layer_mask.o levels.o outer_glow.o path.o pattern.o pattern_fill.o pattern_overlay.o photo_filter.o posterize.o psd.o psd_system.o \
	psd_zip.o rect.o satin.o selective_color.o solid_color.o stream.o stroke.o threshold.o thumbnail.o type_tool.o

psdump: build_dir build/libpsd-0.9 $(obj-files)
	g++ -fsanitize=address $(obj-files) $(libpsd-objects) -o build/psdump

build/libpsd-0.9:
	gcc -fsanitize=address -Ilibpsd-0.9/include -c libpsd-0.9/src/*.c
	touch build/libpsd-0.9

build_dir:
	mkdir -p build

build/main.o: src/main.cpp src/Document.h src/formatter/TextFormatter.h src/formatter/XmlFormatter.h src/formatter/JsonFormatter.h src/parser/PsdParser.h
	g++ -fsanitize=address -c -Wno-write-strings -Ilibpsd-0.9/include src/main.cpp -o build/main.o

build/Document.o: src/Document.cpp src/Document.h
	g++ -fsanitize=address -c src/Document.cpp -o build/Document.o

build/Layer.o: src/Layer.cpp src/Layer.h
	g++ -fsanitize=address -c src/Layer.cpp -o build/Layer.o

build/Record.o: src/Record.cpp src/Record.h
	g++ -fsanitize=address -c src/Record.cpp -o build/Record.o

build/LayerGroup.o: src/LayerGroup.cpp src/LayerGroup.h
	g++ -fsanitize=address -c src/LayerGroup.cpp -o build/LayerGroup.o

build/TextFormatter.o: src/formatter/TextFormatter.cpp src/formatter/TextFormatter.h
	g++ -fsanitize=address -c src/formatter/TextFormatter.cpp -o build/TextFormatter.o

build/PlistFormatter.o: src/formatter/PlistFormatter.cpp src/formatter/PlistFormatter.h
	g++ -fsanitize=address -c src/formatter/PlistFormatter.cpp -o build/PlistFormatter.o

build/XmlFormatter.o: src/formatter/XmlFormatter.cpp src/formatter/XmlFormatter.h
	g++ -fsanitize=address -c src/formatter/XmlFormatter.cpp -o build/XmlFormatter.o

build/JsonFormatter.o: src/formatter/JsonFormatter.cpp src/formatter/JsonFormatter.h
	g++ -fsanitize=address -c src/formatter/JsonFormatter.cpp -o build/JsonFormatter.o

build/PsdParser.o: src/parser/PsdParser.cpp src/parser/PsdParser.h
	g++ -fsanitize=address -c -Ilibpsd-0.9/include src/parser/PsdParser.cpp -o build/PsdParser.o

build/lodepng.o: src/lodepng/lodepng.cpp src/lodepng/lodepng.h
	g++ -fsanitize=address -c src/lodepng/lodepng.cpp -o build/lodepng.o

.PHONY: clean tidyup shtest test

test:
	python test/test.py

shtest:
	test/test.sh

tidyup:
	rm -f build/*.o
	rm -f build/libpsd-0.9
	rm -f *.o

clean:
	rm -rf build
	rm -f *.o

ASAN:

=================================================================
==21952==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x627000003100 at pc 0x7f7e6fb71c33 bp 0x7ffea7e833c0 sp 0x7ffea7e82b68
WRITE of size 67 at 0x627000003100 thread T0
#0 0x7f7e6fb71c32 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
#1 0x564c875605f8 in psd_get_layer_channel_image_data libpsd-0.9/src/channel_image.c:897
#2 0x564c8759a485 in psd_get_layer_info libpsd-0.9/src/layer_mask.c:700
#3 0x564c8759a968 in psd_get_layer_and_mask libpsd-0.9/src/layer_mask.c:785
#4 0x564c875a9d85 in psd_main_loop libpsd-0.9/src/psd.c:194
#5 0x564c875a9903 in psd_image_load_tag libpsd-0.9/src/psd.c:81
#6 0x564c875a998b in psd_image_load libpsd-0.9/src/psd.c:100
#7 0x564c874fd13f in PsdParser::parse() src/parser/PsdParser.cpp:45
#8 0x564c874f85b3 in main src/main.cpp:163
#9 0x7f7e6f5e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#10 0x564c874f7c8d in _start (/AFLplusplus/my_test/tanuki/asan_bin/psdump_x+0xfc8d)

0x627000003100 is located 0 bytes to the right of 12288-byte region [0x627000000100,0x627000003100)
allocated by thread T0 here:
#0 0x7f7e6fbecc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x564c875a9ee1 in psd_malloc libpsd-0.9/src/psd_system.c:10
#2 0x564c8755fc1a in psd_get_layer_channel_image_data libpsd-0.9/src/channel_image.c:804
#3 0x564c8759a485 in psd_get_layer_info libpsd-0.9/src/layer_mask.c:700
#4 0x564c8759a968 in psd_get_layer_and_mask libpsd-0.9/src/layer_mask.c:785
#5 0x564c875a9d85 in psd_main_loop libpsd-0.9/src/psd.c:194
#6 0x564c875a9903 in psd_image_load_tag libpsd-0.9/src/psd.c:81
#7 0x564c875a998b in psd_image_load libpsd-0.9/src/psd.c:100
#8 0x564c874fd13f in PsdParser::parse() src/parser/PsdParser.cpp:45
#9 0x564c874f85b3 in main src/main.cpp:163
#10 0x7f7e6f5e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
Shadow bytes around the buggy address:
0x0c4e7fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fff85e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fff85f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fff8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fff8610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4e7fff8620:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==21952==ABORTING

POC: 000004.zip

Asteriska001, Apr 07 '22 11:04
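The ASAN report above records a memset writing 67 bytes starting exactly at the end of a 12288-byte heap region. As an added example (not libpsd's or psdump's code, and not part of the report), the hypothetical helpers below show the two checks that prevent this class of defect when a parser sizes and fills buffers from untrusted image-file fields: an overflow-safe size computation from header values, and a memset bounded by the allocation size carried alongside the buffer. The sizes are constructed to match the report; the type and function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes matching the ASAN report: a 12288-byte channel buffer
 * and a 67-byte fill that begins exactly at its end. */
#define DEMO_BUF_SIZE 12288u
#define DEMO_FILL_LEN 67u

/* Hypothetical channel image buffer: the allocation size travels with the
 * pointer so every write can be checked against it. */
typedef struct {
    uint8_t *data;
    size_t   size;
} channel_buf;

/* width * height * bytes_per_pixel from untrusted header fields, failing
 * instead of wrapping on overflow. Returns 1 and sets *out on success. */
int channel_buf_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0) return 0;
    if ((size_t)height > SIZE_MAX / width) return 0;
    size_t pixels = (size_t)width * height;
    if ((size_t)bpp > SIZE_MAX / pixels) return 0;
    *out = pixels * bpp;
    return 1;
}

/* Bounded memset: reject any fill that would end past the allocation.
 * Returns 1 if the fill was performed, 0 if it was refused. */
int channel_buf_fill(channel_buf *b, size_t offset, uint8_t value, size_t len)
{
    if (b == NULL || b->data == NULL) return 0;
    if (offset > b->size || len > b->size - offset) return 0;
    memset(b->data + offset, value, len);
    return 1;
}

/* Re-create the report's geometry: a fill of the whole 12288-byte buffer is
 * accepted, a 67-byte fill starting at offset 12288 is refused. Returns 1
 * when both behave as expected, -1 if allocation failed. */
int demo_rejects_overflow(void)
{
    channel_buf b = { malloc(DEMO_BUF_SIZE), DEMO_BUF_SIZE };
    if (b.data == NULL) return -1;
    int in_bounds = channel_buf_fill(&b, 0, 0, DEMO_BUF_SIZE);
    int past_end  = channel_buf_fill(&b, DEMO_BUF_SIZE, 0, DEMO_FILL_LEN);
    free(b.data);
    return (in_bounds == 1 && past_end == 0) ? 1 : 0;
}
```

Built with -fsanitize=address as in the Makefile above, the unchecked variant of the same 67-byte write would produce exactly the "0 bytes to the right of 12288-byte region" diagnosis shown in the report.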