aaphoto
SIGABRT on specially crafted file - f7b09a31
Hi,
Through fuzzing I found a file that would cause a double free or corruption in aaphoto.
I am using aaphoto compiled from commit e566f9b01525c5101599d10cf5a37dd8acdb27d8 with ASAN.
Reproduction command line: aaphoto f7b09a31.jpg

BT:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./aaphoto ../aaphoto-0.43.1/out_2/crashes/id:000001,sig:06,src:000011,op:flip32'.
Program terminated with signal SIGABRT, Aborted.
#0 0x00007ffff6c45bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0 0x00007ffff6c45bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6c48fc8 in __GI_abort () at abort.c:89
#2 0x00007ffff6c82e14 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6d915a8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6c8f0ee in malloc_printerr (ptr=<optimized out>, str=0x7ffff6d916b8 "double free or corruption (top)", action=1) at malloc.c:4996
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5 0x00007ffff7414ed8 in ?? () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#6 0x00007ffff7415f14 in jas_stream_close () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#7 0x00007ffff740dc42 in ?? () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#8 0x00007ffff740dd9e in ?? () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#9 0x00007ffff740ed9a in jas_image_addcmpt () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#10 0x00007ffff743a7dc in jpg_decode () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#11 0x00007ffff740eecd in jas_image_decode () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#12 0x000000000042d6cf in BITMAP_READ_JASPER (file_name=file_name@entry=0x7fffffffdbb0 "../aaphoto-0.43.1/out_2/crashes/id:000001,sig:06,src:000011,op:flip32,pos:6305") at aaio.c:1256
#13 0x000000000043710d in BITMAP_LOAD (file_name=file_name@entry=0x7fffffffdbb0 "../aaphoto-0.43.1/out_2/crashes/id:000001,sig:06,src:000011,op:flip32,pos:6305") at aaio.c:2157
#14 0x000000000044eb10 in MAIN_RUN (file_name=0x7fffffffdbb0 "../aaphoto-0.43.1/out_2/crashes/id:000001,sig:06,src:000011,op:flip32,pos:6305") at aaphoto.c:485
#15 0x000000000045a838 in MAIN_ARGUMENTS_READ (argc=<optimized out>, argc@entry=2, argv=<optimized out>, argv@entry=0x7fffffffe0f8) at aaphoto.c:1040
#16 0x0000000000402504 in main (argc=2, argv=0x7fffffffe0f8) at aaphoto.c:1130
#17 0x00007ffff6c30ec5 in __libc_start_main (main=0x402470 <main>, argc=2, argv=0x7fffffffe0f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe0e8) at libc-start.c:287
#18 0x0000000000402580 in _start ()
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: f7b09a3116a2b10e407f829998f59d55.c43e5f4d1282b9da17d7b7bc57a1439e
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: AbortSignal (20/22)
exe = './aaphoto ../aaphoto-0.43.1/out_2/crashes/id:000001,sig:06,src:000011,op:flip32'
System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
Found with the fuzzer American Fuzzy Lop ( http://lcamtuf.coredump.cx/afl/ )
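Added example, not part of this report or of the aaphoto project: a small Python triage helper that parses gdb backtraces of the shape shown above and derives a deduplication signature (signal, glibc allocator message, first shared library on the stack, first frame in the project's own sources). The sample backtrace is a trimmed subset of the frames from this report; the project source names `aaio.c` and `aaphoto.c` are taken from the trace, and the `Frame`/`Triage` names and the signature format are this example's own choices.

```python
"""Parse a gdb backtrace into frames and derive a crash signature that
groups fuzzer findings hitting the same code path (constructed example)."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed subset of the frames in the report above (not a full core dump).
SAMPLE_BT = r"""
Program terminated with signal SIGABRT, Aborted.
#0 0x00007ffff6c45bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6c48fc8 in __GI_abort () at abort.c:89
#2 0x00007ffff6c82e14 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6d915a8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6c8f0ee in malloc_printerr (ptr=<optimized out>, str=0x7ffff6d916b8 "double free or corruption (top)", action=1) at malloc.c:4996
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5 0x00007ffff7414ed8 in ?? () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#6 0x00007ffff7415f14 in jas_stream_close () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#9 0x00007ffff740ed9a in jas_image_addcmpt () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#11 0x00007ffff740eecd in jas_image_decode () from /usr/lib/x86_64-linux-gnu/libjasper.so.1
#12 0x000000000042d6cf in BITMAP_READ_JASPER (file_name=file_name@entry=0x7fffffffdbb0 "../aaphoto-0.43.1/out_2/crashes/id:000001,sig:06,src:000011,op:flip32,pos:6305") at aaio.c:1256
#13 0x000000000043710d in BITMAP_LOAD (file_name=file_name@entry=0x7fffffffdbb0 "../aaphoto-0.43.1/out_2/crashes/id:000001,sig:06,src:000011,op:flip32,pos:6305") at aaio.c:2157
#16 0x0000000000402504 in main (argc=2, argv=0x7fffffffe0f8) at aaphoto.c:1130
#18 0x0000000000402580 in _start ()
"""

FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"       # address is absent for inlined frames (#4)
    r"(?P<func>\S+)\s*\((?P<args>.*)\)"  # greedy: argument values may contain ')'
    r"\s*(?:at\s+(?P<file>\S+?):(?P<line>\d+)|from\s+(?P<lib>\S+))?\s*$"
)
SIGNAL_RE = re.compile(r"terminated with signal (\w+)")
MALLOC_ERR_RE = re.compile(r'str=0x[0-9a-fA-F]+ "([^"]*)"')


@dataclass
class Frame:
    num: int
    func: str
    args: str
    file: Optional[str]
    line: Optional[int]
    lib: Optional[str]


@dataclass
class Triage:
    signal: Optional[str]
    allocator_error: Optional[str]   # glibc message passed to malloc_printerr
    crashing_lib: Optional[str]      # first shared object on the stack
    project_frame: Optional[str]     # first frame inside the project's sources
    signature: str


def parse_frames(text: str) -> List[Frame]:
    """Return the numbered frames found in a gdb 'bt' listing, top first."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["num"]), m["func"], m["args"], m["file"],
                                int(m["line"]) if m["line"] else None, m["lib"]))
    return frames


def triage(text: str, project_sources: Set[str]) -> Triage:
    """Summarise one backtrace; project_sources are basenames like 'aaio.c'."""
    frames = parse_frames(text)
    sig = SIGNAL_RE.search(text)
    signal = sig.group(1) if sig else None
    err = None
    for f in frames:
        if f.func == "malloc_printerr":
            m = MALLOC_ERR_RE.search(f.args)
            err = m.group(1) if m else None
            break
    lib = next((os.path.basename(f.lib) for f in frames if f.lib), None)
    proj = next((f"{f.func}@{f.file}:{f.line}" for f in frames
                 if f.file and os.path.basename(f.file) in project_sources), None)
    signature = "|".join(x or "-" for x in (signal, err, lib, proj))
    return Triage(signal, err, lib, proj, signature)


if __name__ == "__main__":
    print(triage(SAMPLE_BT, {"aaio.c", "aaphoto.c"}).signature)
```

Two crash files that produce the same signature almost always share a root cause, so grouping AFL output by it cuts the number of cases to examine by hand; the first project frame (here `BITMAP_READ_JASPER` at `aaio.c:1256`) is also where a library-side fault becomes the application's responsibility to handle, which is the natural place to start when deciding whether the fix belongs in the caller or upstream.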