Package: gocr
Version: 0.49-2+b1
Severity: important
Tags: security

heap buffer overflow running gocr with "poc" option

Running 'gocr poc' with the attached file raises a heap buffer overflow, which may allow a remote attacker to cause unspecified impact including a denial-of-service attack. I expected the program to terminate without segfault, but the program crashes as follows:

june@june:~/temp/report/gocr/00004223$ ../../binary/gocr-0.49/src/gocr poc
=================================================================
==5380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffc1 at pc 0x55555562c95f bp 0x7fffffff4da0 sp 0x7fffffff4d98
READ of size 1 at 0x61400000ffc1 thread T0
    #0 0x55555562c95e in thresholding /home/june/temp/report/binary/gocr-0.49/src/otsu.c:255
    #1 0x55555558bf0c in pgm2asc /home/june/temp/report/binary/gocr-0.49/src/pgm2asc.c:2790
    #2 0x55555556a1d8 in main /home/june/temp/report/binary/gocr-0.49/src/gocr.c:368
    #3 0x7ffff65972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #4 0x555555568149 in _start (/home/june/temp/report/binary/gocr-0.49/src/gocr+0x14149)

0x61400000ffc1 is located 0 bytes to the right of 385-byte region [0x61400000fe40,0x61400000ffc1)
allocated by thread T0 here:
    #0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x555555642c50 in readpgm /home/june/temp/report/binary/gocr-0.49/src/pnm.c:225
    #2 0x555555569e93 in read_picture /home/june/temp/report/binary/gocr-0.49/src/gocr.c:310
    #3 0x55555556a1ba in main /home/june/temp/report/binary/gocr-0.49/src/gocr.c:361
    #4 0x7ffff65972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/june/temp/report/binary/gocr-0.49/src/otsu.c:255 in thresholding
Shadow bytes around the buggy address:
  0x0c287fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9ff0: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5380==ABORTING

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gocr depends on:
ii  libc6  2.24-11+deb9u1

Versions of packages gocr recommends:
ii  bzip2                                 1.0.6-8.1
ii  fig2dev [transfig]                    1:3.2.6a-2+deb9u1
ii  libjpeg-turbo-progs [libjpeg-progs]   1:1.5.1-2
ii  netpbm                                2:10.0-15.3+b2
ii  transfig                              1:3.2.6a-2+deb9u1

gocr suggests no packages.

-- no debconf information
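The trace above shows the classic shape of this bug class: a pixel buffer is allocated by the image reader (readpgm) at one size, and a later pass (thresholding in otsu.c) reads one byte past its end. The example below is an added illustration written for this report, not gocr's code: it loads a binary PGM (P5) from memory, rejects a file whose declared width*height exceeds the pixel data actually present, and only then runs an Otsu threshold over exactly the bytes that exist. It assumes an 8-bit, comment-free P5 header; the sample image is constructed inline, and one deliberately truncated copy shows the loader refusing it instead of reading out of bounds.

```c
#include <stddef.h>
#include <stdio.h>

/* Geometry cap: keeps (size_t)w * h from overflowing on any platform. */
#define MAX_DIM 65535u

struct pgm { unsigned w, h; const unsigned char *pix; };

/* Read an unsigned decimal after skipping ASCII whitespace; returns 1 on success. */
static int read_uint(const unsigned char *buf, size_t len, size_t *pos, unsigned *out) {
    while (*pos < len && (buf[*pos] == ' ' || buf[*pos] == '\n' ||
                          buf[*pos] == '\r' || buf[*pos] == '\t'))
        (*pos)++;
    if (*pos >= len || buf[*pos] < '0' || buf[*pos] > '9') return 0;
    unsigned long v = 0;
    while (*pos < len && buf[*pos] >= '0' && buf[*pos] <= '9') {
        v = v * 10 + (unsigned)(buf[*pos] - '0');
        if (v > MAX_DIM) return 0;          /* absurd dimension or maxval: reject */
        (*pos)++;
    }
    *out = (unsigned)v;
    return 1;
}

/* Returns 0 on success, -1 on a bad header or a raster shorter than w*h bytes. */
int load_pgm(const unsigned char *buf, size_t len, struct pgm *out) {
    size_t pos = 2;
    unsigned w, h, maxval;
    if (len < 2 || buf[0] != 'P' || buf[1] != '5') return -1;
    if (!read_uint(buf, len, &pos, &w) || !read_uint(buf, len, &pos, &h) ||
        !read_uint(buf, len, &pos, &maxval))
        return -1;
    if (w == 0 || h == 0 || maxval == 0 || maxval > 255) return -1;
    if (pos >= len) return -1;
    pos++;                                  /* single whitespace byte before the raster */
    size_t need = (size_t)w * (size_t)h;    /* cannot overflow: both <= MAX_DIM */
    if (len - pos < need) return -1;        /* truncated raster: refuse, don't read past it */
    out->w = w; out->h = h; out->pix = buf + pos;
    return 0;
}

/* Otsu's method over exactly w*h pixels; load_pgm guarantees that many bytes exist. */
int otsu_threshold(const struct pgm *im) {
    size_t hist[256] = {0};
    size_t n = (size_t)im->w * im->h;
    for (size_t i = 0; i < n; i++) hist[im->pix[i]]++;
    double sum = 0, sumB = 0, best = -1;
    size_t wB = 0;
    int thr = 0;
    for (int i = 0; i < 256; i++) sum += (double)i * (double)hist[i];
    for (int t = 0; t < 256; t++) {
        wB += hist[t];
        if (wB == 0) continue;
        size_t wF = n - wB;
        if (wF == 0) break;
        sumB += (double)t * (double)hist[t];
        double mB = sumB / (double)wB, mF = (sum - sumB) / (double)wF;
        double var = (double)wB * (double)wF * (mB - mF) * (mB - mF);
        if (var > best) { best = var; thr = t; }
    }
    return thr;
}

/* Constructed sample: 20x10 image, left half value 50, right half value 200.
   With truncate != 0 only 150 of the 200 declared raster bytes are supplied. */
static unsigned char sample[64 + 200];
static size_t build_sample(int truncate) {
    int n = snprintf((char *)sample, sizeof sample, "P5\n20 10\n255\n");
    for (int y = 0; y < 10; y++)
        for (int x = 0; x < 20; x++)
            sample[n + y * 20 + x] = (unsigned char)(x < 10 ? 50 : 200);
    return (size_t)n + (truncate ? 150 : 200);
}

int demo_threshold(void) {               /* well-formed file: returns the Otsu threshold */
    struct pgm im;
    size_t len = build_sample(0);
    if (load_pgm(sample, len, &im) != 0) return -1;
    return otsu_threshold(&im);
}

int demo_truncated(void) {               /* truncated file: returns load_pgm's -1 */
    struct pgm im;
    size_t len = build_sample(1);
    return load_pgm(sample, len, &im);
}

int main(void) {
    printf("threshold on complete image: %d\n", demo_threshold());
    printf("load of truncated image:     %d\n", demo_truncated());
    return 0;
}
```

The check that matters is the single comparison of `len - pos` against `w * h` before any pixel pass runs; with it, a header that promises more pixels than the file carries is an input error rather than a one-byte (or larger) out-of-bounds read in every downstream stage that trusts the dimensions.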
poc
Description: Binary data