Bug#914454: Stacktrace of invalid memory write crash in canon_rmf_load_raw()

2018-12-04 Thread Jaeseung Choi
Thank you for the information and sorry for the delay.

With your instruction, I could get the following stacktrace.

-
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xf4bc in canon_rmf_load_raw () at dcraw.c:1999
1999    dcraw.c: No such file or directory.
(gdb) where
#0  0xf4bc in canon_rmf_load_raw () at dcraw.c:1999
#1  0xb1bc in main (argc=2, argv=0x7fffe568) at dcraw.c:10150
(gdb) x/i $rip
=> 0xf4bc : mov    %si,(%r8,%rdx,2)
-


Sincerely,

Jason Choi.


Bug#914453: Stacktrace of stack-buffer-overflow in quicktake_100_load_raw()

2018-12-04 Thread Jaeseung Choi
Thank you for the information and sorry for the delay.

With your instruction, I could get the following stacktrace.

-
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xdd08 in quicktake_100_load_raw () at dcraw.c:2145
2145    dcraw.c: No such file or directory.
(gdb) where
#0  0xdd08 in quicktake_100_load_raw () at dcraw.c:2145
#1  0x in ?? ()
(gdb) x/i $rip
=> 0xdd08 : mov    %al,(%r15)
-


Sincerely,

Jason Choi.


Bug#914447: Stacktrace of invalid memory write crash in kodak_radc_load_raw()

2018-12-04 Thread Jaeseung Choi
Thank you for the information and sorry for the delay.

With your instruction, I could get the following stacktrace.

-
Program terminated with signal SIGBUS, Bus error.
#0  kodak_radc_load_raw () at dcraw.c:2240
2240    dcraw.c: No such file or directory.
(gdb) where
#0  kodak_radc_load_raw () at dcraw.c:2240
#1  0xb1bc in main (argc=2, argv=0x7fffe568) at dcraw.c:10150
(gdb) x/i $rip
=> 0xe677 :   mov    %di,0x6f8(%rsp,%rdx,2)
-


Sincerely,

Jason Choi.


Bug#914459: dcraw-9.27-1 : dcparse : stack overflow due to infinite recursion in parse_mos()

2018-11-23 Thread Jaeseung Choi
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running the 'dcparse' program of the 'dcraw-9.27' package with the attached input
file raises a crash caused by a stack overflow in parse_mos().

First, below is the GDB log that shows the crash from the dcparse binary downloaded
with 'apt-get'.

jason@debian-amd64-stretch:~/dcparse-crashes$ ulimit -c unlimited
jason@debian-amd64-stretch:~/dcparse-crashes$ dcparse ./crash-0_00025607 >
/dev/null
Segmentation fault (core dumped)
jason@debian-amd64-stretch:~/dcparse-crashes$ gdb -q dcparse core
Reading symbols from dcparse...(no debugging symbols found)...done.
[New LWP 1372]
Core was generated by `dcparse ./crash-0_00025607'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x7753389b in __GI__IO_padn (fp=fp@entry=0x77865600
<_IO_2_1_stdout_>, pad=pad@entry=32, count=count@entry=47362) at iopadn.c:56
56  iopadn.c: No such file or directory.
(gdb) where
#0  0x7753389b in __GI__IO_padn (fp=fp@entry=0x77865600
<_IO_2_1_stdout_>, pad=pad@entry=32, count=count@entry=47362) at iopadn.c:56
#1  0x77512e3b in _IO_vfprintf_internal (s=0x77865600
<_IO_2_1_stdout_>, format=, ap=ap@entry=0x7f80af08) at
vfprintf.c:1637
#2  0x775c1c0f in ___printf_chk (flag=1, format=) at
printf_chk.c:35
#3  0x62f6 in ?? ()
#4  0x64a6 in ?? ()
#5  0x64a6 in ?? ()
#6  0x64a6 in ?? ()
-

Since the downloaded binary did not have any symbol information, we
downloaded its code and compiled it with AddressSanitizer.
AddressSanitizer reported a stack overflow in parse_mos(), as below.
-
=
==16203==ERROR: AddressSanitizer: stack-overflow on address 0x7f7feff8
(pc 0x76ce4bfa bp 0x6211cd00 sp 0x7f7ff000 T0)
#0 0x76ce4bf9 in _IO_file_write
/build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:1263
#1 0x76ce6408 in new_do_write
/build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:518
#2 0x76ce6408 in _IO_do_write
/build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:494
#3 0x76ce547c in _IO_file_xsputn
/build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:1331
#4 0x76cdafbd in _IO_padn
/build/glibc-Cl5G7W/glibc-2.23/libio/iopadn.c:56
#5 0x76cbab1b in _IO_vfprintf
/build/glibc-Cl5G7W/glibc-2.23/stdio-common/vfprintf.c:1632
#6 0x460f07 in __interceptor_vprintf
(/home/jason/Chatkey/replay_box/dcparse+0x460f07)
#7 0x460fd7 in printf (/home/jason/Chatkey/replay_box/dcparse+0x460fd7)
#8 0x4ef0be in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:670:5
#9 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#10 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#11 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#12 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#13 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#14 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#15 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#16 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#17 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#18 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#19 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
#20 0x4ef377 in parse_mos
/home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
   ...
   ...
  ...
SUMMARY: AddressSanitizer: stack-overflow
/build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:1263 in _IO_file_write
==16203==ABORTING
-


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default
locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc62.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded


crash-0_00025607
Description: Binary data


Bug#914454: dcraw-9.27-1 : invalid memory write crash in canon_rmf_load_raw()

2018-11-23 Thread Jaeseung Choi
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw-9.27 with the attached input file raises a crash caused by an
invalid memory write in canon_rmf_load_raw().

First, below is the GDB log that shows the crash from the dcraw-9.27 binary
downloaded with 'apt-get'.


jason@debian-amd64-stretch:~/dcraw-crashes$ gdb -q dcraw
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run crash-30_00070116
Starting program: /usr/bin/dcraw crash-30_00070116
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xf4bc in ?? ()
(gdb) x/i $rip
=> 0xf4bc:  mov    %si,(%r8,%rdx,2)
(gdb) info reg r8 rdx rsi
r8     0x7ffe7d583010   140731001352208
rdx    0xbccf917a   -1127247494
rsi    0x   65535

-

Since the downloaded binary did not have any symbol information, we
downloaded its code and compiled it with AddressSanitizer.
While AddressSanitizer failed to identify the root cause of the bug, it
reported an invalid memory access error in canon_rmf_load_raw(), as below.
-

ASAN:DEADLYSIGNAL
=
==5095==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffdf45e5af4 (pc
0x00513322 bp 0x7fffda90 sp 0x7fffda20 T0)
#0 0x513321 in canon_rmf_load_raw
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:1999:17
#1 0x5bc6e6 in main
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:10150:10
#2 0x76a3582f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x4196c8 in _start (/home/jason/Chatkey/replay_box/dcraw+0x4196c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:1999:17 in
canon_rmf_load_raw
==5095==ABORTING
-


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default
locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc62.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded


crash-30_00070116
Description: Binary data


Bug#914453: dcraw-9.27-1 : stack-buffer-overflow in quicktake_100_load_raw()

2018-11-23 Thread Jaeseung Choi
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw-9.27 with the attached input file raises a crash caused by
stack-buffer-overflow in quicktake_100_load_raw().

First, below is the GDB log that shows the crash from the dcraw-9.27 binary
downloaded with 'apt-get'.

jason@debian-amd64-stretch:~/dcraw-crashes$ gdb -q dcraw
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run crash-2_0011
Starting program: /usr/bin/dcraw crash-2_0011
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
crash-2_0011: Unexpected end of file

Program received signal SIGSEGV, Segmentation fault.
0xdd08 in ?? ()
(gdb) x/i $rip
=> 0xdd08:  mov    %al,(%r15)
(gdb) info reg r15
r15    0x7000   140737488351232
-

Since the downloaded binary did not have any symbol information, we
downloaded its source code and compiled it with AddressSanitizer.
AddressSanitizer reported a stack-based buffer overflow in
quicktake_100_load_raw(), as below.
-
=
==5011==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffd931 at pc 0x00516332 bp 0x7ffb1410 sp 0x7ffb1408
WRITE of size 1 at 0x7fffd931 thread T0
#0 0x516331 in quicktake_100_load_raw
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2145:23
#1 0x5bc6e6 in main
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:10150:10
#2 0x76a3582f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x4196c8 in _start (/home/jason/Chatkey/replay_box/dcraw+0x4196c8)

Address 0x7fffd931 is located in stack of thread T0 at offset 311729 in
frame
#0 0x515d9f in quicktake_100_load_raw
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2116

  This frame has 1 object(s):
[32, 311728) 'pixel' <== Memory access at offset 311729 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2145:23 in
quicktake_100_load_raw
==5011==ABORTING

-


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default
locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc62.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded


crash-2_0011
Description: Binary data


Bug#914447: dcraw-9.27-1 : invalid memory write crash in kodak_radc_load_raw()

2018-11-23 Thread Jaeseung Choi
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw-9.27 with the attached input file raises a crash caused by an
invalid memory write in kodak_radc_load_raw().

First, below is the GDB log that shows the crash from the dcraw-9.27 binary
downloaded with 'apt-get'.

jason@debian-amd64-stretch:~/dcraw-crashes$ gdb -q dcraw
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run ./crash-1_0009
Starting program: /usr/bin/dcraw ./crash-1_0009
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
./crash-1_0009: Unexpected end of file

Program received signal SIGBUS, Bus error.
0xe677 in ?? ()
(gdb) x/i $rip
=> 0xe677:  mov    %di,0x6f8(%rsp,%rdx,2)
(gdb) info reg rsp rdx
rsp    0x7fffa120   0x7fffa120
rdx    0x7fff   32767
-

Since the downloaded binary did not have any symbol information, we
downloaded its code and compiled it with AddressSanitizer.
While AddressSanitizer failed to identify the root cause of the bug, it
reported an invalid memory access error in kodak_radc_load_raw(), as below.
-
==4934==ERROR: AddressSanitizer: SEGV on unknown address 0x10007fff97ec (pc
0x0051920b bp 0x7fffda90 sp 0x7fff9200 T0)
#0 0x51920a in kodak_radc_load_raw
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2240:42
#1 0x5bc6e6 in main
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:10150:10
#2 0x76a3582f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x4196c8 in _start (/home/jason/Chatkey/replay_box/dcraw+0x4196c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2240:42 in
kodak_radc_load_raw
==4934==ABORTING
-


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default
locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc62.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded


crash-1_0009
Description: Binary data


Bug#907467: ufraw-batch: NULL dereference in ufraw_batch_messenger

2018-08-28 Thread Jaeseung Choi
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

Running ufraw-batch with the attached poc file raises a NULL dereference
crash in the ufraw_batch_messenger() function.

The following gdb log shows the program crashing with a segfault.

jason@debian-amd64-stretch:~/report/source-latest/ufraw$ gdb
./ufraw-llvm/ufraw-batch -q
Reading symbols from ./ufraw-llvm/ufraw-batch...done.
(gdb) run --overwrite poc-null
Starting program:
/home/jason/report/source-latest/ufraw/ufraw-llvm/ufraw-batch --overwrite
poc-null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) where
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x0041eee9 in ufraw_batch_messenger (message=0x0) at
ufraw_message.c:126
#2  0x0041f0b3 in ufraw_message (code=1, format=) at
ufraw_message.c:190
#3  0x00409f93 in ufraw_load_raw (uf=0x80ec60) at ufraw_ufraw.c:668
#4  0x004090d4 in main (argc=, argv=)
at ufraw-batch.c:85
(gdb) x/i $rip
=> 0x75683676 :  movdqu (%rax),%xmm4
(gdb) info reg rax
rax    0x0  0


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0   1.0.6-8.1
ii  libc62.24-11+deb9u3
ii  libexiv2-14  0.25-3.1
ii  libgcc1  1:6.3.0-18+deb9u1
ii  libglib2.0-0 2.50.3-2
ii  libgomp1 6.3.0-18+deb9u1
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4
ii  liblensfun1  0.3.2-3
ii  libpng16-16  1.6.28-1
ii  libstdc++6   6.3.0-18+deb9u1
ii  libtiff5 4.0.8-2+deb9u2
ii  zlib1g   1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  

-- no debconf information


poc_null
Description: Binary data


Bug#907464: x264: NULL dereference crash

2018-08-28 Thread Jaeseung Choi
Package: x264
Version: 2:0.148.2748+git97eaef2-1
Severity: normal

Dear Maintainer,

Running x264 with the attached poc file raises a NULL dereference crash.

The following gdb log shows the program crashing with a segfault.

jason@debian-amd64-stretch:~/report/debian-latest/x264$ gdb x264 -q
Reading symbols from x264...(no debugging symbols found)...done.
(gdb) run -o output.264 poc_null
Starting program: /usr/bin/x264 -o output.264 poc_null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x76abad0b in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
(gdb) x/i $rip
=> 0x76abad0b:  mov    (%rdx,%rax,8),%rdx
(gdb) info reg rax rdx
rax    0x0  0
rdx    0x0  0
(gdb) where
#0  0x76abad0b in ?? () from
/usr/lib/x86_64-linux-gnu/libavformat.so.57
#1  0x76b3e2fd in ?? () from
/usr/lib/x86_64-linux-gnu/libavformat.so.57
#2  0x76b3f020 in ?? () from
/usr/lib/x86_64-linux-gnu/libavformat.so.57
#3  0x76b40101 in av_read_frame () from
/usr/lib/x86_64-linux-gnu/libavformat.so.57
#4  0x76dfe74f in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#5  0x76df8a19 in FFMS_DoIndexing2 () from
/usr/lib/x86_64-linux-gnu/libffms2.so.4
#6  0x5556b58c in ?? ()
#7  0xc93d in ?? ()
#8  0x7462d2e1 in __libc_start_main (main=0xa030, argc=4,
argv=0x7fffe618, init=, fini=,
rtld_fini=, stack_end=0x7fffe608)
at ../csu/libc-start.c:291
#9  0xcb3a in ?? ()

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages x264 depends on:
ii  libavcodec57   7:3.2.10-1~deb9u1
ii  libavformat57  7:3.2.10-1~deb9u1
ii  libavutil557:3.2.10-1~deb9u1
ii  libc6  2.24-11+deb9u3
ii  libffms2-4 2.23-1
ii  libgpac4   0.5.2-426-gc5ad4e4+dfsg5-3+b1
ii  libswscale47:3.2.10-1~deb9u1
ii  libx264-1482:0.148.2748+git97eaef2-1
ii  zlib1g 1:1.2.8.dfsg-5

x264 recommends no packages.

x264 suggests no packages.

-- no debconf information


poc_null
Description: Binary data


Bug#906743: fig2dev: Invalid memory read crash while running with '-L pdf' option

2018-08-20 Thread Jaeseung Choi
Package: fig2dev
Version: 1:3.2.6a-2+deb9u1
Severity: normal

Dear Maintainer,

Running fig2dev with the '-L pdf' option on the attached test input raises a
segmentation fault while attempting to read an invalid memory address.
Judging from the stack trace, this bug seems similar to the previous bug
#890016, but this test input also crashes the latest upstream version
(3.2.7a) of fig2dev, where #890016 is supposed to be fixed. The bug fix
could have been incomplete, or this may be a distinct bug.

Below is the gdb log. I used the latest upstream version 3.2.7a here, but I
confirmed that the current stable version 3.2.6a is also affected.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev$ gdb
./fig2dev-3.2.7a-llvm/fig2dev/fig2dev -q
Reading symbols from ./fig2dev-3.2.7a-llvm/fig2dev/fig2dev...done.
(gdb) run -L pdf  poc-invalid
Starting program:
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-llvm/fig2dev/fig2dev
-L pdf  poc-invalid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
incomplete line object

Program received signal SIGSEGV, Segmentation fault.
free_linestorage (l=) at free.c:152
152 free.c: No such file or directory.
(gdb) x/i $rip
=> 0x4095c6 :  mov    0x8(%rax),%rdi
(gdb) info reg rax
rax    0x   3689348814741910323
(gdb) where
#0  free_linestorage (l=) at free.c:152
#1  0x00409bb0 in read_lineobject (fp=) at
read1_3.c:378
#2  0x00409927 in read_1_3_objects (fp=,
obj=) at read1_3.c:100
#3  0x0040ab95 in readfp_fig (fp=0x6a3f20, obj=0x7fffe3d0) at
read.c:174
#4  0x00408bac in main (argc=, argv=)
at fig2dev.c:424

For your information, running with Address Sanitizer failed to provide any
further useful information.

Thank you.


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-11+deb9u3
ii  libpng16-16  1.6.28-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information


poc-invalid
Description: Binary data


Bug#906740: fig2dev: global buffer overflow while running with '-L pdf' option

2018-08-20 Thread Jaeseung Choi
Package: fig2dev
Version: 1:3.2.6a-2+deb9u1
Severity: normal

Dear Maintainer,

Running fig2dev with the '-L pdf' option on the attached test input raises a
global buffer overflow error. Judging from the stack trace, this bug seems
similar to the previous bug #890015, but this test input also crashes the
latest upstream version (3.2.7a) of fig2dev, where #890015 is supposed to
be fixed. The bug fix could have been incomplete, or this may be a distinct
bug.

Below is the gdb log. I used the latest upstream version 3.2.7a here, but I
confirmed that the current stable version 3.2.6a is also affected.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev$ gdb -q
./fig2dev-3.2.7a/fig2dev/fig2dev
Reading symbols from ./fig2dev-3.2.7a/fig2dev/fig2dev...done.
(gdb) run -L pdf ./poc-bof
Starting program:
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a/fig2dev/fig2dev -L
pdf ./poc-bof
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
2966    malloc.c: No such file or directory.
(gdb) where
#0  __GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
#1  0x0040b156 in save_comment () at read.c:1487
#2  get_line (fp=) at read.c:1465
#3  0x0040ac08 in read_objects (fp=0x6a3f20, obj=)
at read.c:320
#4  readfp_fig (fp=0x6a3f20, obj=0x7fffe3c0) at read.c:172
#5  0x00408bac in main (argc=, argv=)
at fig2dev.c:424
(gdb) x/i $rip
=> 0x7736c524 <__GI___libc_free+20>:    mov    -0x8(%rdi),%rax
(gdb) info reg rdi
rdi    0x2323232323000a23   2531906049330383395

And running with Address Sanitizer gives the following result.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize$
./fig2dev/fig2dev -L pdf ../poc-bof
=
==31296==ERROR: AddressSanitizer: global-buffer-overflow on address
0x015f1ba0 at pc 0x0051dffb bp 0x7fffdde0 sp 0x7fffddd8
READ of size 8 at 0x015f1ba0 thread T0
#0 0x51dffa in save_comment
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9
#1 0x5112f3 in get_line
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1465:8
#2 0x510123 in read_objects
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:320:6
#3 0x50eda6 in readfp_fig
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:172:12
#4 0x50ebc2 in read_fig
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:142:13
#5 0x504baa in main
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev.c:424:12
#6 0x76ad12e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#7 0x41c629 in _start
(/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev+0x41c629)

0x015f1ba0 is located 0 bytes to the right of global variable
'comments' defined in 'read.c:83:14' (0x15f1880) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9
in save_comment

Thank you.


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-11+deb9u3
ii  libpng16-16  1.6.28-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information


poc-bof
Description: Binary data


Bug#906559: ufraw-batch: integer overflow in dcraw_load_raw()

2018-08-18 Thread Jaeseung Choi
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

An integer overflow bug that leads to a heap buffer overflow exists in
ufraw-batch.

According to our analysis, the bug exists within the dcraw_load_raw() function
(dcraw_api.cc:Line #236). If 'd->raw_height' and 'd->raw_width' are set to
certain values that make the result of the multiplication greater than INT_MAX,
the memory allocation size overflows and wraps around to a small
value. This results in a buffer overflow later in the
execution. The memory allocation in Line #238 may also be vulnerable, but it
has not been tested yet.

234     if (d->filters || d->colors == 1) {
235         if (d->colors == 1 || d->filters == 1 || d->filters > 1000)
236             d->raw_image = (ushort *) g_malloc((d->raw_height + 7)
                    * d->raw_width * 2);
237         else
238             d->raw_image = (ushort *)
                    g_malloc(sizeof(dcraw_image_type) * (d->raw_height + 7) * d->raw_width);

The segfault and ASan error report could be observed with the attached test
input as follows. However, unfortunately, the test input does not seem to
reliably reproduce the bug.
I suspect that the values of 'd->raw_height' and 'd->raw_width' may
have been read from uninitialized memory rather than from the content
of the test input.

jason@debian-amd64-stretch:~/report/debian-latest/ufraw-batch$ gdb -q
ufraw-batch
Reading symbols from ufraw-batch...(no debugging symbols found)...done.
(gdb) run --overwrite poc7
Starting program: /usr/bin/ufraw-batch --overwrite poc7
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x55625bc1 in ?? ()
(gdb) x/i $rip
=> 0x55625bc1:  mov    %ax,(%rdx)
(gdb) info reg rdx
rdx    0x74901000   140737296470016

jason@debian-amd64-stretch:~/report/source-latest/ufraw/ufraw-0.22$
./ufraw-batch --overwrite ../poc7
=
==15668==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x725d37f4 at pc 0x006042a6 bp 0x7ffdc3e0 sp 0x7ffdc3d8
READ of size 2 at 0x725d37f4 thread T0
#0 0x6042a5 in DCRaw::unpacked_load_raw()
/home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw.cc:1972:25
#1 0x592abc in dcraw_load_raw
/home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw_api.cc:249:9
#2 0x4f9b75 in ufraw_load_raw
/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw_ufraw.c:666:19
#3 0x4f59bf in main
/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch.c:85:13
#4 0x752172e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#5 0x422a79 in _start
(/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch+0x422a79)

0x725d37f4 is located 0 bytes to the right of 655348-byte region
[0x72533800,0x725d37f4)
allocated by thread T0 here:
#0 0x4c1038 in __interceptor_malloc
(/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch+0x4c1038)
#1 0x77463e08 in g_malloc
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4fe08)
#2 0x4f9b75 in ufraw_load_raw
/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw_ufraw.c:666:19
#3 0x4f59bf in main
/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch.c:85:13
#4 0x752172e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw.cc:1972:25 in
DCRaw::unpacked_load_raw()

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0   1.0.6-8.1
ii  libc62.24-11+deb9u3
ii  libexiv2-14  0.25-3.1
ii  libgcc1  1:6.3.0-18+deb9u1
ii  libglib2.0-0 2.50.3-2
ii  libgomp1 6.3.0-18+deb9u1
ii  

Bug#906532: x264: heap buffer overflow

2018-08-17 Thread Jaeseung Choi
Package: x264
Version: 2:0.148.2748+git97eaef2-1
Severity: normal

Dear Maintainer,

Running x264 with the attached poc file raises a heap buffer overflow.

The following gdb log shows the program resulting in a segfault.

jason@debian-amd64-stretch:~/report/debian-latest/x264$ gdb x264 -q
Reading symbols from x264...(no debugging symbols found)...done.
(gdb) run --crf 24 -o output.264 ./poc_ovf
Starting program: /usr/bin/x264 --crf 24 -o output.264 ./poc_ovf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffms [info]: 352x288p 12:11 @ 25/8839 fps (vfr)
x264 [info]: using SAR=12/11
x264 [info]: using cpu capabilities: MMX2 SSE2Fast SSSE3 SSE4.2 AVX FMA3
AVX2 LZCNT BMI2
x264 [info]: profile High, level 1.3

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:364
364 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such
file or directory.
(gdb) x/i $rip
=> 0x74735f50 <__memmove_avx_unaligned_erms+368>:   vmovdqu -0x20(%rsi,%rdx,1),%ymm5
(gdb) info reg rsi rdx
rsi  0x55d21ee0  93825000414944
rdx  0x160       352
(gdb) bt 10
#0  __memmove_avx_unaligned_erms () at
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:364
#1  0x555665b6 in ?? ()
#2  0x555666df in ?? ()
#3  0x5556840b in ?? ()
#4  0xb5b9 in ?? ()
#5  0x7462d2e1 in __libc_start_main (main=0xa030, argc=6,
argv=0x7fffe5f8, init=, fini=,
rtld_fini=,
stack_end=0x7fffe5e8) at ../csu/libc-start.c:291
#6  0xcb3a in ?? ()

When we compiled the source with AddressSanitizer, the program reported a
heap-buffer-overflow error in the x264_cli_plane_copy() function as follows.

jason@debian-amd64-stretch:~/report/source-latest/x264$ ./x264-0.148/x264
--crf 24 -o output.264 poc_ovf
ffms [info]: 352x288p 12:11 @ 25/8839 fps (vfr)
x264 [info]: using SAR=12/11
x264 [info]: using cpu capabilities: none!
x264 [info]: profile High, level 1.3
=
==6186==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62c07a2f at pc 0x004aac55 bp 0x7fffcf90 sp 0x7fffc740
READ of size 352 at 0x62c07a2f thread T0
#0 0x4aac54 in __asan_memcpy
(/home/jason/report/source-latest/x264/x264-0.148/x264+0x4aac54)
#1 0x5174f9 in x264_cli_plane_copy
/home/jason/report/source-latest/x264/x264-0.148/filters/video/internal.c:33:9
#2 0x5174f9 in x264_cli_pic_copy
/home/jason/report/source-latest/x264/x264-0.148/filters/video/internal.c:55
#3 0x51cc46 in get_frame
/home/jason/report/source-latest/x264/x264-0.148/filters/video/fix_vfr_pts.c:100:13
#4 0x4f667d in encode
/home/jason/report/source-latest/x264/x264-0.148/x264.c:1921:13
#5 0x4f667d in main
/home/jason/report/source-latest/x264/x264-0.148/x264.c:382
#6 0x745b02e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#7 0x422969 in _start
(/home/jason/report/source-latest/x264/x264-0.148/x264+0x422969)

0x62c07a2f is located 0 bytes to the right of 30767-byte region
[0x62c00200,0x62c07a2f)
allocated by thread T0 here:
#0 0x4c18d0 in __interceptor_posix_memalign
(/home/jason/report/source-latest/x264/x264-0.148/x264+0x4c18d0)
#1 0x7552b93f in av_malloc
(/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x2b93f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/jason/report/source-latest/x264/x264-0.148/x264+0x4aac54) in
__asan_memcpy
Shadow bytes around the buggy address:

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages x264 depends on:
ii  libavcodec57   7:3.2.10-1~deb9u1
ii  libavformat57  7:3.2.10-1~deb9u1
ii  libavutil557:3.2.10-1~deb9u1
ii  libc6  2.24-11+deb9u3
ii  libffms2-4 2.23-1
ii  libgpac4   

Bug#906530: dcraw: NULL dereference bug

2018-08-17 Thread Jaeseung Choi
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw with the attached poc file raises a NULL dereference bug.

The following gdb log shows the program resulting in a segfault.

jason@debian-amd64-stretch:~/report/debian-latest/dcraw$ gdb dcraw -q
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run poc_null
Starting program: /usr/bin/dcraw poc_null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
poc_null: Unexpected end of file

Program received signal SIGSEGV, Segmentation fault.
0xd01c in ?? ()
(gdb) x/i $rip
=> 0xd01c:  mov    %r10w,(%r9,%rax,2)
(gdb) info reg r9 rax
r9   0x0  0
rax  0x0  0
(gdb) bt 5
#0  0xd01c in ?? ()
#1  0xb1bc in ?? ()
#2  0x7728f2e1 in __libc_start_main (main=0x9940, argc=2,
argv=0x7fffe638, init=, fini=,
rtld_fini=,
stack_end=0x7fffe628) at ../csu/libc-start.c:291
#3  0xb4da in ?? ()

When we compiled the source with AddressSanitizer, it reported a NULL
dereference bug in the nokia_load_raw() function as follows.

jason@debian-amd64-stretch:~/report/source-latest/dcraw$ ./dcraw-9.27/dcraw
poc_null
poc_null: Unexpected end of file
ASAN:DEADLYSIGNAL
=
==5981==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc
0x0051301a bp 0x7fffdc70 sp 0x7fffda40 T0)
#0 0x513019 in nokia_load_raw
/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:1972:28
#1 0x5bcf96 in main
/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:10150:10
#2 0x76a4f2e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#3 0x41c049 in _start
(/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw+0x41c049)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:1972:28 in
nokia_load_raw
==5981==ABORTING


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc62.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  
ii  netpbm   2:10.0-15.3+b2

-- no debconf information


poc_null
Description: Binary data


Bug#906529: dcraw: stack-based buffer overflow bug

2018-08-17 Thread Jaeseung Choi
Package: dcraw
Version: 9.27-1+b1
Severity: normal

A stack-based buffer overflow bug exists in dcraw.

Running the attached poc file raises a stack-based buffer overflow error,
which may allow a control flow hijack attack.

The following gdb log shows the program resulting in a segfault.

jason@debian-amd64-stretch:~/report/debian-latest/dcraw$ gdb dcraw -q
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run poc_ovf
Starting program: /usr/bin/dcraw poc_ovf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:137
137 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt 10
#0  strlen () at ../sysdeps/x86_64/strlen.S:137
#1  0x772dfa84 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x773d3305 "*** %s ***: %s terminated\n") at
../sysdeps/posix/libc_fatal.c:109
#2  0x773681f7 in __GI___fortify_fail (msg=msg@entry=0x773d32ed
"stack smashing detected") at fortify_fail.c:30
#3  0x773681c0 in __stack_chk_fail () at stack_chk_fail.c:28
#4  0x5557ea4e in ?? ()
#5  0x in ?? ()
#6  0x in ?? ()
#7  0x in ?? ()
#8  0x in ?? ()
#9  0x in ?? ()
(More stack frames follow...)

AddressSanitizer reports a stack-buffer-overflow error in the find_green()
function as follows.

jason@debian-amd64-stretch:~/report/source-latest/dcraw$ ./dcraw-9.27/dcraw
poc_ovf
=
==5868==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffc720 at pc 0x00595ece bp 0x7fffa6b0 sp 0x7fffa6a8
WRITE of size 2 at 0x7fffc720 thread T0
#0 0x595ecd in find_green
/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:8147:19
#1 0x59e77b in identify
/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:8716:5
#2 0x5b94f9 in main
/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:10007:15
#3 0x76a4f2e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#4 0x41c049 in _start
(/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw+0x41c049)

Address 0x7fffc720 is located in stack of thread T0 at offset 8288 in
frame
#0 0x595a6f in find_green
/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:8133

  This frame has 2 object(s):
[32, 8288) 'img' <== Memory access at offset 8288 overflows this
variable
[8544, 8560) 'sum'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:8147:19 in
find_green
Shadow bytes around the buggy address:

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc62.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  
ii  netpbm   2:10.0-15.3+b2

-- no debconf information


poc_ovf
Description: Binary data

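The AddressSanitizer reports in these bug mails all share one shape, and e-mail wrapping pushes a frame's file:line onto its own line. As an added triage helper (not code from any of the reports or from dcraw, ufraw or x264), this parser extracts the bug kind, the access and the first in-source frame of the crash stack into a deduplication key; the sample reports, paths and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples in the shape of the mail-wrapped ASan reports above (made-up paths/addresses).
SAMPLE_HEAP = """\
==6186==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62c07a2f at pc 0x004aac55 bp 0x7fffcf90 sp 0x7fffc740
READ of size 352 at 0x62c07a2f thread T0
    #0 0x4aac54 in __asan_memcpy
(/src/x264-0.148/x264+0x4aac54)
    #1 0x5174f9 in x264_cli_plane_copy
/src/x264-0.148/filters/video/internal.c:33:9
0x62c07a2f is located 0 bytes to the right of 30767-byte region
    #0 0x4c18d0 in __interceptor_posix_memalign (/src/x264-0.148/x264+0x4c18d0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/x264-0.148/x264+0x4aac54) in __asan_memcpy
"""
SAMPLE_SEGV = """\
==5981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0051301a T0)
    #0 0x513019 in nokia_load_raw /src/dcraw-9.27/dcraw.c:1972:28
"""
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (?P<func>\S+)(?: (?P<loc>\S+))?$")
SRC_LOC_RE = re.compile(r"^[^()\s]+:\d+(?::\d+)?$")  # file:line[:col], not (module+offset)

@dataclass(frozen=True)
class Triage:
    kind: str       # heap-buffer-overflow, stack-buffer-overflow, SEGV, ...
    access: str     # READ / WRITE, or "" when ASan prints no access line (SEGV)
    size: int       # access size in bytes, 0 when absent
    func: str       # first frame with source info (skips __asan_*/__interceptor_* frames)
    file_line: str  # file:line with the column dropped, so one bug yields one key

def parse_asan_report(text: str) -> Optional[Triage]:
    """Triage the crash stack only; stop before the 'located'/'allocated by' stacks."""
    kind, access, size, frames = "", "", 0, []
    lines = [ln.strip() for ln in text.splitlines()] + [""]  # sentinel for look-ahead
    for i, ln in enumerate(lines):
        if m := ERROR_RE.search(ln):
            kind = m["kind"]
        elif m := ACCESS_RE.match(ln):
            access, size = m["op"], int(m["size"])
        elif m := FRAME_RE.match(ln):
            loc = m["loc"] or lines[i + 1]  # mail wrapping pushes file:line to the next line
            frames.append((m["func"], loc if SRC_LOC_RE.match(loc) else ""))
        elif frames and ("located" in ln or ln.startswith("SUMMARY")):
            break
    hits = [Triage(kind, access, size, f, ":".join(l.split(":")[:2])) for f, l in frames if l]
    return hits[0] if hits else None
```

Feeding each report through parse_asan_report() and grouping on the resulting Triage value collapses repeated crashes at the same site into one bug, which is the usual first step before reporting fuzzer findings like these.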

Bug#889272: : CVE-2018-6612

2018-02-18 Thread Jaeseung Choi
For your information, this bug was assigned CVE-2018-6612.

Thank you for the fix.


Bug#878739: : CVE-2017-18120

2018-02-18 Thread Jaeseung Choi
For your information, this bug was assigned CVE-2017-18120.

Thank you for the fix.