Bug#914454: Stacktrace of invalid memory write crash in canon_rmf_load_raw()
Thank you for the information and sorry for the delay. With your instruction, I could get the following stacktrace.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xf4bc in canon_rmf_load_raw () at dcraw.c:1999
1999    dcraw.c: No such file or directory.
(gdb) where
#0  0xf4bc in canon_rmf_load_raw () at dcraw.c:1999
#1  0xb1bc in main (argc=2, argv=0x7fffe568) at dcraw.c:10150
(gdb) x/i $rip
=> 0xf4bc :     mov    %si,(%r8,%rdx,2)

Sincerely,
Jason Choi.
Bug#914453: Stacktrace of stack-buffer-overflow in quicktake_100_load_raw()
Thank you for the information and sorry for the delay. With your instruction, I could get the following stacktrace.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xdd08 in quicktake_100_load_raw () at dcraw.c:2145
2145    dcraw.c: No such file or directory.
(gdb) where
#0  0xdd08 in quicktake_100_load_raw () at dcraw.c:2145
#1  0x in ?? ()
(gdb) x/i $rip
=> 0xdd08 :     mov    %al,(%r15)

Sincerely,
Jason Choi.
Bug#914447: Stacktrace of invalid memory write crash in kodak_radc_load_raw()
Thank you for the information and sorry for the delay. With your instruction, I could get the following stacktrace.

Program terminated with signal SIGBUS, Bus error.
#0  kodak_radc_load_raw () at dcraw.c:2240
2240    dcraw.c: No such file or directory.
(gdb) where
#0  kodak_radc_load_raw () at dcraw.c:2240
#1  0xb1bc in main (argc=2, argv=0x7fffe568) at dcraw.c:10150
(gdb) x/i $rip
=> 0xe677 :     mov    %di,0x6f8(%rsp,%rdx,2)

Sincerely,
Jason Choi.
Bug#914459: dcraw-9.27-1 : dcparse : stack overflow due to infinite recursion in parse_mos()
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running the 'dcparse' program of the 'dcraw-9.27' package with the attached input file raises a crash caused by a stack overflow in parse_mos().

First, below is the GDB log that shows the crash from the dcparse binary downloaded with 'apt-get'.

jason@debian-amd64-stretch:~/dcparse-crashes$ ulimit -c unlimited
jason@debian-amd64-stretch:~/dcparse-crashes$ dcparse ./crash-0_00025607 > /dev/null
Segmentation fault (core dumped)
jason@debian-amd64-stretch:~/dcparse-crashes$ gdb -q dcparse core
Reading symbols from dcparse...(no debugging symbols found)...done.
[New LWP 1372]
Core was generated by `dcparse ./crash-0_00025607'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x7753389b in __GI__IO_padn (fp=fp@entry=0x77865600 <_IO_2_1_stdout_>, pad=pad@entry=32, count=count@entry=47362) at iopadn.c:56
56      iopadn.c: No such file or directory.
(gdb) where
#0  0x7753389b in __GI__IO_padn (fp=fp@entry=0x77865600 <_IO_2_1_stdout_>, pad=pad@entry=32, count=count@entry=47362) at iopadn.c:56
#1  0x77512e3b in _IO_vfprintf_internal (s=0x77865600 <_IO_2_1_stdout_>, format=, ap=ap@entry=0x7f80af08) at vfprintf.c:1637
#2  0x775c1c0f in ___printf_chk (flag=1, format=) at printf_chk.c:35
#3  0x62f6 in ?? ()
#4  0x64a6 in ?? ()
#5  0x64a6 in ?? ()
#6  0x64a6 in ?? ()

Since the downloaded binary did not have any symbol information, we downloaded its code and compiled it with AddressSanitizer. AddressSanitizer reported a stack overflow in parse_mos(), as below.

=================================================================
==16203==ERROR: AddressSanitizer: stack-overflow on address 0x7f7feff8 (pc 0x76ce4bfa bp 0x6211cd00 sp 0x7f7ff000 T0)
    #0 0x76ce4bf9 in _IO_file_write /build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:1263
    #1 0x76ce6408 in new_do_write /build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:518
    #2 0x76ce6408 in _IO_do_write /build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:494
    #3 0x76ce547c in _IO_file_xsputn /build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:1331
    #4 0x76cdafbd in _IO_padn /build/glibc-Cl5G7W/glibc-2.23/libio/iopadn.c:56
    #5 0x76cbab1b in _IO_vfprintf /build/glibc-Cl5G7W/glibc-2.23/stdio-common/vfprintf.c:1632
    #6 0x460f07 in __interceptor_vprintf (/home/jason/Chatkey/replay_box/dcparse+0x460f07)
    #7 0x460fd7 in printf (/home/jason/Chatkey/replay_box/dcparse+0x460fd7)
    #8 0x4ef0be in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:670:5
    #9 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #10 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #11 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #12 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #13 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #14 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #15 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #16 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #17 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #18 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #19 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    #20 0x4ef377 in parse_mos /home/jason/packages-sanitize/dcraw-9.27/parse.c:690:5
    ...
    ...
    ...

SUMMARY: AddressSanitizer: stack-overflow /build/glibc-Cl5G7W/glibc-2.23/libio/fileops.c:1263 in _IO_file_write
==16203==ABORTING

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc6            2.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded

Attachment crash-0_00025607: Binary data
Bug#914454: dcraw-9.27-1 : invalid memory write crash in canon_rmf_load_raw()
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw-9.27 with the attached input file raises a crash caused by an invalid memory write in canon_rmf_load_raw().

First, below is the GDB log that shows the crash from the dcraw-9.27 binary downloaded with 'apt-get'.

jason@debian-amd64-stretch:~/dcraw-crashes$ gdb -q dcraw
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run crash-30_00070116
Starting program: /usr/bin/dcraw crash-30_00070116
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xf4bc in ?? ()
(gdb) x/i $rip
=> 0xf4bc:      mov    %si,(%r8,%rdx,2)
(gdb) info reg r8 rdx rsi
r8             0x7ffe7d583010      140731001352208
rdx            0xbccf917a          -1127247494
rsi            0x                  65535

Since the downloaded binary did not have any symbol information, we downloaded its code and compiled it with AddressSanitizer. While AddressSanitizer failed to identify the root cause of the bug, it reported an invalid memory access error in canon_rmf_load_raw(), as below.

ASAN:DEADLYSIGNAL
=================================================================
==5095==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffdf45e5af4 (pc 0x00513322 bp 0x7fffda90 sp 0x7fffda20 T0)
    #0 0x513321 in canon_rmf_load_raw /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:1999:17
    #1 0x5bc6e6 in main /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:10150:10
    #2 0x76a3582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x4196c8 in _start (/home/jason/Chatkey/replay_box/dcraw+0x4196c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:1999:17 in canon_rmf_load_raw
==5095==ABORTING

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc6            2.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded

Attachment crash-30_00070116: Binary data
Bug#914453: dcraw-9.27-1 : stack-buffer-overflow in quicktake_100_load_raw()
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw-9.27 with the attached input file raises a crash caused by a stack-buffer-overflow in quicktake_100_load_raw().

First, below is the GDB log that shows a crash from the dcraw-9.27 binary downloaded with 'apt-get'.

jason@debian-amd64-stretch:~/dcraw-crashes$ gdb -q dcraw
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run crash-2_0011
Starting program: /usr/bin/dcraw crash-2_0011
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
crash-2_0011: Unexpected end of file

Program received signal SIGSEGV, Segmentation fault.
0xdd08 in ?? ()
(gdb) x/i $rip
=> 0xdd08:      mov    %al,(%r15)
(gdb) info reg r15
r15            0x7000              140737488351232

Since the downloaded binary did not have any symbol information, we downloaded its source code and compiled it with AddressSanitizer. AddressSanitizer reported a stack-based buffer overflow in quicktake_100_load_raw(), as below.

=================================================================
==5011==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd931 at pc 0x00516332 bp 0x7ffb1410 sp 0x7ffb1408
WRITE of size 1 at 0x7fffd931 thread T0
    #0 0x516331 in quicktake_100_load_raw /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2145:23
    #1 0x5bc6e6 in main /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:10150:10
    #2 0x76a3582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x4196c8 in _start (/home/jason/Chatkey/replay_box/dcraw+0x4196c8)

Address 0x7fffd931 is located in stack of thread T0 at offset 311729 in frame
    #0 0x515d9f in quicktake_100_load_raw /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2116

  This frame has 1 object(s):
    [32, 311728) 'pixel' <== Memory access at offset 311729 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2145:23 in quicktake_100_load_raw
==5011==ABORTING

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc6            2.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded

Attachment crash-2_0011: Binary data
Bug#914447: dcraw-9.27-1 : invalid memory write crash in kodak_radc_load_raw()
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw-9.27 with the attached input file raises a crash caused by an invalid memory write in kodak_radc_load_raw().

First, below is the GDB log that shows the crash from the dcraw-9.27 binary downloaded with 'apt-get'.

jason@debian-amd64-stretch:~/dcraw-crashes$ gdb -q dcraw
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run ./crash-1_0009
Starting program: /usr/bin/dcraw ./crash-1_0009
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
./crash-1_0009: Unexpected end of file

Program received signal SIGBUS, Bus error.
0xe677 in ?? ()
(gdb) x/i $rip
=> 0xe677:      mov    %di,0x6f8(%rsp,%rdx,2)
(gdb) info reg rsp rdx
rsp            0x7fffa120          0x7fffa120
rdx            0x7fff              32767

Since the downloaded binary did not have any symbol information, we downloaded its code and compiled it with AddressSanitizer. While AddressSanitizer failed to identify the root cause of the bug, it reported an invalid memory access error in kodak_radc_load_raw(), as below.

==4934==ERROR: AddressSanitizer: SEGV on unknown address 0x10007fff97ec (pc 0x0051920b bp 0x7fffda90 sp 0x7fff9200 T0)
    #0 0x51920a in kodak_radc_load_raw /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2240:42
    #1 0x5bc6e6 in main /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:10150:10
    #2 0x76a3582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x4196c8 in _start (/home/jason/Chatkey/replay_box/dcraw+0x4196c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jason/packages-sanitize/dcraw-9.27/dcraw.c:2240:42 in kodak_radc_load_raw
==4934==ABORTING

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_US:en (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc6            2.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2
ii  netpbm   2:10.0-15.3+b2

-- debconf information excluded

Attachment crash-1_0009: Binary data
Bug#907467: ufraw-batch: NULL dereference in ufraw_batch_messenger
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

Running ufraw-batch with the attached poc file raises a NULL dereference crash in the ufraw_batch_messenger() function. The following gdb log shows the program crashing with a segfault.

jason@debian-amd64-stretch:~/report/source-latest/ufraw$ gdb ./ufraw-llvm/ufraw-batch -q
Reading symbols from ./ufraw-llvm/ufraw-batch...done.
(gdb) run --overwrite poc-null
Starting program: /home/jason/report/source-latest/ufraw/ufraw-llvm/ufraw-batch --overwrite poc-null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) where
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x0041eee9 in ufraw_batch_messenger (message=0x0) at ufraw_message.c:126
#2  0x0041f0b3 in ufraw_message (code=1, format=) at ufraw_message.c:190
#3  0x00409f93 in ufraw_load_raw (uf=0x80ec60) at ufraw_ufraw.c:668
#4  0x004090d4 in main (argc=, argv=) at ufraw-batch.c:85
(gdb) x/i $rip
=> 0x75683676 :     movdqu (%rax),%xmm4
(gdb) info reg rax
rax            0x0                 0

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u3
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18+deb9u1
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18+deb9u1
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18+deb9u1
ii  libtiff5         4.0.8-2+deb9u2
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw

-- no debconf information

Attachment poc_null: Binary data
Bug#907464: x264: NULL dereference crash
Package: x264
Version: 2:0.148.2748+git97eaef2-1
Severity: normal

Dear Maintainer,

Running x264 with the attached poc file raises a NULL dereference crash. The following gdb log shows the program resulting in a segfault.

jason@debian-amd64-stretch:~/report/debian-latest/x264$ gdb x264 -q
Reading symbols from x264...(no debugging symbols found)...done.
(gdb) run -o output.264 poc_null
Starting program: /usr/bin/x264 -o output.264 poc_null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x76abad0b in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
(gdb) x/i $rip
=> 0x76abad0b:  mov    (%rdx,%rax,8),%rdx
(gdb) info reg rax rdx
rax            0x0                 0
rdx            0x0                 0
(gdb) where
#0  0x76abad0b in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#1  0x76b3e2fd in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#2  0x76b3f020 in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#3  0x76b40101 in av_read_frame () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#4  0x76dfe74f in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#5  0x76df8a19 in FFMS_DoIndexing2 () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#6  0x5556b58c in ?? ()
#7  0xc93d in ?? ()
#8  0x7462d2e1 in __libc_start_main (main=0xa030, argc=4, argv=0x7fffe618, init=, fini=, rtld_fini=, stack_end=0x7fffe608) at ../csu/libc-start.c:291
#9  0xcb3a in ?? ()

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages x264 depends on:
ii  libavcodec57   7:3.2.10-1~deb9u1
ii  libavformat57  7:3.2.10-1~deb9u1
ii  libavutil55    7:3.2.10-1~deb9u1
ii  libc6          2.24-11+deb9u3
ii  libffms2-4     2.23-1
ii  libgpac4       0.5.2-426-gc5ad4e4+dfsg5-3+b1
ii  libswscale4    7:3.2.10-1~deb9u1
ii  libx264-148    2:0.148.2748+git97eaef2-1
ii  zlib1g         1:1.2.8.dfsg-5

x264 recommends no packages.

x264 suggests no packages.

-- no debconf information

Attachment poc_null: Binary data
Bug#906743: fig2dev: Invalid memory read crash while running with '-L pdf' option
Package: fig2dev
Version: 1:3.2.6a-2+deb9u1
Severity: normal

Dear Maintainer,

Running the attached test input with fig2dev with the '-L pdf' option raises a segmentation fault error while attempting to read an invalid memory address. Judging from the stack trace, this bug seems similar to previous bug #890016, but this test input also crashes the latest upstream version (3.2.7a) of fig2dev, where #890016 is supposed to be fixed. The bug fix could have been incomplete, or this may be a distinct bug.

Below is the gdb log. I used the latest upstream version 3.2.7a here, but I confirmed that the current stable version 3.2.6a is also affected.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev$ gdb ./fig2dev-3.2.7a-llvm/fig2dev/fig2dev -q
Reading symbols from ./fig2dev-3.2.7a-llvm/fig2dev/fig2dev...done.
(gdb) run -L pdf poc-invalid
Starting program: /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-llvm/fig2dev/fig2dev -L pdf poc-invalid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
incomplete line object

Program received signal SIGSEGV, Segmentation fault.
free_linestorage (l=) at free.c:152
152     free.c: No such file or directory.
(gdb) x/i $rip
=> 0x4095c6 :   mov    0x8(%rax),%rdi
(gdb) info reg rax
rax            0x                  3689348814741910323
(gdb) where
#0  free_linestorage (l=) at free.c:152
#1  0x00409bb0 in read_lineobject (fp=) at read1_3.c:378
#2  0x00409927 in read_1_3_objects (fp=, obj=) at read1_3.c:100
#3  0x0040ab95 in readfp_fig (fp=0x6a3f20, obj=0x7fffe3d0) at read.c:174
#4  0x00408bac in main (argc=, argv=) at fig2dev.c:424

For your information, running with Address Sanitizer failed to provide any further useful information.

Thank you.

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u3
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig

-- no debconf information

Attachment poc-invalid: Binary data
Bug#906740: fig2dev: global buffer overflow while running with '-L pdf' option
Package: fig2dev
Version: 1:3.2.6a-2+deb9u1
Severity: normal

Dear Maintainer,

Running the attached test input with fig2dev with the '-L pdf' option raises a global buffer overflow error. Judging from the stack trace, this bug seems similar to previous bug #890015, but this test input also crashes the latest upstream version (3.2.7a) of fig2dev, where #890015 is supposed to be fixed. The bug fix could have been incomplete, or this may be a distinct bug.

Below is the gdb log. I used the latest upstream version 3.2.7a here, but I confirmed that the current stable version 3.2.6a is also affected.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev$ gdb -q ./fig2dev-3.2.7a/fig2dev/fig2dev
Reading symbols from ./fig2dev-3.2.7a/fig2dev/fig2dev...done.
(gdb) run -L pdf ./poc-bof
Starting program: /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a/fig2dev/fig2dev -L pdf ./poc-bof
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
2966    malloc.c: No such file or directory.
(gdb) where
#0  __GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
#1  0x0040b156 in save_comment () at read.c:1487
#2  get_line (fp=) at read.c:1465
#3  0x0040ac08 in read_objects (fp=0x6a3f20, obj=) at read.c:320
#4  readfp_fig (fp=0x6a3f20, obj=0x7fffe3c0) at read.c:172
#5  0x00408bac in main (argc=, argv=) at fig2dev.c:424
(gdb) x/i $rip
=> 0x7736c524 <__GI___libc_free+20>:    mov    -0x8(%rdi),%rax
(gdb) info reg rdi
rdi            0x2323232323000a23  2531906049330383395

And running with Address Sanitizer gives the following result.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize$ ./fig2dev/fig2dev -L pdf ../poc-bof
=================================================================
==31296==ERROR: AddressSanitizer: global-buffer-overflow on address 0x015f1ba0 at pc 0x0051dffb bp 0x7fffdde0 sp 0x7fffddd8
READ of size 8 at 0x015f1ba0 thread T0
    #0 0x51dffa in save_comment /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9
    #1 0x5112f3 in get_line /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1465:8
    #2 0x510123 in read_objects /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:320:6
    #3 0x50eda6 in readfp_fig /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:172:12
    #4 0x50ebc2 in read_fig /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:142:13
    #5 0x504baa in main /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev.c:424:12
    #6 0x76ad12e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x41c629 in _start (/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev+0x41c629)

0x015f1ba0 is located 0 bytes to the right of global variable 'comments' defined in 'read.c:83:14' (0x15f1880) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9 in save_comment

Thank you.

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u3
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig

-- no debconf information

Attachment poc-bof: Binary data
Bug#906559: ufraw-batch: integer overflow in dcraw_load_raw()
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

An integer overflow bug that leads to a heap buffer overflow exists in ufraw-batch. According to our analysis, the bug exists within the dcraw_load_raw() function (dcraw_api.cc:Line #236). If 'd->raw_height' and 'd->raw_width' are set to certain values that make the result of the multiplication greater than INT_MAX, the memory allocation size overflows and wraps around to a small value. This results in a buffer overflow in the later part of the execution. The memory allocation in Line #238 may also be vulnerable, but it has not been tested yet.

234     if (d->filters || d->colors == 1) {
235         if (d->colors == 1 || d->filters == 1 || d->filters > 1000)
236             d->raw_image = (ushort *) g_malloc((d->raw_height + 7) * d->raw_width * 2);
237         else
238             d->raw_image = (ushort *) g_malloc(sizeof(dcraw_image_type) * (d->raw_height + 7) * d->raw_width);

A segfault and an ASan error report could be observed with the attached test input as follows. However, unfortunately the test input does not seem to reliably reproduce the bug. I suspect that the values of 'd->raw_height' and 'd->raw_width' could have been read in from uninitialized memory addresses, not from the content of the test input.

jason@debian-amd64-stretch:~/report/debian-latest/ufraw-batch$ gdb -q ufraw-batch
Reading symbols from ufraw-batch...(no debugging symbols found)...done.
(gdb) run --overwrite poc7
Starting program: /usr/bin/ufraw-batch --overwrite poc7
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x55625bc1 in ?? ()
(gdb) x/i $rip
=> 0x55625bc1:  mov    %ax,(%rdx)
(gdb) info reg rdx
rdx            0x74901000          140737296470016

jason@debian-amd64-stretch:~/report/source-latest/ufraw/ufraw-0.22$ ./ufraw-batch --overwrite ../poc7
=================================================================
==15668==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x725d37f4 at pc 0x006042a6 bp 0x7ffdc3e0 sp 0x7ffdc3d8
READ of size 2 at 0x725d37f4 thread T0
    #0 0x6042a5 in DCRaw::unpacked_load_raw() /home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw.cc:1972:25
    #1 0x592abc in dcraw_load_raw /home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw_api.cc:249:9
    #2 0x4f9b75 in ufraw_load_raw /home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw_ufraw.c:666:19
    #3 0x4f59bf in main /home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch.c:85:13
    #4 0x752172e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x422a79 in _start (/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch+0x422a79)

0x725d37f4 is located 0 bytes to the right of 655348-byte region [0x72533800,0x725d37f4)
allocated by thread T0 here:
    #0 0x4c1038 in __interceptor_malloc (/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch+0x4c1038)
    #1 0x77463e08 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4fe08)
    #2 0x4f9b75 in ufraw_load_raw /home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw_ufraw.c:666:19
    #3 0x4f59bf in main /home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch.c:85:13
    #4 0x752172e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw.cc:1972:25 in DCRaw::unpacked_load_raw()

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0    1.0.6-8.1
ii  libc6         2.24-11+deb9u3
ii  libexiv2-14   0.25-3.1
ii  libgcc1       1:6.3.0-18+deb9u1
ii  libglib2.0-0  2.50.3-2
ii  libgomp1      6.3.0-18+deb9u1
ii
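The size computation the report quotes from line 236, worked through as an added example that is not ufraw's code or its fix: struct raw_dims, the 1 GiB limit and the dimension values are constructed assumptions; raw_alloc_size_wrapped reproduces the 32-bit int wrap the report describes, and raw_alloc_size_checked is one hardened replacement for that allocation size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two dcraw_data fields the report names
 * (assumption: the real struct has many more members; only these matter). */
struct raw_dims {
    int raw_height;
    int raw_width;
};

/* The byte count that the expression on line 236 is meant to produce,
 * computed without overflow in 64-bit arithmetic. */
int64_t raw_alloc_size_exact(const struct raw_dims *d)
{
    return ((int64_t)d->raw_height + 7) * (int64_t)d->raw_width * 2;
}

/* What "(d->raw_height + 7) * d->raw_width * 2" actually yields when
 * evaluated in 32-bit int on a two's-complement target.  Signed overflow
 * is undefined behaviour in C, so the wrap is reproduced here by
 * truncating the 64-bit result; in practice compilers emit a plain
 * 32-bit multiply and the low 32 bits are what reaches g_malloc(). */
int32_t raw_alloc_size_wrapped(const struct raw_dims *d)
{
    uint32_t low = (uint32_t)((uint64_t)raw_alloc_size_exact(d) & 0xffffffffu);
    return (int32_t)low;
}

/* Bytes the loader would write beyond the end of the undersized buffer.
 * Returns 0 when the wrapped size is not a smaller positive value: a
 * negative int becomes a huge gsize and g_malloc() aborts, and a zero
 * size makes g_malloc() return NULL, so neither yields a short buffer. */
int64_t raw_alloc_shortfall(const struct raw_dims *d)
{
    int64_t exact = raw_alloc_size_exact(d);
    int32_t wrapped = raw_alloc_size_wrapped(d);
    if (wrapped <= 0 || (int64_t)wrapped >= exact)
        return 0;
    return exact - (int64_t)wrapped;
}

/* Hardened replacement (written for this example, not ufraw's own fix):
 * reject negative or zero dimensions, multiply in size_t with explicit
 * overflow checks, and refuse anything above a caller-supplied limit.
 * Returns 0 and stores the size in *out on success, -1 otherwise. */
int raw_alloc_size_checked(const struct raw_dims *d, size_t limit, size_t *out)
{
    if (d->raw_height < 0 || d->raw_width <= 0)
        return -1;
    size_t rows = (size_t)d->raw_height + 7;
    size_t cols = (size_t)d->raw_width;
    if (rows > SIZE_MAX / cols)          /* rows * cols would wrap */
        return -1;
    size_t pixels = rows * cols;
    if (pixels > SIZE_MAX / 2)           /* pixels * 2 would wrap */
        return -1;
    size_t bytes = pixels * 2;
    if (bytes > limit)                   /* sane even when it fits in size_t */
        return -1;
    *out = bytes;
    return 0;
}

int main(void)
{
    /* Constructed dimension pairs: one plausible camera and three hostile ones. */
    const struct raw_dims cases[] = {
        { 3000, 4000 },    /* 24,056,000 bytes, no wrap */
        { 65529, 32769 },  /* wraps to 131,072 bytes: undersized heap buffer */
        { 65529, 32768 },  /* wraps to exactly 0 */
        { 32761, 32768 },  /* wraps to INT32_MIN: huge gsize */
    };
    const size_t limit = (size_t)1 << 30;  /* 1 GiB cap, an arbitrary policy */

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t bytes = 0;
        int rc = raw_alloc_size_checked(&cases[i], limit, &bytes);
        printf("%5d x %5d: exact=%lld wrapped=%d shortfall=%lld checked=%s\n",
               cases[i].raw_height, cases[i].raw_width,
               (long long)raw_alloc_size_exact(&cases[i]),
               (int)raw_alloc_size_wrapped(&cases[i]),
               (long long)raw_alloc_shortfall(&cases[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```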
Bug#906532: x264: heap buffer overflow
Package: x264
Version: 2:0.148.2748+git97eaef2-1
Severity: normal

Dear Maintainer,

Running x264 with the attached poc file raises a heap buffer overflow. The following gdb log shows the program resulting in a segfault.

jason@debian-amd64-stretch:~/report/debian-latest/x264$ gdb x264 -q
Reading symbols from x264...(no debugging symbols found)...done.
(gdb) run --crf 24 -o output.264 ./poc_ovf
Starting program: /usr/bin/x264 --crf 24 -o output.264 ./poc_ovf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffms [info]: 352x288p 12:11 @ 25/8839 fps (vfr)
x264 [info]: using SAR=12/11
x264 [info]: using cpu capabilities: MMX2 SSE2Fast SSSE3 SSE4.2 AVX FMA3 AVX2 LZCNT BMI2
x264 [info]: profile High, level 1.3

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:364
364     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) x/i $rip
=> 0x74735f50 <__memmove_avx_unaligned_erms+368>: vmovdqu -0x20(%rsi,%rdx,1),%ymm5
(gdb) info reg rsi rdx
rsi            0x55d21ee0          93825000414944
rdx            0x160               352
(gdb) bt 10
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:364
#1  0x555665b6 in ?? ()
#2  0x555666df in ?? ()
#3  0x5556840b in ?? ()
#4  0xb5b9 in ?? ()
#5  0x7462d2e1 in __libc_start_main (main=0xa030, argc=6, argv=0x7fffe5f8, init=, fini=, rtld_fini=, stack_end=0x7fffe5e8) at ../csu/libc-start.c:291
#6  0xcb3a in ?? ()

When we compiled the source with AddressSanitizer, the program reports a heap-buffer-overflow error in the x264_cli_plane_copy() function as follows.

jason@debian-amd64-stretch:~/report/source-latest/x264$ ./x264-0.148/x264 --crf 24 -o output.264 poc_ovf
ffms [info]: 352x288p 12:11 @ 25/8839 fps (vfr)
x264 [info]: using SAR=12/11
x264 [info]: using cpu capabilities: none!
x264 [info]: profile High, level 1.3
==6186==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c07a2f at pc 0x004aac55 bp 0x7fffcf90 sp 0x7fffc740
READ of size 352 at 0x62c07a2f thread T0
    #0 0x4aac54 in __asan_memcpy (/home/jason/report/source-latest/x264/x264-0.148/x264+0x4aac54)
    #1 0x5174f9 in x264_cli_plane_copy /home/jason/report/source-latest/x264/x264-0.148/filters/video/internal.c:33:9
    #2 0x5174f9 in x264_cli_pic_copy /home/jason/report/source-latest/x264/x264-0.148/filters/video/internal.c:55
    #3 0x51cc46 in get_frame /home/jason/report/source-latest/x264/x264-0.148/filters/video/fix_vfr_pts.c:100:13
    #4 0x4f667d in encode /home/jason/report/source-latest/x264/x264-0.148/x264.c:1921:13
    #5 0x4f667d in main /home/jason/report/source-latest/x264/x264-0.148/x264.c:382
    #6 0x745b02e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x422969 in _start (/home/jason/report/source-latest/x264/x264-0.148/x264+0x422969)

0x62c07a2f is located 0 bytes to the right of 30767-byte region [0x62c00200,0x62c07a2f)
allocated by thread T0 here:
    #0 0x4c18d0 in __interceptor_posix_memalign (/home/jason/report/source-latest/x264/x264-0.148/x264+0x4c18d0)
    #1 0x7552b93f in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x2b93f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/jason/report/source-latest/x264/x264-0.148/x264+0x4aac54) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c587fff8ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c587fff8f40: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages x264 depends on:
ii  libavcodec57   7:3.2.10-1~deb9u1
ii  libavformat57  7:3.2.10-1~deb9u1
ii  libavutil55    7:3.2.10-1~deb9u1
ii  libc6          2.24-11+deb9u3
ii  libffms2-4     2.23-1
ii  libgpac4
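The ASan report above places the 352-byte row read by x264_cli_plane_copy() at exactly the end of a 30767-byte region returned by libavutil's av_malloc(), so the copy's idea of the plane geometry (the ffms line says 352x288) did not match the allocation behind it. The C program below is an added example, not x264's or FFmpeg's code: it models a row-by-row planar copy driven by a header-declared width and height, beside a variant that first checks the last byte the copy would touch against the size actually allocated. The plane_t type, the helper names and the 30767/352 numbers are constructed for the illustration; only the numbers are taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a decoder-owned plane (not x264's or libavutil's types). */
typedef struct {
    uint8_t *data;   /* plane base */
    size_t   size;   /* bytes actually allocated behind 'data' */
    int      stride; /* bytes from one row to the next */
} plane_t;

/* Unchecked copy: trusts width/height supplied from elsewhere (the container
 * header in the report). When 'height' rows do not fit in src->size, memcpy()
 * reads past the allocation, which is the READ that ASan flagged. */
static void plane_copy_unchecked(uint8_t *dst, int dst_stride,
                                 const plane_t *src, int width, int height)
{
    for (int y = 0; y < height; y++)
        memcpy(dst + (size_t)y * (size_t)dst_stride,
               src->data + (size_t)y * (size_t)src->stride, (size_t)width);
}

/* 1 if every byte the copy would read lies inside src->size, else 0.
 * The last row starts at (height-1)*stride and is 'width' bytes long. */
static int plane_geometry_fits(const plane_t *src, int width, int height)
{
    if (width <= 0 || height <= 0 || src->stride < width) return 0;
    size_t needed = (size_t)(height - 1) * (size_t)src->stride + (size_t)width;
    return needed <= src->size;
}

/* Hardened copy: refuses geometry the source allocation cannot back. */
static int plane_copy_checked(uint8_t *dst, int dst_stride,
                              const plane_t *src, int width, int height)
{
    if (!plane_geometry_fits(src, width, height)) return -1;
    plane_copy_unchecked(dst, dst_stride, src, width, height);
    return 0;
}

/* Largest row count the allocation can back for this width (0 if none). */
static int plane_rows_available(const plane_t *src, int width)
{
    if (width <= 0 || src->stride < width || src->size < (size_t)width) return 0;
    return (int)((src->size - (size_t)width) / (size_t)src->stride) + 1;
}

/* Reproduces the report's numbers: a 30767-byte plane with a 352-byte stride,
 * asked to supply 'height' rows of 352 pixels. Returns 0 on success, -1 if
 * the checked copy rejects the geometry. */
static int demo_copy(int height)
{
    enum { WIDTH = 352, REGION = 30767 };
    int rows = height > 0 ? height : 1;
    uint8_t *region = malloc(REGION);
    uint8_t *dst = malloc((size_t)WIDTH * (size_t)rows);
    if (!region || !dst) { free(region); free(dst); return -1; }
    memset(region, 0x80, REGION);          /* constructed pixel data */
    plane_t src = { region, REGION, WIDTH };
    int rc = plane_copy_checked(dst, WIDTH, &src, WIDTH, height);
    free(region);
    free(dst);
    return rc;
}

int main(void)
{
    plane_t src = { NULL, 30767, 352 };
    printf("rows a 30767-byte plane can back at stride 352: %d\n",
           plane_rows_available(&src, 352));
    printf("copy of 288 rows: %d (rejected)\n", demo_copy(288));
    printf("copy of 87 rows:  %d (ok)\n", demo_copy(87));
    return 0;
}
```

The check is deliberately written against the allocation size rather than the declared frame size: a decoder that hands back a buffer smaller than the container header promises is exactly the case where trusting the header is wrong.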
Bug#906530: dcraw: NULL dereference bug
Package: dcraw
Version: 9.27-1+b1
Severity: normal

Dear Maintainer,

Running dcraw with the attached poc file raises a NULL dereference bug. The following gdb log shows the program resulting in a segfault.

jason@debian-amd64-stretch:~/report/debian-latest/dcraw$ gdb dcraw -q
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run poc_null
Starting program: /usr/bin/dcraw poc_null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
poc_null: Unexpected end of file

Program received signal SIGSEGV, Segmentation fault.
0xd01c in ?? ()
(gdb) x/i $rip
=> 0xd01c: mov %r10w,(%r9,%rax,2)
(gdb) info reg r9 rax
r9             0x0      0
rax            0x0      0
(gdb) bt 5
#0  0xd01c in ?? ()
#1  0xb1bc in ?? ()
#2  0x7728f2e1 in __libc_start_main (main=0x9940, argc=2, argv=0x7fffe638, init=, fini=, rtld_fini=, stack_end=0x7fffe628) at ../csu/libc-start.c:291
#3  0xb4da in ?? ()

When we compiled the source with AddressSanitizer, it reports a NULL dereference bug in the nokia_load_raw() function as follows.

jason@debian-amd64-stretch:~/report/source-latest/dcraw$ ./dcraw-9.27/dcraw poc_null
poc_null: Unexpected end of file
ASAN:DEADLYSIGNAL
==5981==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x0051301a bp 0x7fffdc70 sp 0x7fffda40 T0)
    #0 0x513019 in nokia_load_raw /home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:1972:28
    #1 0x5bcf96 in main /home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:10150:10
    #2 0x76a4f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #3 0x41c049 in _start (/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw+0x41c049)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:1972:28 in nokia_load_raw
==5981==ABORTING

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc6            2.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  <none>
ii  netpbm   2:10.0-15.3+b2

-- no debconf information

poc_null
Description: Binary data
Bug#906529: dcraw: stack-based buffer overflow bug
Package: dcraw
Version: 9.27-1+b1
Severity: normal

A stack-based buffer overflow bug exists in dcraw. Running the attached poc file raises a stack-based buffer overflow error, which may allow a control flow hijack attack. The following gdb log shows the program resulting in a segfault.

jason@debian-amd64-stretch:~/report/debian-latest/dcraw$ gdb dcraw -q
Reading symbols from dcraw...(no debugging symbols found)...done.
(gdb) run poc_ovf
Starting program: /usr/bin/dcraw poc_ovf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:137
137     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt 10
#0  strlen () at ../sysdeps/x86_64/strlen.S:137
#1  0x772dfa84 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x773d3305 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:109
#2  0x773681f7 in __GI___fortify_fail (msg=msg@entry=0x773d32ed "stack smashing detected") at fortify_fail.c:30
#3  0x773681c0 in __stack_chk_fail () at stack_chk_fail.c:28
#4  0x5557ea4e in ?? ()
#5  0x in ?? ()
#6  0x in ?? ()
#7  0x in ?? ()
#8  0x in ?? ()
#9  0x in ?? ()
(More stack frames follow...)

AddressSanitizer reports a stack-buffer-overflow error in the find_green() function as follows.

jason@debian-amd64-stretch:~/report/source-latest/dcraw$ ./dcraw-9.27/dcraw poc_ovf
==5868==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffc720 at pc 0x00595ece bp 0x7fffa6b0 sp 0x7fffa6a8
WRITE of size 2 at 0x7fffc720 thread T0
    #0 0x595ecd in find_green /home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:8147:19
    #1 0x59e77b in identify /home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:8716:5
    #2 0x5b94f9 in main /home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:10007:15
    #3 0x76a4f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #4 0x41c049 in _start (/home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw+0x41c049)

Address 0x7fffc720 is located in stack of thread T0 at offset 8288 in frame
    #0 0x595a6f in find_green /home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:8133

  This frame has 2 object(s):
    [32, 8288) 'img' <== Memory access at offset 8288 overflows this variable
    [8544, 8560) 'sum'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/jason/report/source-latest/dcraw/dcraw-9.27/dcraw.c:8147:19 in find_green
Shadow bytes around the buggy address:
  0x10007fff7890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff78a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff78b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff78c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff78d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff78e0: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff78f0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff7900: f2 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dcraw depends on:
ii  libc6            2.24-11+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  <none>
ii  netpbm   2:10.0-15.3+b2

-- no debconf information

poc_ovf
Description: Binary data
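The frame dump above is the useful part of this report for triage: the 2-byte WRITE lands at offset 8288, exactly one past the 'img' object that occupies [32, 8288), i.e. an 8256-byte stack array that a column loop ran off the end of. The C program below is an added example, not dcraw's code: it models that pattern, a fixed-size stack buffer filled up to a column count taken from the file header, beside the bounded entry point that rejects a count the buffer cannot hold. It assumes the buffer is a uint16_t[2][2064] array (2 x 2064 x 2 bytes = 8256, matching the frame dump; the real array's shape is not shown in the report), and the "RW" header format, the reader_t type and the helper names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed capacity: 2 rows x 2064 columns x sizeof(uint16_t) = 8256 bytes, the size
 * of the 'img' object in the ASan frame dump. Its real shape is an assumption here. */
#define IMG_COLS 2064

/* Constructed in-memory stand-in for the open raw file. */
typedef struct { const uint8_t *buf; size_t len; size_t off; } reader_t;

/* Next byte, or 0 once the data runs out (this example's stand-in for a short file). */
static unsigned rd_byte(reader_t *r)
{
    return r->off < r->len ? r->buf[r->off++] : 0;
}

/* Constructed header: "RW" then a little-endian uint16 column count.
 * Returns the declared width, or -1 for a malformed header. */
static int parse_width(const uint8_t *file, size_t len)
{
    if (len < 4 || file[0] != 'R' || file[1] != 'W') return -1;
    return file[2] | (file[3] << 8);
}

/* Vulnerable pattern: the column loop runs to the header-declared width, but img
 * only has room for IMG_COLS columns. With width > IMG_COLS the store to
 * img[c][col] lands beyond the array on the caller's stack frame, which is the
 * 2-byte WRITE the report shows; with the stack protector on, that becomes the
 * "stack smashing detected" abort from the gdb session. */
static void fill_rows_unchecked(reader_t *r, int width, uint16_t img[2][IMG_COLS])
{
    for (int c = 0; c < 2; c++)
        for (int col = 0; col < width; col++) {
            unsigned lo = rd_byte(r);
            unsigned hi = rd_byte(r);
            img[c][col] = (uint16_t)(lo | hi << 8);
        }
}

/* Hardened entry point: bound the untrusted width by the buffer before filling. */
static int fill_rows_checked(reader_t *r, int width, uint16_t img[2][IMG_COLS])
{
    if (width <= 0 || width > IMG_COLS) return -1;
    fill_rows_unchecked(r, width, img);
    return 0;
}

/* Parses the header and loads both rows. Returns columns loaded, or -1 if rejected. */
static int load_rows(const uint8_t *file, size_t len, uint16_t img[2][IMG_COLS])
{
    int width = parse_width(file, len);
    reader_t r = { file, len, 4 };
    if (fill_rows_checked(&r, width, img) != 0) return -1;
    return width;
}

/* Constructed file declaring 'width' columns with no pixel payload (every pixel
 * reads back as 0, as a truncated input would). Returns load_rows()'s result. */
static int demo_declared_width(unsigned width)
{
    uint8_t file[4] = { 'R', 'W', (uint8_t)(width & 0xff), (uint8_t)(width >> 8) };
    uint16_t img[2][IMG_COLS];
    return load_rows(file, sizeof file, img);
}

/* Constructed well-formed file: 3 columns, rows {1,2,3} and {16,32,48}.
 * Returns the sum of all loaded pixels (102) to show the in-bounds path works. */
static int demo_pixel_sum(void)
{
    static const uint8_t file[] = {
        'R', 'W', 3, 0,
        0x01, 0x00, 0x02, 0x00, 0x03, 0x00,
        0x10, 0x00, 0x20, 0x00, 0x30, 0x00,
    };
    uint16_t img[2][IMG_COLS];
    int width = load_rows(file, sizeof file, img);
    if (width < 0) return -1;
    int sum = 0;
    for (int c = 0; c < 2; c++)
        for (int col = 0; col < width; col++)
            sum += img[c][col];
    return sum;
}

int main(void)
{
    printf("width 2064: %d\n", demo_declared_width(2064));   /* accepted */
    printf("width 2065: %d\n", demo_declared_width(2065));   /* rejected */
    printf("width 4000: %d\n", demo_declared_width(4000));   /* rejected */
    printf("pixel sum of 3-column sample: %d\n", demo_pixel_sum());
    return 0;
}
```

The check belongs at the boundary where the file's value first meets the fixed-size buffer; rejecting the whole file there is simpler and safer than clamping inside the loop, which silently produces a truncated image that later code may still treat as 'width' columns wide.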
Bug#889272: CVE-2018-6612
For your information, this bug was assigned CVE-2018-6612. Thank you for the fix.
Bug#878739: CVE-2017-18120
For your information, this bug was assigned CVE-2017-18120. Thank you for the fix.