[Desktop-packages] [Bug 1653729] Re: Heap based OOB READ in hbpldecode.c
** Changed in: foo2zjs (Ubuntu)
Status: New => Confirmed
** Changed in: foo2zjs (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to foo2zjs in Ubuntu.
https://bugs.launchpad.net/bugs/1653729
Title:
Heap based OOB READ in hbpldecode.c
Status in foo2zjs package in Ubuntu:
Confirmed
Bug description:
hbpldecode is used to decode a HBPL stream into human readbal form , and HBPL
is Host Based Printer Language , it belongs to the foo2zjs project , whose
official page is http://foo2hbpl.rkkda.com/ .
hbpldecode locates in /usr/bin/ directory of ubuntu , a heap based OOB will
occur if hbpldecode try to decode a crafted HBPL stream thus resulting in info
leak in the heap , which is a security problem .
The problem lies in decode2 function . when the header of crafted file
is "PS" , the program will allocate "len" byte heap chunk to mbuf ,
and then call print_bih(mbuf) . the print_bih will output 20 bytes
infomation of mbuf regardless of its actual size , when the "len" read
from file is smaller than 20 , it causes an out of bound read issue .
related code snippets :
#decode2:
if (header[1] == '%' && header[2] == '-') //end of file
len = 15;
else
{
if (header[1] == 'J' && header[2] == 'P')
len = 60;// JP doesn't have len
else
len = header[3];
printf("RECTYPE %c%c - size=%d ", header[1], header[2], len);
}
curOff += len+4;
rc = fread(buf, 1, len, fp);
//
if (header[1] == 'P' && header[2] == 'S'){
//...
len = getLEdword([12]);
mbuf = malloc(len);
if ( color == 1 ){
//...
print_bih(mbuf);
print_bih(mbuf + offbih[0]);
print_bih(mbuf + offbih[0] + offbih[1]);
//...
}else{
//...
print_bih(mbuf);
//...
}
}
# print_bih:
void
print_bih(unsigned char bih[20])
{
unsigned int xd, yd, l0;
xd = (bih[4] << 24) | (bih[5] << 16) | (bih[6] << 8) | (bih[7] << 0);
yd = (bih[8] << 24) | (bih[9] << 16) | (bih[10] << 8) | (bih[11] << 0);
l0 = (bih[12] << 24) | (bih[13] << 16) | (bih[14] << 8) | (bih[15] << 0);
printf("DL = %d, D = %d, P = %d, - = %d, XY = %d x %d\n",
bih[0], bih[1], bih[2], bih[3], xd, yd);
printf("L0 = %d, MX = %d, MY = %d\n",
l0, bih[16], bih[17]);
printf("Order = %d %s%s%s%s%s\n", bih[18],
bih[18] & JBG_HITOLO ? " HITOLO" : "",
bih[18] & JBG_SEQ ? " SEQ" : "",
bih[18] & JBG_ILEAVE ? " ILEAVE" : "",
bih[18] & JBG_SMID ? " SMID" : "",
bih[18] & 0xf0 ? " other" : "");
printf("Options = %d %s%s%s%s%s%s%s%s\n", bih[19],
bih[19] & JBG_LRLTWO ? " LRLTWO" : "",
bih[19] & JBG_VLENGTH ? " VLENGTH" : "",
bih[19] & JBG_TPDON ? " TPDON" : "",
bih[19] & JBG_TPBON ? " TPBON" : "",
bih[19] & JBG_DPON ? " DPON" : "",
bih[19] & JBG_DPPRIV ? " DPPRIV" : "",
bih[19] & JBG_DPLAST ? " DPLAST" : "",
bih[19] & 0x80 ? " other" : "");
printf("%u stripes, %d layers, %d planes\n",
((yd >> bih[1]) + 1UL << bih[1]) - 1) & xd) != 0) + l0 - 1) / l0,
bih[1] - bih[0], bih[2]);
}
Sanitizer output :
==114006==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020eff4 at pc 0x00405552 bp 0x7ffdf9162dc0 sp 0x7ffdf9162db0
READ of size 4 at 0x6020eff4 thread T0
#0 0x405551 in print_bih
/home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:183
#1 0x406937 in decode2 /home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:431
#2 0x40f20b in decode /home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:865
#3 0x401ea9 in main /home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:928
#4 0x7fe49830882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x402148 in _start
(/home/bobb/fuzz-workspace/foo2zjs-workspace/hbpldecode+0x402148)
0x6020eff4 is located 3 bytes to the right of 1-byte region
[0x6020eff0,0x6020eff1)
allocated by thread T0 here:
#0 0x7fe498749602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4067ba in decode2 /home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:383
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bobb/fuzz-
workspace/foo2zjs/hbpldecode.c:183 print_bih
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/foo2zjs/+bug/1653729/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1653729] Re: Heap based OOB READ in hbpldecode.c
Hi Bobb,
Oh, that's interesting. I wonder if we should stop packaging these
tools, or ask Debian's maintainer to stop packaging them then. Packaged
programs have a way of getting used, perhaps beyond the original
author's intentions.
I've found fuzzing results to be best accepted by upstreams when run
against a recent checkout of their development branch; it's normally
best to report issues to upstreams first, since they are in the best
position to prepare fixes and determine if older versions may also be
affected. If you can test the crashers against released versions, that's
often also helpful to report.
When reporting fuzzing-discovered issues, it's important to include the
generated test cases.
In this specific case, your analysis was very helpful; I'm sure other
upstreams would appreciate this kind of effort in reports. It's all too
easy to just dump a few hundred crashing files on someone. (I've done
this. Several times. It hasn't been received well.)
Thanks
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to foo2zjs in Ubuntu.
https://bugs.launchpad.net/bugs/1653729
Title:
Heap based OOB READ in hbpldecode.c
Status in foo2zjs package in Ubuntu:
New
Bug description:
hbpldecode is used to decode a HBPL stream into human readbal form , and HBPL
is Host Based Printer Language , it belongs to the foo2zjs project , whose
official page is http://foo2hbpl.rkkda.com/ .
hbpldecode locates in /usr/bin/ directory of ubuntu , a heap based OOB will
occur if hbpldecode try to decode a crafted HBPL stream thus resulting in info
leak in the heap , which is a security problem .
The problem lies in decode2 function . when the header of crafted file
is "PS" , the program will allocate "len" byte heap chunk to mbuf ,
and then call print_bih(mbuf) . the print_bih will output 20 bytes
infomation of mbuf regardless of its actual size , when the "len" read
from file is smaller than 20 , it causes an out of bound read issue .
related code snippets :
#decode2:
if (header[1] == '%' && header[2] == '-') //end of file
len = 15;
else
{
if (header[1] == 'J' && header[2] == 'P')
len = 60;// JP doesn't have len
else
len = header[3];
printf("RECTYPE %c%c - size=%d ", header[1], header[2], len);
}
curOff += len+4;
rc = fread(buf, 1, len, fp);
//
if (header[1] == 'P' && header[2] == 'S'){
//...
len = getLEdword([12]);
mbuf = malloc(len);
if ( color == 1 ){
//...
print_bih(mbuf);
print_bih(mbuf + offbih[0]);
print_bih(mbuf + offbih[0] + offbih[1]);
//...
}else{
//...
print_bih(mbuf);
//...
}
}
# print_bih:
void
print_bih(unsigned char bih[20])
{
unsigned int xd, yd, l0;
xd = (bih[4] << 24) | (bih[5] << 16) | (bih[6] << 8) | (bih[7] << 0);
yd = (bih[8] << 24) | (bih[9] << 16) | (bih[10] << 8) | (bih[11] << 0);
l0 = (bih[12] << 24) | (bih[13] << 16) | (bih[14] << 8) | (bih[15] << 0);
printf("DL = %d, D = %d, P = %d, - = %d, XY = %d x %d\n",
bih[0], bih[1], bih[2], bih[3], xd, yd);
printf("L0 = %d, MX = %d, MY = %d\n",
l0, bih[16], bih[17]);
printf("Order = %d %s%s%s%s%s\n", bih[18],
bih[18] & JBG_HITOLO ? " HITOLO" : "",
bih[18] & JBG_SEQ ? " SEQ" : "",
bih[18] & JBG_ILEAVE ? " ILEAVE" : "",
bih[18] & JBG_SMID ? " SMID" : "",
bih[18] & 0xf0 ? " other" : "");
printf("Options = %d %s%s%s%s%s%s%s%s\n", bih[19],
bih[19] & JBG_LRLTWO ? " LRLTWO" : "",
bih[19] & JBG_VLENGTH ? " VLENGTH" : "",
bih[19] & JBG_TPDON ? " TPDON" : "",
bih[19] & JBG_TPBON ? " TPBON" : "",
bih[19] & JBG_DPON ? " DPON" : "",
bih[19] & JBG_DPPRIV ? " DPPRIV" : "",
bih[19] & JBG_DPLAST ? " DPLAST" : "",
bih[19] & 0x80 ? " other" : "");
printf("%u stripes, %d layers, %d planes\n",
((yd >> bih[1]) + 1UL << bih[1]) - 1) & xd) != 0) + l0 - 1) / l0,
bih[1] - bih[0], bih[2]);
}
Sanitizer output :
==114006==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020eff4 at pc 0x00405552 bp 0x7ffdf9162dc0 sp 0x7ffdf9162db0
READ of size 4 at 0x6020eff4 thread T0
#0 0x405551 in print_bih
/home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:183
#1 0x406937 in decode2 /home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:431
#2 0x40f20b in decode /home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:865
#3 0x401ea9 in main /home/bobb/fuzz-workspace/foo2zjs/hbpldecode.c:928
#4 0x7fe49830882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x402148 in _start
