Public bug reported:

My fuzzer found a crash in main(), at the last line of this snippet.

char *base64data = (char *)malloc(data_size + 1);
if (!base64data)
        mem_overflow();

...
...

parts[i].Data = (char *)malloc(parts[i].BlocksRunCount * 0x28);
if (!parts[i].Data)
        mem_overflow();
/* No check that 0xCC + BlocksRunCount * 0x28 fits within data_size before the copy. */
memcpy(parts[i].Data, base64data + 0xCC, parts[i].BlocksRunCount * 0x28);

Valgrind says that it is an OOB read of 2 bytes:

==7440== Invalid read of size 2
==7440==    at 0x4C36914: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7440==    by 0x109EB6: memcpy (string_fortified.h:34)
==7440==    by 0x109EB6: main (dmg2img.c:284)
==7440==  Address 0x565ecae is 2 bytes before a block of size 1,966,080 alloc'd
==7440==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7440==    by 0x109E91: main (dmg2img.c:281)
==7440== 

Probably the parsed BlocksRunCount field is not coherent with data_size.

I attach a testcase that triggers the bug (and also an infinite loop).

** Affects: dmg2img (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "id:000009,sig:11,src:000005+000085,op:splice,rep:4"
   https://bugs.launchpad.net/bugs/1835463/+attachment/5275122/+files/id%3A000009%2Csig%3A11%2Csrc%3A000005+000085%2Cop%3Asplice%2Crep%3A4

https://bugs.launchpad.net/bugs/1835463

Title:
  OOB read in main()


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

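The report's memcpy trusts the parsed BlocksRunCount and copies BlocksRunCount * 0x28 bytes from base64data + 0xCC with no check against data_size, so a crafted count walks past the end of the decoded buffer. The following is an added example (not code from the report or from dmg2img) of the bounds check a fix needs, written as a stand-alone C routine. It keeps the two constants from the snippet (run table at offset 0xCC, 0x28 bytes per run entry); the assumption that BlocksRunCount is a 32-bit big-endian field at offset 0xC8, and the helpers copy_block_runs, make_blob and try_parse, are constructed for this example. The sample input is a constructed blob, not the attached testcase.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout constants taken from the snippet in the report: run entries start
 * at byte 0xCC of the decoded blkx blob and are 0x28 bytes each. Reading
 * BlocksRunCount as a 32-bit big-endian value at 0xC8 (the 4 bytes just
 * before the entries) is an assumption made for this example. */
#define RUN_TABLE_OFFSET 0xCC
#define RUN_ENTRY_SIZE   0x28
#define RUN_COUNT_OFFSET 0xC8

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened replacement for the memcpy in the report. Returns 0 and a
 * malloc'd copy of the run table on success; -1 if the header is truncated,
 * the size multiplication would overflow, or the table claimed by
 * BlocksRunCount does not fit inside data_size. Never reads past
 * base64data + data_size. */
int copy_block_runs(const uint8_t *base64data, size_t data_size,
                    uint8_t **runs_out, size_t *runs_len_out)
{
    *runs_out = NULL;
    *runs_len_out = 0;

    if (data_size < RUN_TABLE_OFFSET)
        return -1;                         /* no room for the fixed header */

    uint32_t count = read_be32(base64data + RUN_COUNT_OFFSET);

    /* Overflow-safe size computation: count * 0x28 must fit in size_t. */
    if (count > SIZE_MAX / RUN_ENTRY_SIZE)
        return -1;
    size_t table_len = (size_t)count * RUN_ENTRY_SIZE;

    /* The check the original code lacks: the whole table must lie inside
     * the buffer that was actually decoded. */
    if (table_len > data_size - RUN_TABLE_OFFSET)
        return -1;

    uint8_t *runs = malloc(table_len ? table_len : 1);
    if (!runs)
        return -1;
    memcpy(runs, base64data + RUN_TABLE_OFFSET, table_len);

    *runs_out = runs;
    *runs_len_out = table_len;
    return 0;
}

/* Constructed sample input: a blkx-like blob whose count field claims
 * `count` runs while only `present` run entries actually follow the header.
 * Returns the blob length, or 0 if it would not fit in `cap` bytes. */
size_t make_blob(uint8_t *buf, size_t cap, uint32_t count, size_t present)
{
    size_t len = RUN_TABLE_OFFSET + present * RUN_ENTRY_SIZE;
    if (len > cap)
        return 0;
    memset(buf, 0, len);
    buf[RUN_COUNT_OFFSET + 0] = (uint8_t)(count >> 24);
    buf[RUN_COUNT_OFFSET + 1] = (uint8_t)(count >> 16);
    buf[RUN_COUNT_OFFSET + 2] = (uint8_t)(count >> 8);
    buf[RUN_COUNT_OFFSET + 3] = (uint8_t)(count);
    for (size_t i = 0; i < present * RUN_ENTRY_SIZE; i++)
        buf[RUN_TABLE_OFFSET + i] = (uint8_t)(0x41 + (i % RUN_ENTRY_SIZE));
    return len;
}

/* Parse a constructed blob; returns the number of run-table bytes copied,
 * -1 if the input was rejected, -2 if the copy did not match the source. */
long try_parse(uint32_t count, size_t present)
{
    uint8_t buf[RUN_TABLE_OFFSET + 4 * RUN_ENTRY_SIZE];
    size_t len = make_blob(buf, sizeof buf, count, present);
    uint8_t *runs = NULL;
    size_t runs_len = 0;

    if (copy_block_runs(buf, len, &runs, &runs_len) != 0)
        return -1;
    int ok = memcmp(runs, buf + RUN_TABLE_OFFSET, runs_len) == 0;
    free(runs);
    return ok ? (long)runs_len : -2;
}

int main(void)
{
    printf("count=2, present=2 -> %ld\n", try_parse(2, 2));            /* 80 */
    printf("count=3, present=2 -> %ld\n", try_parse(3, 2));            /* -1 */
    printf("count=0xFFFFFFFF, present=2 -> %ld\n", try_parse(0xFFFFFFFFu, 2)); /* -1 */
    printf("count=0, present=0 -> %ld\n", try_parse(0, 0));            /* 0 */
    return 0;
}
```

The second case is the shape of the crash in the report: a count larger than what the decoded data can hold. With the check in place the input is rejected before any copy, so Valgrind stays quiet; the same guard also stops the size computation from wrapping on 32-bit builds.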