You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Our fuzzer found a crash due to a heap buffer overflow on the function cmft::bgr8ToRgba32f. I built cmft (the latest commit 06a3516 on master) using the configuration "release64" on Ubuntu 16.04 (64-bit).
cmftRelease-asan --input PoC_hbo_bgr8ToRgba32f --output0 /dev/null
=================================================================
==17004==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff2 at pc 0x00000041d225 bp 0x7ffe04d76830 sp 0x7ffe04d76820
READ of size 1 at 0x60200000eff2 thread T0
#0 0x41d224 in cmft::bgr8ToRgba32f(float*, unsigned char const*) ../../src/cmft/image.cpp:1457
#1 0x41d224 in cmft::imageToRgba32f(cmft::Image&, cmft::Image const&, cmft::AllocatorI*) ../../src/cmft/image.cpp:1594
#2 0x420cba in cmft::imageConvert(cmft::Image&, cmft::TextureFormat::Enum, cmft::Image const&, cmft::AllocatorI*) ../../src/cmft/image.cpp:2017
#3 0x434550 in cmft::imageConvert(cmft::Image&, cmft::TextureFormat::Enum, cmft::AllocatorI*) ../../src/cmft/image.cpp:2049
#4 0x434550 in cmft::imageLoad(cmft::Image&, cmft::Rw*, cmft::TextureFormat::Enum, cmft::AllocatorI*) ../../src/cmft/image.cpp:5051
#5 0x4348a9 in cmft::imageLoad(cmft::Image&, char const*, cmft::TextureFormat::Enum, cmft::AllocatorI*) ../../src/cmft/image.cpp:5062
#6 0x475600 in cmftMain(int, char const* const*) ../../src/cmft_cli/cmft_cli.h:895
#7 0x7f236f49f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x403608 in _start (/home/dungnguyen/PoCs/cmft_06a3516/cmftRelease-asan+0x403608)
0x60200000eff2 is located 1 bytes to the right of 1-byte region [0x60200000eff0,0x60200000eff1)
allocated by thread T0 here:
#0 0x7f23707ab602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x433f18 in cmft::imageLoadTga(cmft::Image&, cmft::Rw*, cmft::AllocatorI*) ../../src/cmft/image.cpp:4899
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../src/cmft/image.cpp:1457 cmft::bgr8ToRgba32f(float*, unsigned char const*)
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==17004==ABORTING
Thanks,
Manh Dung
The text was updated successfully, but these errors were encountered:
Hi,
Our fuzzer found a crash due to a heap buffer overflow on the function cmft::bgr8ToRgba32f. I built cmft (the latest commit 06a3516 on master) using the configuration "release64" on Ubuntu 16.04 (64-bit).
PoC_hbo_bgr8ToRgba32f: https://github.com/strongcourage/PoCs/blob/master/cmft_06a3516/PoC_hbo_bgr8ToRgba32f
ASAN says:
Thanks,
Manh Dung
The text was updated successfully, but these errors were encountered: