Bug#906559: ufraw-batch: integer overflow in dcraw_load_raw()

Sat, 18 Aug 2018 14:16:39 -0700 

Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

An integer overflow bug that leads to heap buffer overflow exists in
ufraw-batch.

According to our analysis, the bug exists within dcraw_load_raw() function
(dcraw_api.cc:Line #236). If 'd->raw_height' and 'd->raw_width' are set to
certain values that make the result of multiplication greater than INT_MAX,
the memory allocation size is overflowed and wrapped around to a small
value. This results in a buffer overflow in the latter part of of the
execution. Memory allocation in Line #238 may be also vulnerable, but it
had not been tested yet.

234         if (d->filters || d->colors == 1) {
235             if (d->colors == 1 || d->filters == 1 || d->filters > 1000)
236                 d->raw_image = (ushort *) g_malloc((d->raw_height + 7)
* d->raw_width * 2);
237             else
238                 d->raw_image = (ushort *)
g_malloc(sizeof(dcraw_image_type) * (d->raw_height + 7) * d->raw_width);

Segfault and ASan error report could be observed with the attached test
input as follow. However,  unfortunately the test input do not seem to
reliably reproduce the bug.
I doubt that maybe the values of 'd->raw_height' and 'd->raw_width' could
have been read in from uninitialized memory addresses, not from the content
of test input.

jason@debian-amd64-stretch:~/report/debian-latest/ufraw-batch$ gdb -q
ufraw-batch
Reading symbols from ufraw-batch...(no debugging symbols found)...done.
(gdb) run --overwrite poc7
Starting program: /usr/bin/ufraw-batch --overwrite poc7
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000555555625bc1 in ?? ()
(gdb) x/i $rip
=> 0x555555625bc1:      mov    %ax,(%rdx)
(gdb) info reg rdx
rdx            0x7ffff4901000   140737296470016

jason@debian-amd64-stretch:~/report/source-latest/ufraw/ufraw-0.22$
./ufraw-batch --overwrite ../poc7
=================================================================
==15668==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7ffff25d37f4 at pc 0x0000006042a6 bp 0x7ffffffdc3e0 sp 0x7ffffffdc3d8
READ of size 2 at 0x7ffff25d37f4 thread T0
    #0 0x6042a5 in DCRaw::unpacked_load_raw()
/home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw.cc:1972:25
    #1 0x592abc in dcraw_load_raw
/home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw_api.cc:249:9
    #2 0x4f9b75 in ufraw_load_raw
/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw_ufraw.c:666:19
    #3 0x4f59bf in main
/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch.c:85:13
    #4 0x7ffff52172e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x422a79 in _start
(/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch+0x422a79)

0x7ffff25d37f4 is located 0 bytes to the right of 655348-byte region
[0x7ffff2533800,0x7ffff25d37f4)
allocated by thread T0 here:
    #0 0x4c1038 in __interceptor_malloc
(/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch+0x4c1038)
    #1 0x7ffff7463e08 in g_malloc
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4fe08)
    #2 0x4f9b75 in ufraw_load_raw
/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw_ufraw.c:666:19
    #3 0x4f59bf in main
/home/jason/report/source-latest/ufraw/ufraw-0.22/ufraw-batch.c:85:13
    #4 0x7ffff52172e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/jason/report/source-latest/ufraw/ufraw-0.22/dcraw.cc:1972:25 in
DCRaw::unpacked_load_raw()
Shadow bytes around the buggy address:
  0x10007e4b26a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4b26b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4b26c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4b26d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4b26e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007e4b26f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa
  0x10007e4b2700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e4b2710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e4b2720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e4b2730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10007e4b2740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u3
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18+deb9u1
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18+deb9u1
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18+deb9u1
ii  libtiff5         4.0.8-2+deb9u2
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  <none>

-- no debconf information

Attachment: poc
Description: Binary data

Reply via email to