Package: libwmf0.2-7

There is an invalid read in the meta.h file at several lines. To
identify the issue I used ASAN plus the afl fuzzer. I'm attaching two fuzzed
files that trigger the invalid read, and a patch that seems to work for me.
After applying it, ASAN no longer complains.

$ /home/fmunozs/ramdisk/wmf2svg
--wmf-fontdir=/usr/share/fonts/type1/gsfonts bug2.wmf
=================================================================
==19295==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb3b03400 at pc 0x8197102 bp 0xbfd3e038 sp 0xbfd3e028
READ of size 4 at 0xb3b03400 thread T0
    #0 0x8197101 in meta_font_create player/meta.h:3291
    #1 0x8197101 in WmfPlayMetaFile
/home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:1080
    #2 0x81a5ac0 in wmf_scan /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:150
    #3 0x804baa8 in wmf2svg_draw
/home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:129
    #4 0x804f1c5 in wmf2svg_file
/home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:439
    #5 0x804ac78 in main
/home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:458
    #6 0xb6e9a72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #7 0x804b36e (/home/fmunozs/ramdisk/wmf2svg+0x804b36e)

0xb3b03400 is located 0 bytes to the right of 144-byte region
[0xb3b03370,0xb3b03400)
allocated by thread T0 here:
    #0 0xb727518c in __interceptor_malloc
(/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
    #1 0x80d7558 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482

SUMMARY: AddressSanitizer: heap-buffer-overflow player/meta.h:3291
meta_font_create
Shadow bytes around the buggy address:
  0x36760630: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x36760640: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x36760650: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x36760660: 00 00 00 00 00 02 fa fa fa fa fa fa fa fa 00 00
  0x36760670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36760680:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36760690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367606a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367606b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367606c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367606d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==19295==ABORTING
Index: libwmf-0.2.8.4/src/player/meta.h
===================================================================
--- libwmf-0.2.8.4.orig/src/player/meta.h
+++ libwmf-0.2.8.4/src/player/meta.h
@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
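Review bot: The reordered `while` condition now checks `i < NUM_OBJECTS (API)` before dereferencing `objects[i]`, which stops the one-past-the-end read, but the identical one-line swap is repeated verbatim in six places (this hunk and the hunks for meta_dib_brush, meta_pen_create, meta_brush_create, meta_font_create and meta_palette_create), which is how the original unchecked read was propagated in the first place. Consider hoisting the free-slot search into a single static helper in meta.h that returns the first index whose `type` is zero, or `NUM_OBJECTS (API)` when every slot is in use, and calling it from all six functions so the bound check lives in exactly one line. Any further copy of `while (objects[i].type && (i < NUM_OBJECTS (API)))` elsewhere in meta.h that this patch does not touch would still read past the table, so a search for that pattern is worth doing before merging. The `if (i == NUM_OBJECTS (API))` test that follows already handles the full-table case, so no further logic change is needed. Each enclosing function starts and ends outside its hunk.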
@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");

Attachment: fuzzed.tar.gz
Description: GNU Zip compressed data
