Package: dcraw
Version: 9.28-7

Found a memory leak in the latest version of dcraw.

Here is a transcript:
osboxes@osboxes:~/Desktop$ dcraw -g 2.2 1.0 -b 1.2 -j leak
fseek(0x5a1841ba9430, -2145648639,0): Invalid argument
osboxes@osboxes:~/Desktop$

For reference:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=memory+leak

Impact:

Memory leaks can create vulnerabilities. Attackers might exploit them
to degrade service (denial of service attacks) or infer information
about memory layouts, aiding other exploits.
Previous versions are affected as well.

Tested machine and version:

osboxes@osboxes:~/Desktop$ uname -a
Linux osboxes 6.8.0-49-generic #49-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov 4 02:06:24 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
osboxes@osboxes:~/Desktop$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
osboxes@osboxes:~/Desktop$ sudo dpkg -l | grep -i dcraw
ii dcraw 9.28-7 amd64 decode raw digital camera images
osboxes@osboxes:~/Desktop$

How to reproduce:

Use the attached file with dcraw:
dcraw -g 2.2 1.0 -b 1.2 -j leak

Reproducing using MSan and AFL:

Compiling using AFL and MemorySanitizer:
~/Desktop/AFL/AFLplusplus/afl-clang-lto -fsanitize=memory,undefined -o dcraw -O4 dcraw.c -lm -DNODEPS

Fuzzing:

/home/fuzzing-android/Desktop/AFL/AFLplusplus/afl-fuzz -m none -i in/ -o out/ -S slave3 -- ./dcraw -g 2.2 1.0 -b 1.2 -j @@

Reproducing:

fuzzing-android@fuzzingandroid:~/Desktop/dcraw_latest/dcraw_9.28.orig$ ./dcraw out/master/crashes.2024-11-20-05\:00\:07/id\:000034\,sig\:06\,src\:000466\,time\:3816438\,execs\:137174\,op\:havoc\,rep\:17
dcraw.c:315:17: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dcraw.c:315:17 in
dcraw.c:313:49: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dcraw.c:313:49 in
Uninitialized bytes in __interceptor_strncmp at offset 0 inside [0x7ffcff567c80, 1)
==334245==WARNING: MemorySanitizer: use-of-uninitialized-value
==334245==WARNING: external symbolizer didn't start up correctly!
fuzzing-android@fuzzingandroid:~/Desktop/dcraw_latest/dcraw_9.28.orig$

The compiled program and crashes are uploaded in a tar file:

dcraw.tar
<https://drive.google.com/file/d/1KYsHpkPv6CUfnwxapPzxO4g3Gy8Eih_y/view?usp=drive_web>

Attachment: leak
Description: Binary data
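The UBSan lines in the report ("left shift of 255 by 24 places cannot be represented in type 'int'", "left shift of 128 by 24 places") are the diagnostic produced when a byte that has been promoted to `int` is shifted into the sign bit. The following is an added illustration, not code from dcraw and not a claim about what dcraw.c:313 or dcraw.c:315 actually contain: it shows the generic pattern of assembling a 32-bit value from four bytes with `int` arithmetic (where any leading byte of 128 or more makes the shift undefined) next to the same computation done in `uint32_t`, which is the usual fix. The function names, the sample bytes and the `-fsanitize=undefined` flag mentioned in the comments are my assumptions; the sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Pattern that triggers the UBSan diagnostic seen in the report
 * (hypothetical, not dcraw's code). After integer promotion b[0] is an
 * int, and b[0] << 24 is only defined when b[0] < 128 (for 32-bit int).
 * Compiling with -fsanitize=undefined reports exactly this shift when a
 * leading byte of 128..255 arrives in a crafted input. Only call this with
 * b[0] < 128; it exists here to show the shape of the bug. */
int get4_promoted(const unsigned char *b)
{
    return b[0] << 24 | b[1] << 16 | b[2] << 8 | b[3];
}

/* Hardened form: each byte is widened to uint32_t before shifting, so
 * every intermediate result stays in unsigned arithmetic and no input
 * byte can cause signed overflow. */
uint32_t get4_safe(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* A leading byte of 128 or more would overflow the int-shift form:
 * 128 << 24 equals 2^31, one past INT_MAX on a 32-bit int. */
int shift_would_overflow(unsigned char b0)
{
    return b0 >= 128;
}

/* Constructed sample: a header-like field whose first byte is 0xFF, the
 * value named in the report's first UBSan line. Only the safe decoder
 * is used on it. */
uint32_t demo_unsafe_input_decoded_safely(void)
{
    static const unsigned char b[4] = { 0xFF, 0x01, 0x02, 0x03 };
    return get4_safe(b);   /* 0xFF010203 */
}

/* Constructed sample with a leading byte below 128, where both forms are
 * well defined and must agree. */
int demo_forms_agree_on_benign_input(void)
{
    static const unsigned char b[4] = { 0x7F, 0x00, 0x00, 0x01 };
    return (uint32_t)get4_promoted(b) == get4_safe(b);
}

int main(void)
{
    printf("safe decode of 0xFF010203 input: 0x%08X\n",
           (unsigned)demo_unsafe_input_decoded_safely());
    printf("leading byte 0xFF overflows int shift: %d\n",
           shift_would_overflow(0xFF));
    printf("forms agree on benign input: %d\n",
           demo_forms_agree_on_benign_input());
    return 0;
}
```

When triaging a sanitizer finding like this one, the unsigned form is the change to look for in a fix; a shift UB on its own is not a memory leak, but it is the kind of arithmetic on attacker-controlled header bytes that is worth reviewing alongside the MemorySanitizer uninitialized-read warning in the same run.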
