Heap based OOB READ in hbpldecode.c
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
foo2zjs (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
hbpldecode is used to decode an HBPL stream into human-readable form; HBPL is Host Based Printer Language. It belongs to the foo2zjs project, whose official page is http://
hbpldecode is located in the /usr/bin/ directory of Ubuntu. A heap-based OOB read will occur if hbpldecode tries to decode a crafted HBPL stream, resulting in an info leak from the heap, which is a security problem.
The problem lies in the decode2 function. When the header of the crafted file is "PS", the program allocates a "len"-byte heap chunk for mbuf and then calls print_bih(mbuf). print_bih outputs 20 bytes of information from mbuf regardless of its actual size; when the "len" read from the file is smaller than 20, this causes an out-of-bounds read.
Related code snippets:
decode2:
```c
if (header[1] == '%' && header[2] == '-') // end of file
    len = 15;
else
{
    if (header[1] == 'J' && header[2] == 'P')
        len = 60; // JP doesn't have len
    else
        len = header[3];
}
curOff += len+4;
rc = fread(buf, 1, len, fp);
//....
if (header[1] == 'P' && header[2] == 'S'){
    //...
    len = getLEdword(
    mbuf = malloc(len);
    if ( color == 1 ){
        //...
        //...
    }else{
        //...
        //...
    }
}
```
print_bih (the JBG_* constants are the JBIG-KIT option flag bits):
```c
void
print_bih(unsigned char bih[20])
{
    unsigned int xd, yd, l0;

    xd = (bih[4] << 24) | (bih[5] << 16) | (bih[6] << 8) | (bih[7] << 0);
    yd = (bih[8] << 24) | (bih[9] << 16) | (bih[10] << 8) | (bih[11] << 0);
    l0 = (bih[12] << 24) | (bih[13] << 16) | (bih[14] << 8) | (bih[15] << 0);
    printf(" DL = %d, D = %d, P = %d, - = %d, XY = %d x %d\n",
           bih[0], bih[1], bih[2], bih[3], xd, yd);
    printf(" L0 = %d, MX = %d, MY = %d\n",
           l0, bih[16], bih[17]);
    printf(" Order = %d %s%s%s%s%s\n", bih[18],
           bih[18] & JBG_HITOLO ? " HITOLO" : "",
           bih[18] & JBG_SEQ ? " SEQ" : "",
           bih[18] & JBG_ILEAVE ? " ILEAVE" : "",
           bih[18] & JBG_SMID ? " SMID" : "",
           bih[18] & 0xf0 ? " other" : "");
    printf(" Options = %d %s%s%s%
           bih[19] & JBG_LRLTWO ? " LRLTWO" : "",
           bih[19] & JBG_VLENGTH ? " VLENGTH" : "",
           bih[19] & JBG_TPDON ? " TPDON" : "",
           bih[19] & JBG_TPBON ? " TPBON" : "",
           bih[19] & JBG_DPON ? " DPON" : "",
           bih[19] & JBG_DPPRIV ? " DPPRIV" : "",
           bih[19] & JBG_DPLAST ? " DPLAST" : "",
           bih[19] & 0x80 ? " other" : "");
    printf(" %u stripes, %d layers, %d planes\n",
           ((yd >> bih[1]) + ((((1UL << bih[1]) - 1) & xd) != 0) + l0 - 1) / l0,
           bih[1] - bih[0], bih[2]);
}
```
Sanitizer output:
```text
==114006==ERROR: AddressSanitizer: heap-buffer-
READ of size 4 at 0x60200000eff4 thread T0
    #0 0x405551 in print_bih /home/bobb/
    #1 0x406937 in decode2 /home/bobb/
    #2 0x40f20b in decode /home/bobb/
    #3 0x401ea9 in main /home/bobb/
    #4 0x7fe49830882f in __libc_start_main (/lib/x86_
    #5 0x402148 in _start (/home/
0x60200000eff4 is located 3 bytes to the right of 1-byte region [0x60200000eff0
allocated by thread T0 here:
    #0 0x7fe498749602 in malloc (/usr/lib/
    #1 0x4067ba in decode2 /home/bobb/
SUMMARY: AddressSanitizer: heap-buffer-
```
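A bounds-checked version of the pattern described in the report, added here as an example (it is not code from the report or from foo2zjs). It assumes a PS record is a 4-byte little-endian length followed by the payload and uses le32() as a stand-in for getLEdword(); print_bih_checked() takes the buffer length that the original print_bih() lacks and rejects records shorter than 20 bytes instead of reading past the malloc'd chunk.

```c
#include <stdint.h>
#include <stdio.h>

#define BIH_LEN 20 /* bytes print_bih() dereferences unconditionally */

/* Little-endian 32-bit read, standing in for getLEdword (assumed). */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounds-checked BIH printer. The original print_bih() has no length
 * parameter, so decode2's len (< 20 in the crafted file) never gates the
 * 20-byte read. Returns 0 on success, -1 when len is too short. */
static int print_bih_checked(const unsigned char *bih, size_t len)
{
    unsigned int xd, yd, l0;
    if (bih == NULL || len < BIH_LEN)
        return -1;
    xd = ((unsigned)bih[4] << 24) | (bih[5] << 16) | (bih[6] << 8) | bih[7];
    yd = ((unsigned)bih[8] << 24) | (bih[9] << 16) | (bih[10] << 8) | bih[11];
    l0 = ((unsigned)bih[12] << 24) | (bih[13] << 16) | (bih[14] << 8) | bih[15];
    printf(" DL = %d, D = %d, P = %d, XY = %u x %u, L0 = %u\n",
           bih[0], bih[1], bih[2], xd, yd, l0);
    return 0;
}

/* Models the "PS" branch on an in-memory record: a 4-byte LE length then
 * len payload bytes (assumed layout). Returns -2 if the declared length
 * overruns the record, otherwise print_bih_checked()'s result. */
static int handle_ps_record(const unsigned char *rec, size_t reclen)
{
    uint32_t len;
    if (reclen < 4)
        return -2;
    len = le32(rec);
    if (len > reclen - 4)
        return -2;
    return print_bih_checked(rec + 4, len);
}

/* Constructed records: a 1-byte BIH like the crafted stream, and a full one. */
static const unsigned char short_rec[] = { 0x01, 0x00, 0x00, 0x00, 0x42 };
static const unsigned char full_rec[4 + BIH_LEN] = { BIH_LEN, 0, 0, 0,
    0, 1, 1, 0,  0, 0, 0x04, 0xb0,  0, 0, 0x06, 0x40,  0, 0, 0, 0x20,  0, 0, 0, 0 };

int ps_short(void) { return handle_ps_record(short_rec, sizeof short_rec); }
int ps_full(void)  { return handle_ps_record(full_rec, sizeof full_rec); }
```

ps_short() is the reporter's case (declared length 1, so the 20-byte read is refused with -1) and ps_full() a well-formed record that prints normally.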
Changed in foo2zjs (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Nice find. I suspect this wouldn't have actual security consequences but it would be worth fixing, if only so that future fuzz runs don't trip it again. Could you please report this to upstream (probably via http://foo2zjs.rkkda.com/forum/, I didn't see any other way to report issues to them), and link the topic here?
Thanks