You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Our fuzzer found heap buffer overflow in upng.c in the current main(1e0953f).
Following is an output of valgrind.
vuln26-patch.png is in vuln26-patch.zip
==39424== Memcheck, a memory error detector
==39424== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.==39424== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info==39424== Command: ./build/bin/lws-api-test-upng --stdin ../crash/vuln26-patch.png==39424==[2024/05/15 12:23:14:0930] U: LWS UPNG test tool==39424== Invalid write of size 1==39424== at 0x1193DC: unfilter_scanline (upng.c:209)==39424== by 0x11977E: lws_upng_emit_next_line (upng.c:269)==39424== by 0x113575: main (main.c:97)==39424== Address 0x4f85260 is 0 bytes after a block of size 33,280 alloc'd
==39424== at 0x48487A9: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==39424== by 0x1645DD: _realloc (alloc.c:151)
==39424== by 0x16467F: lws_realloc (alloc.c:207)
==39424== by 0x11A1A3: lws_upng_decode (upng.c:496)
==39424== by 0x1195B7: lws_upng_emit_next_line (upng.c:249)
==39424== by 0x113575: main (main.c:97)
==39424==
[2024/05/15 12:23:14:1709] N: main: wrote 0
[2024/05/15 12:23:14:1732] E: unfilter_scanline: line start is broken 125
[2024/05/15 12:23:14:1738] E: main: emit returned FATAL 13
[2024/05/15 12:23:14:1752] U: Completed: FAIL
==39424==
==39424== HEAP SUMMARY:
==39424== in use at exit: 0 bytes in 0 blocks
==39424== total heap usage: 7 allocs, 7 frees, 41,084 bytes allocated
==39424==
==39424== All heap blocks were freed -- no leaks are possible
==39424==
==39424== For lists of detected and suppressed errors, rerun with: -s
==39424== ERROR SUMMARY: 8 errors from 1 contexts (suppressed: 0 from 0)
Also, the PR of #3134 was found to be inadequate as a check for interger overflow.
For example, when bypl * 2 causes interger overflow, heap BOF occurs as when width = 0
The bypp check is in the determine_format function, so we need a check for width and a more rigorous check for integer overflow in the ims calculation.
Our fuzzer found heap buffer overflow in upng.c in the current main(1e0953f).
Following is an output of valgrind.
vuln26-patch.png is in vuln26-patch.zip
libwebsockets/lib/misc/upng.c
Lines 464 to 465 in 1e0953f
The code is built on the assumption that
bypl
>bypp
, but by specifyingwidth
= 0, we can create a situation wherebypp
<bypl
.libwebsockets/lib/misc/upng.c
Line 485 in 1e0953f
libwebsockets/lib/misc/upng.c
Line 496 in 1e0953f
While the size of the heap area is specified using
bypl
as above, some writes are done based onbypp
, resulting in a heap BOF.For example, in the following code flow.
libwebsockets/lib/misc/upng.c
Line 503 in 1e0953f
libwebsockets/lib/misc/upng.c
Lines 262 to 264 in 1e0953f
libwebsockets/lib/misc/upng.c
Lines 208 to 210 in 1e0953f
OOB happens with the writing of
uf->recon[i]
Also, the PR of #3134 was found to be inadequate as a check for interger overflow.
For example, when
bypl * 2
causes interger overflow, heap BOF occurs as when width = 0The
bypp
check is in thedetermine_format
function, so we need a check forwidth
and a more rigorous check for integer overflow in theims
calculation.libwebsockets/lib/misc/upng.c
Lines 303 to 304 in 1e0953f
Ricerca Security, Inc.
The text was updated successfully, but these errors were encountered: