Tested Version:
libextractor v1.4
Details:
In function stndup at png_extractor.c
44 static char *
45 stndup (const char *str,
46 size_t n)
47 {
48 char *tmp;
49
50 if (NULL == (tmp = malloc (n + 1)))
51 return NULL;
52 tmp[n] = '\0';
53 memcpy (tmp, str, n);
54 return tmp;
55 }
Crash Information:
The output with address sanitizer enabled
./extract -i extract-stndup-png_extractor-50.crash
Keywords for file extract-stndup-png_extractor-50.crash:
mimetype - image/png
image dimensions - 1996488748x44
=================================================================
==15728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000cf2f at pc 0x7fc6a2b34662 bp 0x7ffe53360770 sp 0x7ffe53360760
WRITE of size 1 at 0x60200000cf2f thread T0
#0 0x7fc6a2b34661 in stndup /root/libextractor-1.4/src/plugins/png_extractor.c:52
#1 0x7fc6a2b35078 in processiTXt /root/libextractor-1.4/src/plugins/png_extractor.c:226
#2 0x7fc6a2b36ba3 in EXTRACTOR_png_extract_method /root/libextractor-1.4/src/plugins/png_extractor.c:479
#3 0x7fc6a74d4792 in do_extract /root/libextractor-1.4/src/main/extractor.c:577
#4 0x7fc6a74d4b98 in EXTRACTOR_extract /root/libextractor-1.4/src/main/extractor.c:655
#5 0x4044c9 in main /root/libextractor-1.4/src/main/extract.c:977
#6 0x7fc6a710f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)
0x60200000cf2f is located 1 bytes to the left of 1-byte region [0x60200000cf30,0x60200000cf31)
allocated by thread T0 here:
#0 0x7fc6a77cd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7fc6a2b3460f in stndup /root/libextractor-1.4/src/plugins/png_extractor.c:50
#2 0x7fc6a2b35078 in processiTXt /root/libextractor-1.4/src/plugins/png_extractor.c:226
#3 0x7fc6a2b36ba3 in EXTRACTOR_png_extract_method /root/libextractor-1.4/src/plugins/png_extractor.c:479
#4 0x7fc6a74d4792 in do_extract /root/libextractor-1.4/src/main/extractor.c:577
#5 0x7fc6a74d4b98 in EXTRACTOR_extract /root/libextractor-1.4/src/main/extractor.c:655
#6 0x4044c9 in main /root/libextractor-1.4/src/main/extract.c:977
#7 0x7fc6a710f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libextractor-1.4/src/plugins/png_extractor.c:52 stndup
Shadow bytes around the buggy address:
0x0c047fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff99d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff99e0: fa fa fa fa fa[fa]01 fa fa fa fd fa fa fa fd fd
0x0c047fff99f0: fa fa 00 00 fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff9a00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9a10: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fa
0x0c047fff9a20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9a30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==15728==ABORTING
CREDIT
Zhao Liang, Huawei Weiran Labs
Attachment is POC file