
Bugs/vulnerabilities found in hicolor v0.5.0 #5

Open
Helson-S opened this issue May 30, 2024 · 1 comment

Helson-S commented May 30, 2024

Summary

Hi, I did some fuzz testing and found some bugs/vulnerabilities in hicolor v0.5.0. I hope these findings will help improve software quality.

These bugs/vulnerabilities are mainly caused by the unsafe component cute_png.h v1.05. According to my analysis, because the compilation environment of hicolor is inconsistent with the official compilation environment of cute_png.h v1.05, not all bugs in cute_png.h affect hicolor. The bugs/vulnerabilities listed below can truly affect hicolor v0.5.0.

All of the bugs/vulnerabilities are triggered with no assertion raised. This means that these bugs/vulnerabilities are unexpected behaviors of the program.

hicolor: https://github.com/dbohdan/hicolor

cute_headers: https://github.com/RandyGaul/cute_headers

See also https://github.com/Helson-S/FuzzyTesting/tree/master/hicolor

heapof-r1-cp_unfilter-cute_png-1019c11

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_unfilter() at line 1019 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample6.png ./output.hic && rm -f ./output.hic

Screenshot (image not included in this text)

heapof-r65280-cp_stored-cute_png-543c2

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_stored() at line 543 of vendor/cute_png.h v1.05. What's more, sample10.png provided as the attack vector causes double-free heap memory corruption in function cp_load_png_mem() at line 1194 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample10.png ./output.hic && rm -f ./output.hic

Screenshot: heap-buffer-overflow (image not included in this text)

Screenshot: double-free heap memory corruption (two images not included in this text)

heapof-w1-cp_block-cute_png-623c12

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 623 of vendor/cute_png.h v1.05. What's more, sample11.png provided as the attack vector causes double-free heap memory corruption in function cp_load_png() at line 1216 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample11.png ./output.hic && rm -f ./output.hic

Screenshot: heap-buffer-overflow (image not included in this text)

Screenshot: double-free heap memory corruption (two images not included in this text)

heapof-w1-png_quantize-cli-220c32

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function png_quantize() at line 220 of cli.c v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor quantize -n ./poc/sample18.png ./output.hic && rm -f ./output.hic

Screenshot (image not included in this text)

heapof-w16-cp_block-cute_png-644c37

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 644 of vendor/cute_png.h v1.05. What's more, sample12.png provided as the attack vector causes unmap-invalid-pointer memory corruption in function cp_load_png_mem() at line 1189 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample12.png ./output.hic && rm -f ./output.hic

Screenshot: heap-buffer-overflow (image not included in this text)

Screenshot: unmap invalid pointer (two images not included in this text)

heapof-w98-cp_block-5c0-cute_png-642c5

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 642 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample13.png ./output.hic && rm -f ./output.hic

Screenshot (two images not included in this text)

stkof-w133-cp_dynamic-cute_png-603

Description

Stack-buffer-overflow bug/vulnerability caused by write access found in function cp_dynamic() at line 603 of vendor/cute_png.h v1.05. It will lead to control flow hijacking.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample16.png ./output.hic && rm -f ./output.hic

Screenshot (two images not included in this text)
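A reproduction harness, added here as an example and not part of the issue or of the hicolor project: it rebuilds hicolor with AddressSanitizer and runs each PoC command from the report in turn, keeping every sanitizer report as a per-sample text log that can be pasted into a code block instead of a screenshot. It assumes (hypothetically) that hicolor's Makefile honours CFLAGS/LDFLAGS, that the binary is ./hicolor, and that ./poc/ holds the sample files named above.

```shell
#!/bin/sh
# Added example (not from the issue or hicolor): rebuild hicolor with ASan and
# run each PoC from the report, keeping every sanitizer report as a text log.
# Assumed (hypothetical): the Makefile honours CFLAGS/LDFLAGS, the binary is
# ./hicolor, and ./poc/ holds the sample files named in the issue.

# One "subcommand flag sample" triple per finding in the report.
poc_cases() {
  cat <<'EOF'
encode -a sample6.png
encode -a sample10.png
encode -a sample11.png
quantize -n sample18.png
encode -a sample12.png
encode -a sample13.png
encode -a sample16.png
EOF
}

# Rebuild with ASan; frame pointers keep the stack traces readable.
build_asan() {
  make clean >/dev/null 2>&1 || true
  make CFLAGS="-g -O1 -fsanitize=address -fno-omit-frame-pointer" \
       LDFLAGS="-fsanitize=address"
}

# Run one PoC; ASan reports go to stderr, kept in a per-sample log.
# Returns 0 when a sanitizer report was produced (the bug reproduced).
run_case() {
  sub="$1"; flag="$2"; sample="$3"; log="asan-${sample%.png}.log"
  ASAN_OPTIONS=detect_leaks=0 \
    ./hicolor "$sub" "$flag" "./poc/$sample" ./output.hic 2>"$log"
  rm -f ./output.hic
  grep -q "AddressSanitizer" "$log"
}

# Build once, then try every case and summarise which ones reproduced.
main() {
  build_asan || return 1
  poc_cases | while read -r sub flag sample; do
    if run_case "$sub" "$flag" "$sample"; then
      echo "REPRODUCED  $sample -> asan-${sample%.png}.log"
    else
      echo "no report   $sample"
    fi
  done
}

# Run only when the PoC directory exists, so the file can also be sourced.
if [ -d ./poc ]; then main; fi
```

Run it from the hicolor source tree; each reproduced case leaves an asan-<sample>.log whose contents are the plain-text report the maintainer asks for.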

dbohdan (Owner) commented May 30, 2024

Thanks for the report. I will look into the stack overflow in png_quantize. As for cute_png, like RandyGaul/cute_headers#381 (comment) says, it is not designed for untrusted input. I should note this in the readme. I may eventually address the insecurity of cute_png by replacing it with another library.

An accessibility suggestion: it would be better if your screenshots were code blocks. If you don't want code blocks making your issue too long, hide them inside <details> tags.

dbohdan added a commit that referenced this issue May 30, 2024