Package: dmg2img
Version: 1.6.5-1
Severity: important
Tags: security

The attached sample file crashes dmg2img. The sample was produced by fuzzing with
american fuzzy lop <http://lcamtuf.coredump.cx/afl/>. Both traces below point at
the same fault: gdb stops in the convert_char4() call at dmg2img.c:390, and
Valgrind reports the read as an invalid access of address 0x0 (a NULL pointer
dereference) at dmg2img.h:81. Feel free to contact me in case you need more
information. I was unable to find an upstream bug tracker for this software.

c2ad4e5aa15856d3dfb1527b6a5a3fd07958830c  sample01.dmg

gdb:

"""
dmg2img v1.6.5 (c) vu1tur (t...@vu1tur.eu.org)

sample01.dmg --> sample01.img


decompressing:
opening partition 0 ...
Program received signal SIGSEGV, Segmentation fault.
main (argc=<optimized out>, argv=<optimized out>) at dmg2img.c:390
390                             block_type = convert_char4((unsigned char 
*)parts[i].Data + offset);
(gdb) bt full
#0  main (argc=<optimized out>, argv=<optimized out>) at dmg2img.c:390
        bi = <optimized out>
        i = <optimized out>
        err = <optimized out>
        partnum = 1
        tmp = 0x7ffff7ed8010 ""
        otmp = 0x7ffff7529010 ""
        dtmp = 0x7ffff7428010 ""
        input_file = <optimized out>
        output_file = 0x610010 "sample01.img"
        plist = 0x6104b0 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE 
plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" 
\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\";>\n<plist 
version=\"1.0\">\n<dict>\n\t<key>resource-fork</key>\n\t<d"...
        blkx = 0x612300 
"<key>blkx</key>\n\t\t<array>\n\t\t\t<dict>\n\t\t\t\t<key>Attributes</key>\n\t\t\t\t<string>0x0050</string>\n\t\t\t\t<key>CFName</key>\n\t\t\t\t<string>Protective
 Master Boot Record (MBR : 0)</string>\n\t\t\t\t<key>Data</key>\n\t\t\t\t<da"...
        blkx_size = <optimized out>
        parts = 0x613970
        data_begin = <optimized out>
        data_end = <optimized out>
        partname_begin = <optimized out>
        partname_end = <optimized out>
        mish_begin = <optimized out>
        partname = '\000' <repeats 254 times>
        data_size = <optimized out>
        out_offs = <optimized out> 
        out_size = <optimized out>
        in_offs = 0
        in_size = <optimized out>
        in_offs_add = 0
        add_offs = 0
        to_read = <optimized out>
        to_write = <optimized out>
        chunk = <optimized out>
        reserved = "    "
        sztype = '\000' <repeats 63 times>
        block_type = <optimized out>
        szSignature = "koly"
        rSignature = <optimized out>
        __PRETTY_FUNCTION__ = "main"
#1  0x00007ffff7648ead in __libc_start_main (main=<optimized out>, 
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, 
fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffe5a8) at libc-start.c:244
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 5332225185369646181, 
4226116, 140737488348592, 0, 0, -5332225186142264219, -5332208876894198683}, 
mask_was_saved = 0}}, priv = {
            pad = {0x0, 0x0, 0x40e7c0, 0x7fffffffe5b8}, data = {prev = 0x0, 
cleanup = 0x0, canceltype = 4253632}}}
        not_first_call = <optimized out>
#2  0x0000000000407c6d in _start ()
No symbol table info available.
"""

Valgrind:

"""
==18211== Memcheck, a memory error detector
==18211== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==18211== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==18211== Command: dmg2img sample01.dmg
==18211== 

dmg2img v1.6.5 (c) vu1tur (t...@vu1tur.eu.org)

sample01.dmg --> sample01.img


decompressing:
opening partition 0 ...                    ==18211== Invalid read of size 1
==18211==    at 0x4046ED: main (dmg2img.h:81)
==18211==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18211== 
==18211== 
==18211== Process terminating with default action of signal 11 (SIGSEGV)
==18211==  Access not within mapped region at address 0x0
==18211==    at 0x4046ED: main (dmg2img.h:81)
==18211==  If you believe this happened as a result of a stack
==18211==  overflow in your program's main thread (unlikely but
==18211==  possible), you can try to increase the size of the
==18211==  main thread stack using the --main-stacksize= flag.
==18211==  The main thread stack size used in this run was 8388608.
==18211== 
==18211== HEAP SUMMARY:
==18211==     in use at exit: 3,160,989 bytes in 10 blocks
==18211==   total heap usage: 10 allocs, 0 frees, 3,160,989 bytes allocated
==18211== 
==18211== LEAK SUMMARY:
==18211==    definitely lost: 431 bytes in 1 blocks
==18211==    indirectly lost: 0 bytes in 0 blocks
==18211==      possibly lost: 0 bytes in 0 blocks
==18211==    still reachable: 3,160,558 bytes in 9 blocks
==18211==         suppressed: 0 bytes in 0 blocks
==18211== Rerun with --leak-check=full to see details of leaked memory
==18211== 
==18211== For counts of detected and suppressed errors, rerun with: -v
==18211== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
Segmentation fault
"""

-- 
Henri Salo

Attachment: sample01.dmg
Description: application/apple-diskimage

Signature:              0x6B6F6C79 (koly)
Version:                0x00000004
HeaderSize:             0x00000200
Flags:                  0x00000001
RunningDataForkOffset:  0x0000000000000000
DataForkOffset:         0x0000000000000000
DataForkLength:         0x000000000000469C
RsrcForkOffset:         0x0000000000000000
RsrcForkLength:         0x0000000000000000
SegmentNumber:          0x00000000
SegmentCount:           0x00000000
SegmentID:              0x00000000000000000000000000000000
DataForkChecksumType:   0x00000000 
DataForkChecksum:       0x00000000
XMLOffset:              0x000000000000469C
XMLLength:              0x0000000000001E3C
MasterChecksumType:     0x00000002 CRC-32
MasterChecksum:         0xEA52F304
ImageVariant:           0x00000001
SectorCount:            0x0000000000004BD1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
        <key>resource-fork</key>
        <dict>
                <key>blkx</key>
                <array>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>CFName</key>
                                <string>Protective Master Boot Record (MBR : 
0)</string>
                                <key>Data</key>
                                <data>
                                �WlzaAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAA
                                AAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAIAAAAgsOF5gwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAACgAAABQAAAAsAAAAAAAAAAAAAAAAAAAABAAAA
                                AAAAFwwAAAAAAAAAH/////8AAAAAAAAAAAAAAAEAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAA=
                                </data>
                                <key>ID</key>
                                <string>-1</string>
                                <key>Name</key>
                                <string>Protective Master Boot Record (MBR : 
0)</string>
                        </dict>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>CFName</key>
                                <string>GPT Header (Primary GPT Header : 
1)</string>
                                <key>Data</key>
                                <data>
                                bWlzaAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAA
                                AAgIAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAIAAAAgMIi6gwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAACgAAABQAAAAcAAAAAAAAAAAAAAAAAAAABAAAA
                                AAAAFsAAAAAAAAAATP////8AAAAAAAAAAAAAAAEAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAA=
                                </data>
                                <key>ID</key>
                                <string>0</string>
                                <key>Name</key>
                                <string>GPT Header (Primary GPT Header : 
1)</string>
                        </dict>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>CFName</key>
                                <string>GPT Partition Data (Primary GPT Table : 
2)</string>
                                <key>Data</key>
                                <data>
                                bWlzaAAAAAEAAAAAAAAAAgAAAAAAAAAgAAAAAAAAAAAA
                                AAgIAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAIAAAAgQqxw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAACgAAABQAAAE8AAAAAAAAAAAAAAAAAAAAgAAAA
                                AAAAAAAAAAAAAAAAsf////8AAAAAAAAAAAAAACAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAA=
                                </data>
                                <key>ID</key>
                                <string>1</string>
                                <key>Name</key>
                                <string>GPT Partition Data (Primary GPT Table : 
2)</string>
                        </dict>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>CFName</key>
                                <string> (Apple_Free : 3)</string>
                                <key>Data</key>
                                <data>
                                bWlzaAAAAAEAAAAAAAAAIgAAAAAAAAAGAAAAAAAAAAAA
                                AAgIAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAIAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAACAAAAAgAAAE8AAAAAAAAAAAAAAAAAAAAGAAAA
                                AAAAALEAAAAAAAAAAP////8AAAAAAAAAAAAAAAYAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAA=
                                </data>
                                <key>ID</key>
                                <string>2</string>
                                <key>Name</key>
                                <string> (Apple_Free : 3)</string>
                        </dict>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>CFName</key>
                                <string>disk image (Apple_HFS : 4)</string>
                                <key>Data</key>
                                <data>
                                bWlzaAAAAAEAAAAAAAAAKAAAAAAAAEuIAAAAAAAAAAAA
                                AAgIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAIAAAAgyxW3agAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAALgAAABQAAAE8AAAAAAAAAAAAAAAAAAAfaAAAA
                                AAAAMG8AAAAAAAAWLQAAAAAAAAAAAAAAAAAAB9oAAAAA
                                AAAAJgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAgAAAAAAAAAAuAAAAAAAAAAAAAAAAAAAAAAgAAABQAA
                                ACcAAAAAAAAK4AAAAAAAAASYAAAAAAAAASMAAAAAAAAP
                                7wAAAAIAAAAnAAAAAAAAD3gAAAAAAAADaAAAAAAAABcr
                                AAAAAAAAAAAAAAACAAAAAAAAAAAAABLgAAAAAAAAOJgA
                                AAAAAAAAAAAAAAAAAAAAgAAABQAAAA0AAAAAAABLeAAA
                                AAAAAAAIAAAAAAAAERIAAAAAAAAARQAAAAIAAAANAAAA
                                AAAAS4AAAAAAAAAABgAAAAAAAACxAAAAAAAAAACAAAAF
                                AAAADQAAAAAAAEuGAAAAAAAAAAEAAAAAAAARVwAAAAAA
                                AACFAAAAAgAAAA0AAAAAAABLhwAAAAAAAAABAAAAAAAA
                                ALEAAAAAAAAAAP////8AAAAAAAAAAAAAS4gAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAA=
                                </data>
                                <key>ID</key>
                                <string>3</string>
                                <key>Name</key>
                                <string>disk image (Apple_HFS : 4)</string>
                        </dict>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>CFName</key>
                                <string>GPT Partition Data (Backup GPT Table : 
5)</string>
                                <key>Data</key>
                                <data>
                                bWlzaAAAAAEAAAAAAABLsAAAAAAAAAAgAAAAAAAAAAAA
                                AAgIAAAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAIAAAAgQqxw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAACgAAABQAAAA0AAAAAAAAAAAAAAAAAAAAgAAAA
                                AAAAL5AAAAAAAAAAsf////8AAAAAAAAAAAAAACAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAA=
                                </data>
                                <key>ID</key>
                                <string>4</string>
                                <key>Name</key>
                                <string>GPT Partition Data (Backup GPT Table : 
5)</string>
                        </dict>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>CFName</key>
                                <string>GPT Header (Backup GPT Header : 
6)</string>
                                <key>Data</key>
                                <data>
                                bWlzaAAAAAEAAAAAAABL0AAAAAAAAAABAAAAAAAAAAAA
                                AAgIAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAIAAAAg2iuEDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAACgAAABQAAAA0AAAAAAAAAAAAAAAAAAAABAAAA
                                AAAAANUAAAAAAAAATv////8AAAAAAAAAAAAAAAEAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAA=
                                </data>
                                <key>ID</key>
                                <string>5</string>
                                <key>Name</key>
                                <string>GPT Header (Backup GPT Header : 
6)</string>
                        </dict>
                </array>
                <key>plst</key>
                <array>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>Data</key>
                                <data>
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                AAAAAAAAAAAAAAAAAAAAAAAAA
