Package: dmg2img Version: 1.6.5-1 Severity: important Tags: security Following attached sample file crashes dmg2img. Sample file is fuzzed with american fuzzy lop <http://lcamtuf.coredump.cx/afl/>. Feel free to contact me in case you need more information. I was unable to find upstream bug tracker for this software.
6af60c14615c625c893055639e43588b0a2ada27 sample03.dmg
gdb:
"""
(gdb) bt full
#0 convert_char8 (c=0x18 <Address 0x18 out of bounds>) at dmg2img.h:87
No locals.
#1 0x000000000040652c in main (argc=<optimized out>, argv=<optimized out>) at
dmg2img.c:602
bi = 2
i = <optimized out>
err = <optimized out>
partnum = 2
tmp = 0x7ffff7ed8010
"x\001c`\030\005C8\004\376\375\377\377\016\210\031\201^\270\340M\272?BW\001"
otmp = 0x7ffff7529010 ""
dtmp = 0x7ffff7428010 ""
input_file = <optimized out>
output_file = 0x610010 "sample03.img"
plist = 0x6106f0 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE
plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\"
\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\";>\n<plist
version=\"1.0\">\n<dict>\n\t<key>resource-fork</key>\n\t<d"...
blkx = 0x612540
"<key>blkx</key>\n\t\t<array>\n\t\t\t<dict>\n\t\t\t\t<key>Attributes</key>\n\t\t\t\t<string>0x0050</string>\n\t\t\t\t<key>CFName</key>\n\t\t\t\t<string>Protective
Master Boot Record (MBR : 0)</string>\n\t\t\t\t<key>Data</key>\n\t\t\t\t<da"...
blkx_size = <optimized out>
parts = 0x613bb0
data_begin = <optimized out>
data_end = <optimized out>
partname_begin = <optimized out>
partname_end = <optimized out>
mish_begin = <optimized out>
partname = "Protective Master Boot Record (MBR : 0)", '\000' <repeats
215 times>
data_size = <optimized out>
out_offs = 512
out_size = <optimized out>
in_offs = 0
in_size = <optimized out>
in_offs_add = 5931
add_offs = 0
to_read = <optimized out>
to_write = <optimized out>
chunk = <optimized out>
reserved = "\000\000\000\000"
sztype = "terminator", '\000' <repeats 53 times>
block_type = <optimized out>
szSignature = "koly"
rSignature = <optimized out>
__PRETTY_FUNCTION__ = "main"
#2 0x00007ffff7648ead in __libc_start_main (main=<optimized out>,
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeae8) at
libc-start.c:244
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 182417149197695999,
4226116, 140737488349936, 0, 0, -182417149843850241, -182398364605858817},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x40e7c0, 0x7fffffffeaf8}, data
= {
prev = 0x0, cleanup = 0x0, canceltype = 4253632}}}
not_first_call = <optimized out>
#3 0x0000000000407c6d in _start ()
No symbol table info available.
"""
valgrind:
"""
==22115== Memcheck, a memory error detector
==22115== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==22115== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==22115== Command: /home/fgeek/temp/dmg2img/usr/bin/dmg2img -v -V -d
sample03.dmg
==22115==
dmg2img v1.6.5 (c) vu1tur (t...@vu1tur.eu.org)
sample03.dmg --> sample03.img
Debug info will be written to dmg2img.log
reading property list, 7740 bytes from address 18076 ...
bWlzaAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAA
AAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAIAAAAgsOF5gwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAACgAAABQAAAAsAAAAAAAAAAAAAAAAAAAABAAAA
AAAAFwwAAAAAAAAAH/////8AAAAAAAAAAAAAAAEAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA=
partition 0: begin=203, size=430, decoded=284
I bWlzaAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAA
AAgIAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAIAAAAgMIi6gwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAACgAAABQAAAAcAAAAAAAAAAAAAAAAAAAABAAAA
AAAAFsAAAAAAAAAATP////8AAAAAAAAAAAAAAAEAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA=
decompressing:
opening partition 0 ...
offset = 0 block_type = 0x80000005
zlib inflate (in_addr=5900 in_size=31 out_addr=0 out_size=512)
[1] 50.00%
offset = 40 block_type = 0xffffffff
==22115== Invalid read of size 1
==22115== at 0x407ED8: convert_char8 (dmg2img.h:81)
==22115== by 0x40652B: main (dmg2img.c:602)
==22115== Address 0x18 is not stack'd, malloc'd or (recently) free'd
==22115==
==22115==
==22115== Process terminating with default action of signal 11 (SIGSEGV)
==22115== Access not within mapped region at address 0x18
==22115== at 0x407ED8: convert_char8 (dmg2img.h:81)
==22115== by 0x40652B: main (dmg2img.c:602)
==22115== If you believe this happened as a result of a stack
==22115== overflow in your program's main thread (unlikely but
==22115== possible), you can try to increase the size of the
==22115== main thread stack using the --main-stacksize= flag.
==22115== The main thread stack size used in this run was 8388608.
==22115==
==22115== HEAP SUMMARY:
==22115== in use at exit: 3,161,849 bytes in 12 blocks
==22115== total heap usage: 15 allocs, 3 frees, 3,169,644 bytes allocated
==22115==
==22115== LEAK SUMMARY:
==22115== definitely lost: 511 bytes in 2 blocks
==22115== indirectly lost: 0 bytes in 0 blocks
==22115== possibly lost: 0 bytes in 0 blocks
==22115== still reachable: 3,161,338 bytes in 10 blocks
==22115== suppressed: 0 bytes in 0 blocks
==22115== Rerun with --leak-check=full to see details of leaked memory
==22115==
==22115== For counts of detected and suppressed errors, rerun with: -v
==22115== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
Segmentation fault
"""
--
Henri Salo
sample03.dmg
Description: application/apple-diskimage
Signature: 0x6B6F6C79 (koly) Version: 0x00000004 HeaderSize: 0x00000200 Flags: 0x00000001 RunningDataForkOffset: 0x0000000000000000 DataForkOffset: 0x0000000000000000 DataForkLength: 0x000000000000469C RsrcForkOffset: 0x0000000000000000 RsrcForkLength: 0x0000000000000000 SegmentNumber: 0x00000000 SegmentCount: 0x00000000 SegmentID: 0x00000000000000000000000000000000 DataForkChecksumType: 0x00000000 DataForkChecksum: 0x00000000 XMLOffset: 0x000000000000469C XMLLength: 0x0000000000001E3C MasterChecksumType: 0x00000002 CRC-32 MasterChecksum: 0xEA52F304 ImageVariant: 0x00000001 SectorCount: 0x0000000000004BD1 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";> <plist version="1.0"> <dict> <key>resource-fork</key> <dict> <key>blkx</key> <array> <dict> <key>Attributes</key> <string>0x0050</string> <key>CFName</key> <string>Protective Master Boot Record (MBR : 0)</string> <key>Data</key> <data> bWlzaAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAA AAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAIAAAAgsOF5gwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAACgAAABQAAAAsAAAAAAAAAAAAAAAAAAAABAAAA AAAAFwwAAAAAAAAAH/////8AAAAAAAAAAAAAAAEAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA= </data> <key>ID</key> <string>-1</string> <key>Name</key> <string>Protective Master Boot Record (MBR : 0)</string> </dict> <dict> <key>Attributes</key> <string>0x0050</string> <key>CFName</key> <string>GPT Header (Primary GPT Header : 1)</string> <key>Data</key> <data> I bWlzaAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAA AAgIAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAIAAAAgMIi6gwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAACgAAABQAAAAcAAAAAAAAAAAAAAAAAAAABAAAA AAAAFsAAAAAAAAAATP////8AAAAAAAAAAAAAAAEAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA= </data> <key>ID</key> <string>0</string> <key>Name</key> <string>GPT Header (Primary GPT Header : 1)</string> </dict> <dict> <key>Attributes</key> <string>0x0050</string> <key>CFName</key> <string>GPT Partition Data (Primary GPT Table : 2)</string> <key>Data</key> <data> bWlzaAAAAAEAAAAAAAAAAgAAAAAAAAAgAAAAAAAAAAAA AAgIAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAIAAAAgQqxw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAACgAAABQAAAE8AAAAAAAAAAAAAAAAAAAAgAAAA AAAAAAAAAAAAAAAAsf////8AAAAAAAAAAAAAACAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA= </data> <key>ID</key> <string>1</string> <key>Name</key> <string>GPT Partition Data (Primary GPT Table : 2)</string> </dict> <dict> <key>Attributes</key> <string>0x0050</string> <key>CFName</key> <string> (Apple_Free : 3)</string> <key>Data</key> <data> bWlzaAAAAAEAAAAAAAAAIgAAAAAAAAAGAAAAAAAAAAAA AAgIAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAIAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAACAAAAAgAAAE8AAAAAAAAAAAAAAAAAAAAGAAAA AAAAALEAAAAAAAAAAP////8AAAAAAAAAAAAAAAYAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA= </data> <key>ID</key> <string>2</string> <key>Name</key> <string> (Apple_Free : 3)</string> </dict> <dict> <key>Attributes</key> <string>0x0050</string> <key>CFName</key> <string>disk image (Apple_HFS : 4)</string> <key>Data</key> <data> bWlzaAAAAAEAAAAAAAAAKAAAAAAAAEuIAAAAAAAAAAAA AAgIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAIAAAAgyxW3agAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAALgAAABQAAAE8AAAAAAAAAAAAAAAAAAAfaAAAA AAAAMG8AAAAAAAAWLQAAAAAAAAAAAAAAAAAAB9oAAAAA AAAAJgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAgAAAAAAAAAAuAAAAAAAAAAAAAAAAAAAAAAgAAABQAA ACcAAAAAAAAK4AAAAAAAAASYAAAAAAAAASMAAAAAAAAP 7wAAAAIAAAAnAAAAAAAAD3gAAAAAAAADaAAAAAAAABcr AAAAAAAAAAAAAAACAAAAAAAAAAAAABLgAAAAAAAAOJgA AAAAAAAAAAAAAAAAAAAAgAAABQAAAA0AAAAAAABLeAAA AAAAAAAIAAAAAAAAERIAAAAAAAAARQAAAAIAAAANAAAA AAAAS4AAAAAAAAAABgAAAAAAAACxAAAAAAAAAACAAAAF AAAADQAAAAAAAEuGAAAAAAAAAAEAAAAAAAARVwAAAAAA AACFAAAAAgAAAA0AAAAAAABLhwAAAAAAAAABAAAAAAAA ALEAAAAAAAAAAP////8AAAAAAAAAAAAAS4gAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAA= </data> <key>ID</key> <string>3</string> <key>Name</key> <string>disk image (Apple_HFS : 4)</string> </dict> <dict> <key>Attributes</key> <string>0x0050</string> <key>CFName</key> <string>GPT Partition Data (Backup GPT Table : 5)</string> <key>Data</key> <data> bWlzaAAAAAEAAAAAAABLsAAAAAAAAAAgAAAAAAAAAAAA AAgIAAAABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAIAAAAgQqxw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAACgAAABQAAAA0AAAAAAAAAAAAAAAAAAAAgAAAA AAAAL5AAAAAAAAAAsf////8AAAAAAAAAAAAAACAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA= </data> <key>ID</key> <string>4</string> <key>Name</key> <string>GPT Partition Data (Backup GPT Table : 5)</string> </dict> <dict> <key>Attributes</key> <string>0x0050</string> <key>CFName</key> <string>GPT Header (Backup GPT Header : 6)</string> <key>Data</key> <data> bWlzaAAAAAEAAAAAAABL0AAAAAAAAAABAAAAAAAAAAAA AAgIAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAIAAAAg2iuEDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAACgAAABQAAAA0AAAAAAAAAAAAAAAAAAAABAAAA AAAAANUAAAAAAAAATv////8AAAAAAAAAAAAAAAEAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA= </data> <key>ID</key> <string>5</string> <key>Name</key> <string>GPT Header (Backup GPT Header : 6)</string> </dict> </array> <key>plst</key> <array> <dict> <key>Attributes</key> <string>0x0050</string> <key>Data</key> <data> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA </data> <key>ID</key> <string>0</string> <key>Name</key> <string></string> </dict> </array> </dict> </dict> </plist> run..... ..type.... ..reserved ..sectorStart..... ..sectorCount..... ..compOffset...... ..compLength...... 0x00000000 0x80000005 0x0000000B 0x0000000000000000 0x0000000000000001 0x000000000000170C 0x000000000000001F zlib 0x00000001 0xFFFFFFFF 0x00000000 0x0000000000000001 0x0000000000000000 0x0000000000000000 0x0000000000000000 terminator
