In libpano13-2.9.20 there is an out-of-bounds read bug. The bug is in the function panoParserFindOLine() in parser.c.

Line 2494 calls strchr; the returned pointer is NULL, and then `ptr++` makes it 0x1.

```
2494 ptr = strchr(ptr, '\n'); // ptr=0x00007fffffffe1f8 → 0x0000000000000000
→ 2495 ptr++;
```

So at line 2467, `*ptr` (0x01) cannot be accessed, which results in an out-of-bounds read and a crash.

```
// ptr=0x00007fffffffe1f8 → 0x0000000000000001
→ 2466 while (ptr != NULL) {
● 2467 if (*ptr == 'o') {
```

The backtrace:

```
──── source:parser.c+2467 ────────────
2462 int count = 0;
2463
2464
2465 ptr = script;
2466 while (ptr != NULL) {
// ptr=0x00007fffffffe1f8 → 0x0000000000000001
●→ 2467 if (*ptr == 'o') {
2468 if (count == index) {
2469 // we have found it
2470 int length;
2471 char *temp;
2472 char *result;
───────── threads ──────────────────
[#0] Id 1, Name: "PTinfo", stopped 0x7ffff7f4effa in panoParserFindOLine (), reason: SIGSEGV
─────── trace ─────────────────
[#0] 0x7ffff7f4effa → panoParserFindOLine(script=0x55555555c030 "\006", index=0x0)
[#1] 0x7ffff7fa4019 → panoTiffDisplayInfo(fileName=0x5555555596b0 "./crashes/id:000000,sig:11,src:000003,time:5466,op:flip1,pos:4679")
[#2] 0x555555555410 → main(argc=0x2, argv=0x7fffffffe388)
───────────────────────────────
```

I am not sure whether the following patch is suitable:

```
--- a/parser.c
+++ b/parser.c
@@ -2492,6 +2492,10 @@
 }
 // find next beginning of line
 ptr = strchr(ptr, '\n');
+ if(!ptr){
+ PrintError("Error parsing next line.");
+ return NULL;;
+ }
 ptr++;
 }
```

poc file: attached
reporter: chiba in topsec alphalab

To view this discussion on the web visit https://groups.google.com/d/msgid/hugin-ptx/bcc1716e-1557-4148-b915-2c441e5a02ddn%40googlegroups.com.
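Review bot: the `if(!ptr)` check after `ptr = strchr(ptr, '\n');` is the right place to bail out, because once strchr() finds no further '\n' the following `ptr++` turns NULL into 0x1 (incrementing a null pointer is undefined behaviour in C) and the `while (ptr != NULL)` guard can never catch it. Two points on the body of the check: `return NULL;;` carries a stray second semicolon, and `PrintError("Error parsing next line.");` will fire for any script whose last line simply has no trailing newline, which is not a parse error: the current line has already been tested against 'o' at the top of the loop, so running out of newlines only means the requested line is not present. Consider returning NULL quietly here, consistent with whatever the function's existing not-found return does, rather than reporting an error.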
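As an added example (not libpano13's code and not part of the report above), the following hypothetical find_o_line() reproduces the shape of the line-scanning loop described for panoParserFindOLine(), with the strchr()/ptr++ step hardened so that a script whose last line has no trailing newline, or a one-byte buffer like the crashing input, returns "not found" instead of dereferencing address 0x1. The function name, the exact loop body and the panorama-script lines it is fed are assumptions constructed for this example.

```c
/*
 * Added example, not code from libpano13: a hypothetical find_o_line()
 * that mirrors the line-scanning loop described for panoParserFindOLine()
 * and shows the hardened version of the strchr()/ptr++ step.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return a malloc'd copy of the index-th line starting with 'o'
 * (without its trailing '\n'), or NULL if there is no such line.
 *
 * The unpatched loop in the report had this shape:
 *     while (ptr != NULL) {
 *         if (*ptr == 'o') { ... }
 *         ptr = strchr(ptr, '\n');   // NULL when no more newlines
 *         ptr++;                      // NULL + 1 == 0x1: undefined, and
 *     }                               // never caught by the guard
 * so any script whose last line lacks '\n' walked off into address 1.
 */
char *find_o_line(const char *script, int index)
{
    const char *ptr = script;
    int count = 0;

    while (ptr != NULL && *ptr != '\0') {
        const char *eol = strchr(ptr, '\n');  /* end of this line, or NULL */
        size_t len = eol ? (size_t)(eol - ptr) : strlen(ptr);

        if (*ptr == 'o') {
            if (count == index) {
                char *result = malloc(len + 1);
                if (result == NULL)
                    return NULL;
                memcpy(result, ptr, len);
                result[len] = '\0';
                return result;
            }
            count++;
        }

        /* Hardened step: stop when there is no further line rather than
         * incrementing a NULL pointer. The current line was already
         * examined above, so "no more newlines" simply means not found. */
        if (eol == NULL)
            return NULL;
        ptr = eol + 1;
    }
    return NULL;
}

/* Test helper: 1 if find_o_line() returns exactly `expected`
 * (NULL matching NULL), freeing the result. */
int find_o_line_matches(const char *script, int index, const char *expected)
{
    char *got = find_o_line(script, index);
    int ok = (got == NULL && expected == NULL) ||
             (got != NULL && expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a well-formed script, the same script without a
     * trailing newline, and a one-byte buffer shaped like the crashing
     * input (script="\006", index=0 in the backtrace). */
    const char *scripts[] = { "p f0 w100 h50\no f0 y0\no f1 y10\n",
                              "p f0 w100 h50\no f0 y0\no f1 y10",
                              "\006" };
    for (size_t i = 0; i < 3; i++) {
        for (int idx = 0; idx < 3; idx++) {
            char *line = find_o_line(scripts[i], idx);
            printf("script %zu index %d -> %s\n", i, idx,
                   line ? line : "(not found)");
            free(line);
        }
    }
    return 0;
}
```

Building the original loop shape with clang's -fsanitize=undefined reports the NULL-plus-one pointer arithmetic ("applying non-zero offset to null pointer") before the dereference at the top of the next iteration, which is a quicker way to spot this pattern in a fuzzing harness than waiting for the SIGSEGV.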