Global-buffer-overflow READ 4 · LibRaw::parseSigmaMakernote #309

Closed
@alex

Description

@alex

Found at 20ad21c

clusterfuzz-testcase-minimized-encoder_dng_fuzzer-5693021307011072.zip


```
==111682==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000019d66c8 at pc 0x0000014a907c bp 0x7ffce53f29f0 sp 0x7ffce53f29e8
READ of size 4 at 0x0000019d66c8 thread T0
SCARINESS: 17 (4-byte-read-global-buffer-overflow)
    #0 0x14a907b in LibRaw::parseSigmaMakernote(int, int, unsigned int) libraw/src/metadata/makernotes.cpp:47:17
    #1 0x14ad282 in LibRaw::parse_makernote(int, int) libraw/src/metadata/makernotes.cpp:413:5
    #2 0x148f600 in LibRaw::parse_exif(int) libraw/src/metadata/exif_gps.cpp:289:7
    #3 0x146c229 in LibRaw::parse_tiff_ifd(int) libraw/src/metadata/tiff.cpp:741:7
    #4 0x147b52c in LibRaw::parse_tiff(int) libraw/src/metadata/tiff.cpp:1486:9
    #5 0x141ea3e in LibRaw::identify() libraw/src/metadata/identify.cpp:494:14
    #6 0x1356472 in LibRaw::open_datastream(LibRaw_abstract_datastream*) libraw/src/utils/open.cpp:390:4
    #7 0x13550ea in LibRaw::open_file(char const*, long long) libraw/src/utils/open.cpp:61:13
    #8 0x132cc60 in libraw_open_file libraw/src/libraw_c_api.cpp:74:16
    #9 0x8cdcfd in ReadDNGImage imagemagick/coders/dng.c:416:13
    #10 0x60ed4e in ReadImage imagemagick/MagickCore/constitute.c:553:15
    #11 0x5a5b5c in BlobToImage imagemagick/MagickCore/blob.c:497:9
    #12 0x4dd754 in Magick::Image::read(Magick::Blob const&) imagemagick/Magick++/lib/Image.cpp:4028:12
    #13 0x4cb5d6 in LLVMFuzzerTestOneInput imagemagick/Magick++/fuzz/encoder_fuzzer.cc:49:11
    #14 0x4cc9cd in main
    #15 0x7f3f43ed882f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
    #16 0x420d68 in _start

0x0000019d66c8 is located 56 bytes to the left of global variable '<string literal>' defined in 'src/metadata/makernotes.cpp:68:22' (0x19d6700) of size 6
  '<string literal>' is ascii string 'NIKON'
0x0000019d66c8 is located 0 bytes to the right of global variable '__const._ZN6LibRaw19parseSigmaMakernoteEiij.wb_table1' defined in 'src/metadata/makernotes.cpp' (0x19d66a0) of size 40
SUMMARY: AddressSanitizer: global-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-honggfuzz_imagemagick_6c758f2561112e17568a05126726c2ca513bfabc/revisions/encoder_dng_fuzzer+0x14a907b)
```

Metadata

Assignees

No one assigned

Labels

No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests