oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

libfpx: divide-by-zero in CDirVector::GetTable (dirfunc.hxx)

From: "Agostino Sarubbo" <ago () gentoo org>
Date: Thu, 17 Aug 2017 20:11:49 +0000
Description:
libfpx is a library for manipulating FlashPIX images.

I’m aware that the link to the upstream website does not work. I’m keeping it as well because in the future the 
upstream website could appear 
again.
Libfpx is not actively developed, I contacted the imagemagick project if they were available to patch security issues, 
but they said the they 
are only accepting patches and push new releases.
This issue was found using the gm command line tool of graphicsmagick.

The complete ASan output of the issue:

# gm identify $FILE
==11203==ERROR: AddressSanitizer: FPE on unknown address 0x7fc9f8a8a403 (pc 0x7fc9f8a8a403 bp 0x7fffbf287b28 sp 
0x7fffbf287ae0 T0)
    #0 0x7fc9f8a8a402 in CDirVector::GetTable(unsigned int, unsigned int, CDirSect**) 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/h/dirfunc.hxx:250
    #1 0x7fc9f8a8a402 in CDirectory::GetDirEntry(unsigned int, unsigned int, CDirEntry**) 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/dir.cxx:1102
    #2 0x7fc9f8a91cff in CDirectory::GetSize(unsigned int, unsigned int*) 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/h/dirfunc.hxx:316
    #3 0x7fc9f8a91cff in CMStream::Init() 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/mstream.cxx:431
    #4 0x7fc9f8a912e7 in DllMultiStreamFromStream(CMStream**, ILockBytes**, unsigned int) 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/msf.cxx:88
    #5 0x7fc9f8a9388b in CRootExposedDocFile::InitRoot(ILockBytes*, unsigned int, unsigned short, unsigned short**) 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/rexpdf.cxx:124
    #6 0x7fc9f8a8bad6 in DfFromLB(ILockBytes*, unsigned short, unsigned int, unsigned short**, CExposedDocFile**, 
_XGUID*) /var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/docfile.cxx:66
    #7 0x7fc9f8a8bdfc in DfOpenStorageOnILockBytesW(ILockBytes*, IStorage*, unsigned int, unsigned short**, unsigned 
int, IStorage**, _XGUID*) /var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/docfile.cxx:277
    #8 0x7fc9f8a88878 in DfOpenStorageOnILockBytes(ILockBytes*, IStorage*, unsigned int, char**, unsigned int, 
IStorage**, _XGUID*) /var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/ascii.cxx:461
    #9 0x7fc9f8a9458e in StgOpenStorageOnILockBytes 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/storage.cxx:116
    #10 0x7fc9f8a9461a in StgOpenStorage 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/storage.cxx:70
    #11 0x7fc9f8a7008e in OLEFile::OpenOLEFile(_XGUID&, OLEStorage**, unsigned int) 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/ole/olefiles.cpp:184
    #12 0x7fc9f8a70557 in OLEFile::GetCLSID(_XGUID*) 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/ole/olefiles.cpp:346
    #13 0x7fc9f8a52d64 in PFlashPixImageView::PFlashPixImageView(FicNom&, char const*, mode_Ouverture, long, 
PSearchHookObject*, FPXStatus*) /var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/fpx/fpximgvw.cpp:389
    #14 0x7fc9f8a55c81 in OpenImageByFilename(FicNom&, char const*, unsigned long, unsigned int*, unsigned int*, 
unsigned int*, unsigned int*, FPXColorspace*, PFlashPixImageView**) 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/fpx/fpxlibio.cpp:1629
    #15 0x7fc9f8a55dc9 in FPX_OpenImageByFilename 
/var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/fpx/fpxlibio.cpp:1686
    #16 0x7fc9f8cc45e6 in ReadFPXImage 
/var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/fpx.c:226:16
    #17 0x7fc9fe564e2b in ReadImage 
/var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #18 0x7fc9fe561e8c in PingImage 
/var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
    #19 0x7fc9fe42dae5 in IdentifyImageCommand 
/var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:8379:17
    #20 0x7fc9fe434065 in MagickCommand 
/var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #21 0x7fc9fe4df7fb in GMCommandSingle 
/var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #22 0x7fc9fe4dc931 in GMCommand 
/var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #23 0x7fc9fcd47680 in __libc_start_main 
/var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #24 0x419cd8 in _init (/usr/bin/gm+0x419cd8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /var/tmp/portage/media-libs/libfpx-1.3.1_p6/work/libfpx-1.3.1-6/oless/h/dirfunc.hxx:250 
in CDirVector::GetTable(unsigned int, unsigned int, CDirSect**)
==11203==ABORTING

Affected version:
1.3.1_p6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-12924

Reproducer:
https://github.com/asarubbo/poc/blob/master/00313-libfpx-FPE-CDirVector_GetTable

Timeline:
2017-08-01: bug discovered
2017-08-09: blog post about the issue
2017-08-17: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core 
Infrastructure Initiative.

Permalink:
https://blogs.gentoo.org/ago/2017/08/09/libfpx-divide-by-zero-in-cdirvectorgettable-dirfunc-hxx/

--
Agostino Sarubbo
Gentoo Linux Developer
Previous By Date Next
Previous By Thread Next

Current thread: