heap buffer overflow is found in upng.c #3143
Our fuzzer found a heap buffer overflow in upng.c in the current main (1e0953f).
The following is the output of valgrind.
vuln26-patch.png is in vuln26-patch.zip

libwebsockets/lib/misc/upng.c, lines 464 to 465 in 1e0953f

The code is built on the assumption that `bypl` > `bypp`, but by specifying `width` = 0, we can create a situation where `bypp` < `bypl`.

libwebsockets/lib/misc/upng.c, line 485 in 1e0953f
libwebsockets/lib/misc/upng.c, line 496 in 1e0953f

While the size of the heap area is specified using `bypl` as above, some writes are done based on `bypp`, resulting in a heap BOF. For example, in the following code flow:

libwebsockets/lib/misc/upng.c, line 503 in 1e0953f
libwebsockets/lib/misc/upng.c, lines 262 to 264 in 1e0953f
libwebsockets/lib/misc/upng.c, lines 208 to 210 in 1e0953f

OOB happens with the writing of `uf->recon[i]`.

Also, the PR #3134 was found to be inadequate as a check for integer overflow. For example, when `bypl * 2` causes an integer overflow, a heap BOF occurs as when width = 0. The `bypp` check is in the `determine_format` function, so we need a check for `width` and a more rigorous check for integer overflow in the `ims` calculation.

libwebsockets/lib/misc/upng.c, lines 303 to 304 in 1e0953f
Ricerca Security, Inc.
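The two defects described in this report (a scanline buffer sized from `bypl` while the unfilter loop writes `bypp` bytes, and a `bypl * 2` size computation that can wrap) are illustrated below in a small, constructed C example. This is added here for illustration and is not code from upng.c or libwebsockets; the struct `png_geom_t`, the functions `png_geom_check`, `unfilter_sub` and `decode_sub_line`, and the sample scanline are all hypothetical. The geometry is computed in 32-bit arithmetic, as a small decoder typically does, so a legal 32-bit IHDR width can overflow the line-size product; the check uses `__builtin_mul_overflow` (GCC/Clang) on the products themselves rather than on the operands, rejects `width == 0`, and enforces the `bypl >= bypp` invariant before any buffer is sized from `bypl`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration (not libwebsockets code): PNG scanline geometry. */
typedef struct {
	uint32_t width;      /* from IHDR */
	uint32_t height;     /* from IHDR */
	uint32_t bit_depth;  /* 1, 2, 4, 8 or 16 */
	uint32_t channels;   /* 1 (grey) .. 4 (RGBA) */
	uint32_t bypp;       /* bytes per pixel, rounded up, at least 1 */
	uint32_t bypl;       /* bytes per scanline */
	uint32_t ims;        /* bytes to allocate: two scanlines (current + previous) */
} png_geom_t;

/*
 * Hypothetical geometry validation: establishes bypl >= bypp and computes
 * ims without silent wraparound. Returns 0 if decoding may proceed, -1 if
 * the image must be rejected.
 */
int png_geom_check(png_geom_t *g)
{
	uint32_t bits_per_pixel, bits_per_line, rounded;

	/* A zero-size image makes bypl = 0 < bypp; refuse it up front. */
	if (g->width == 0 || g->height == 0)
		return -1;
	if (g->bit_depth != 1 && g->bit_depth != 2 && g->bit_depth != 4 &&
	    g->bit_depth != 8 && g->bit_depth != 16)
		return -1;
	if (g->channels < 1 || g->channels > 4)
		return -1;

	bits_per_pixel = g->bit_depth * g->channels;       /* at most 64 */
	g->bypp = (bits_per_pixel + 7) / 8;

	/* width * bits_per_pixel can exceed 32 bits for a legal IHDR width. */
	if (__builtin_mul_overflow(g->width, bits_per_pixel, &bits_per_line))
		return -1;
	if (__builtin_add_overflow(bits_per_line, 7u, &rounded))
		return -1;
	g->bypl = rounded / 8;

	/* The invariant the unfilter loops rely on. */
	if (g->bypl < g->bypp)
		return -1;

	/* ims = bypl * 2: check the product itself, not just the operands. */
	if (__builtin_mul_overflow(g->bypl, 2u, &g->ims))
		return -1;

	return 0;
}

/*
 * Toy "Sub" unfilter for one scanline. recon must hold bypl bytes. The first
 * loop writes bypp bytes unconditionally, which is why the decoder must
 * guarantee bypl >= bypp before sizing recon from bypl.
 */
void unfilter_sub(uint8_t *recon, const uint8_t *scanline,
		  uint32_t bypp, uint32_t bypl)
{
	uint32_t i;

	for (i = 0; i < bypp; i++)
		recon[i] = scanline[i];                    /* no left neighbour */
	for (i = bypp; i < bypl; i++)
		recon[i] = (uint8_t)(scanline[i] + recon[i - bypp]);
}

/*
 * Validate geometry, allocate the scanline buffer from bypl, unfilter one
 * Sub-filtered line. Returns a malloc'd buffer of bypl bytes, or NULL if the
 * geometry is rejected or the input is too short.
 */
uint8_t *decode_sub_line(png_geom_t *g, const uint8_t *filtered, size_t filtered_len)
{
	uint8_t *recon;

	if (png_geom_check(g) != 0)
		return NULL;
	if (filtered_len < g->bypl)
		return NULL;
	recon = malloc(g->bypl);
	if (!recon)
		return NULL;
	unfilter_sub(recon, filtered, g->bypp, g->bypl);
	return recon;
}

int main(void)
{
	/* Constructed input: two RGB8 pixels, Sub-filtered. */
	const uint8_t line[6] = { 1, 2, 3, 1, 1, 1 };
	png_geom_t ok = { 2, 1, 8, 3, 0, 0, 0 };
	png_geom_t zero_width = { 0, 1, 8, 3, 0, 0, 0 };
	png_geom_t huge = { 0x04000000u, 1, 16, 4, 0, 0, 0 }; /* 2^26 px * 64 bits */
	uint8_t *r = decode_sub_line(&ok, line, sizeof line);
	uint32_t i;

	if (r) {
		for (i = 0; i < ok.bypl; i++)
			printf("%u ", r[i]);                 /* 1 2 3 2 3 4 */
		printf("\n");
		free(r);
	}
	printf("width=0 rejected: %d\n", png_geom_check(&zero_width) == -1);
	printf("overflowing width rejected: %d\n", png_geom_check(&huge) == -1);
	return 0;
}
```

With `width = 0` the unchecked version of this code would `malloc(0)` and then write `bypp` bytes in the first loop of `unfilter_sub`, which is the same shape of out-of-bounds write the report attributes to `uf->recon[i]`; the `width == 0` and `bypl < bypp` checks in `png_geom_check` close that path, and the overflow-checked products close the wraparound path in the `ims` computation.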