Submit #304572: Simd Simd commit a1580a5fb13e2f8c78715afb0bc47e44519ccd32 heap-buffer-overflow

Title: Simd Simd commit a1580a5fb13e2f8c78715afb0bc47e44519ccd32 heap-buffer-overflow
Description:

## Description

[Simd](https://github.com/ermig1979/Simd) has a heap-buffer-overflow at src/Simd/SimdMemoryStream.h:199:27 in ReadUnsigned<unsigned char>, reached from Simd::Base::ImagePpmTxtLoader::FromStream(). The AddressSanitizer report below shows a 1-byte read located 0 bytes past the end of a 1263-byte heap region, i.e. the text loader reads one byte beyond the input buffer.

## Version

```shell
commit a1580a5fb13e2f8c78715afb0bc47e44519ccd32
```

## Harness

From https://github.com/google/oss-fuzz/blob/master/projects/simd/simd_load_fuzzer.cpp

```c++
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include "Test/TestUtils.h"

// libFuzzer entry point: hand the fuzzer-generated bytes to Simd's in-memory
// image loader once for each of the four target pixel formats.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size < 5)
    {
        return 0;   // too short to be any image header
    }
    Test::View::Format formats[4] = {Test::View::Gray8, Test::View::Bgr24, Test::View::Bgra32, Test::View::Rgb24};
    for (int i = 0; i < 4; i++)
    {
        Test::View dst1;
        // Test::View::Load calls SimdImageLoadFromMemory (frames #3-#5 in the trace below).
        dst1.Load(data, size, formats[i]);
    }
    return 0;
}
```

## Proof of Concept

The PoC can be obtained from Google Drive: https://drive.google.com/drive/folders/1z0JBsZ-QR3RsuAf-uyit_ZGXCh0rEvFq?usp=sharing

```shell
$ ./simd_load_fuzzer f3d3a0b9-f889-4853-86b3-6cd46a34fc3e
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2587314779
INFO: Loaded 1 modules   (400161 inline 8-bit counters): 400161 [0xff2cb90, 0xff8e6b1),
INFO: Loaded 1 PC tables (400161 PCs): 400161 [0xff8e6b8,0x105a98c8),
./simd_load_fuzzer: Running 1 inputs 1 time(s) each.
Running: f3d3a0b9-f889-4853-86b3-6cd46a34fc3e
=================================================================
==1101636==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000b6f at pc 0x00000072e654 bp 0x7fffffffd920 sp 0x7fffffffd918
READ of size 1 at 0x61a000000b6f thread T0
    #0 0x72e653 in ReadUnsigned<unsigned char> /src/Simd/prj/cmake/../../src/Simd/SimdMemoryStream.h:199:27
    #1 0x72e653 in Simd::Base::ImagePpmTxtLoader::FromStream() /src/Simd/src/Simd/SimdBaseImageLoad.cpp:264:38
    #2 0x5ad5916 in Simd::Avx512bw::ImageLoadFromMemory(unsigned char const*, unsigned long, unsigned long*, unsigned long*, unsigned long*, SimdPixelFormatType*) /src/Simd/src/Simd/SimdAvx512bwImageLoad.cpp:146:33
    #3 0x592545 in SimdImageLoadFromMemory /src/Simd/src/Simd/SimdLib.cpp:2747:12
    #4 0x57f256 in Load /src/Simd/src/Simd/SimdView.hpp:1284:29
    #5 0x57f256 in LLVMFuzzerTestOneInput /src/simd_load_fuzzer.cpp:29:10
    #6 0x450a33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x42bbc2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
    #8 0x436ca1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
    #9 0x46add2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x421d8d in _start (/home/zhangwei28/80result/simd/simd_load_fuzzer+0x421d8d)

0x61a000000b6f is located 0 bytes to the right of 1263-byte region [0x61a000000680,0x61a000000b6f)
allocated by thread T0 here:
    #0 0x541ca6 in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x4c06a7 in operator new(unsigned long) cxa_noexception.cpp
    #2 0x42bbc2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
    #3 0x436ca1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
    #4 0x46add2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #5 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/Simd/prj/cmake/../../src/Simd/SimdMemoryStream.h:199:27 in ReadUnsigned<unsigned char>
Shadow bytes around the buggy address:
  0x0c347fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00[07]fa fa
  0x0c347fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1101636==ABORTING
```
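The trace above shows a 1-byte read exactly at the end of a 1263-byte heap region from a digit-reading routine called by the textual PPM loader, which is consistent with a parser that keeps consuming digits without checking how many input bytes remain. The following bounds-checked reader is an added illustration of the mitigation, not Simd's own code: BoundedStream, LoadPpmText and LastSample are hypothetical names, and the only assumption is the textual PPM layout (magic "P3", width, height, maxval, then decimal samples).

```cpp
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Hypothetical bounds-checked stream (an added illustration, not Simd's own
// SimdMemoryStream): all byte access goes through Peek(), which refuses to read
// past _size, so a number cut off by the buffer end ends the digit loop cleanly.
class BoundedStream {
public:
    BoundedStream(const uint8_t* data, size_t size) : _data(data), _size(size), _pos(0) {}
    bool Peek(uint8_t& c) const { if (_pos >= _size) return false; c = _data[_pos]; return true; }
    void Skip() { if (_pos < _size) ++_pos; }
    bool Expect(uint8_t want) { uint8_t c; if (!Peek(c) || c != want) return false; Skip(); return true; }
    // Parse one decimal number of textual ("P3") PPM; fails when the value is missing or too big for T.
    template <class T> bool ReadUnsigned(T& value) {
        uint64_t acc = 0, lim = std::numeric_limits<T>::max();
        uint8_t c;
        while (Peek(c) && (c == ' ' || c == '\t' || c == '\r' || c == '\n')) Skip();
        if (!Peek(c) || c < '0' || c > '9') return false;
        for (; Peek(c) && c >= '0' && c <= '9'; Skip()) {
            uint64_t d = c - '0';
            if (acc > (lim - d) / 10) return false;   // acc * 10 + d would exceed T
            acc = acc * 10 + d;
        }
        value = (T)acc; return true;
    }
private:
    const uint8_t* _data; size_t _size; size_t _pos;
};

// Decode a textual PPM body ("P3", width, height, maxval, then width*height*3
// decimal samples stored as unsigned char); false on any truncation.
bool LoadPpmText(const uint8_t* data, size_t size, size_t& w, size_t& h, std::vector<uint8_t>& px) {
    BoundedStream s(data, size);
    size_t maxval = 0;
    if (!s.Expect('P') || !s.Expect('3')) return false;
    if (!s.ReadUnsigned(w) || !s.ReadUnsigned(h) || !s.ReadUnsigned(maxval)) return false;
    if (w == 0 || h == 0 || maxval == 0 || maxval > 255 || w > SIZE_MAX / 3 / h) return false;
    px.assign(w * h * 3, 0);
    for (size_t i = 0; i < px.size(); ++i)
        if (!s.ReadUnsigned<uint8_t>(px[i])) return false;   // sample missing or out of range
    return true;
}
// Decode a constructed text buffer; returns its last sample, or -1 if rejected.
int LastSample(const char* text) {
    size_t w = 0, h = 0; std::vector<uint8_t> px;
    return LoadPpmText((const uint8_t*)text, std::strlen(text), w, h, px) ? px.back() : -1;
}
```

A sample whose digits end exactly at the buffer end (the situation the report describes) is returned as-is, while a missing or oversized sample makes the loader fail instead of reading on.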
Source: https://drive.google.com/drive/folders/1z0JBsZ-QR3RsuAf-uyit_ZGXCh0rEvFq?usp=sharing
Submission: 03/26/2024 09:07 (1 month ago)
Moderation: 04/02/2024 18:45 (7 days later)
Accepted
VulDB Entry: VDB-259054
