| Title | Simd Simd commit a1580a5fb13e2f8c78715afb0bc47e44519ccd32 buffer overflow |
|---|
| Description | ## Description
[Simd](https://github.com/ermig1979/Simd) has a heap-buffer-overflow at src/Simd/SimdMemoryStream.h:236:26 in SkipGap, reached through ReadUnsigned while ImagePxmLoader::ReadHeader parses a PGM header.
## Version
```shell
commit a1580a5fb13e2f8c78715afb0bc47e44519ccd32
```
## Harness
From https://github.com/google/oss-fuzz/blob/master/projects/simd/simd_load_fuzzer.cpp
```c++
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include "Test/TestUtils.h"

// libFuzzer entry point: load the fuzzed bytes into a View for each of four
// destination pixel formats, so header parsing and decoding see every input.
extern "C"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size < 5) {
        return 0;
    }
    Test::View::Format formats[4] = {Test::View::Gray8,
                                     Test::View::Bgr24,
                                     Test::View::Bgra32,
                                     Test::View::Rgb24};
    for (int i = 0; i < 4; i++) {
        Test::View dst1;
        dst1.Load(data, size, formats[i]);  // decodes the image from memory
    }
    return 0;
}
```
## Proof of Concept
The PoC can be obtained from Google Drive: https://drive.google.com/drive/folders/1z0JBsZ-QR3RsuAf-uyit_ZGXCh0rEvFq?usp=sharing
```shell
$ ./simd_load_fuzzer 0a9e9a2b-1f53-4933-8774-aa1d7b630ca6
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3608156716
INFO: Loaded 1 modules (400161 inline 8-bit counters): 400161 [0xff2cb90, 0xff8e6b1),
INFO: Loaded 1 PC tables (400161 PCs): 400161 [0xff8e6b8,0x105a98c8),
./simd_load_fuzzer: Running 1 inputs 1 time(s) each.
Running: 0a9e9a2b-1f53-4933-8774-aa1d7b630ca6
=================================================================
==1137469==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x00000072a88a bp 0x7fffffffd770 sp 0x7fffffffd768
READ of size 1 at 0x6020000000c0 thread T0
#0 0x72a889 in SkipGap /src/Simd/prj/cmake/../../src/Simd/SimdMemoryStream.h:236:26
#1 0x72a889 in ReadUnsigned<unsigned int> /src/Simd/prj/cmake/../../src/Simd/SimdMemoryStream.h:196:18
#2 0x72a889 in Simd::Base::ImagePxmLoader::ReadHeader(unsigned long) /src/Simd/src/Simd/SimdBaseImageLoad.cpp:116:90
#3 0x72cf7a in Simd::Base::ImagePgmBinLoader::FromStream() /src/Simd/src/Simd/SimdBaseImageLoad.cpp:208:18
#4 0x5ad5916 in Simd::Avx512bw::ImageLoadFromMemory(unsigned char const*, unsigned long, unsigned long*, unsigned long*, unsigned long*, SimdPixelFormatType*) /src/Simd/src/Simd/SimdAvx512bwImageLoad.cpp:146:33
#5 0x592545 in SimdImageLoadFromMemory /src/Simd/src/Simd/SimdLib.cpp:2747:12
#6 0x57f256 in Load /src/Simd/src/Simd/SimdView.hpp:1284:29
#7 0x57f256 in LLVMFuzzerTestOneInput /src/simd_load_fuzzer.cpp:29:10
#8 0x450a33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#9 0x42bbc2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#10 0x436ca1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#11 0x46add2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#12 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#13 0x421d8d in _start (/home/zhangwei28/80result/simd/simd_load_fuzzer+0x421d8d)
0x6020000000c0 is located 0 bytes to the right of 16-byte region [0x6020000000b0,0x6020000000c0)
allocated by thread T0 here:
#0 0x541ca6 in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x4c06a7 in operator new(unsigned long) cxa_noexception.cpp
#2 0x42bbc2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#3 0x436ca1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#4 0x46add2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#5 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/Simd/prj/cmake/../../src/Simd/SimdMemoryStream.h:236:26 in SkipGap
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8010: fa fa 00 00 fa fa 00 00[fa]fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1137469==ABORTING
``` |
|---|
| Source | https://drive.google.com/drive/folders/1z0JBsZ-QR3RsuAf-uyit_ZGXCh0rEvFq?usp=sharing |
|---|
| User | Anonymous User |
|---|
| Submission | 03/26/2024 09:07 (2 years ago) |
|---|
| Moderation | 04/02/2024 19:52 (7 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 259054 [ermig1979 Simd up to 6.0.134 SimdMemoryStream.h ReadUnsigned heap-based overflow] |
|---|
| Points | 0 |
|---|
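The trace in the report shows SkipGap reading one byte past a 16-byte heap allocation while ReadUnsigned parses a PGM header. As an added illustration that is not Simd's code, the following hypothetical bounds-checked stream shows the guard that class of over-read needs: every byte access checks the position against the buffer size, so a header truncated inside the whitespace gap fails cleanly.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Hypothetical bounds-checked header reader (not Simd's code): every byte access
// is guarded, so a truncated PGM header fails cleanly instead of over-reading.
class SafeMemoryStream {
public:
    SafeMemoryStream(const uint8_t* data, size_t size) : data_(data), size_(size) {}
    bool Eof() const { return pos_ >= size_; }
    bool ReadByte(uint8_t& b) { if (Eof()) return false; b = data_[pos_++]; return true; }
    // Skip the whitespace/comment "gap" between header tokens. An unchecked loop
    // over data_[pos_] without the Eof() test is the shape of the over-read above.
    bool SkipGap() {
        while (!Eof()) {
            if (IsSpace(data_[pos_])) ++pos_;
            else if (data_[pos_] == '#') { while (!Eof() && data_[pos_] != '\n') ++pos_; }
            else break;
        }
        return !Eof();  // false: the gap ran off the end of the buffer
    }
    // Read an unsigned decimal token after the gap; fails on truncation,
    // a non-digit token, or a value that does not fit in 32 bits.
    bool ReadUnsigned(uint32_t& value) {
        if (!SkipGap() || data_[pos_] < '0' || data_[pos_] > '9') return false;
        value = 0;
        while (!Eof() && data_[pos_] >= '0' && data_[pos_] <= '9') {
            uint32_t d = data_[pos_++] - '0';
            if (value > (UINT32_MAX - d) / 10) return false;  // would overflow
            value = value * 10 + d;
        }
        return true;
    }
private:
    static bool IsSpace(uint8_t c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }
    const uint8_t* data_;
    size_t size_, pos_ = 0;
};

struct PgmHeader { uint32_t width = 0, height = 0, maxval = 0; };

// Parse a binary PGM ("P5") header: magic, width, height, maxval, one separator.
bool ParsePgmHeader(const std::string& buf, PgmHeader& h) {
    SafeMemoryStream s(reinterpret_cast<const uint8_t*>(buf.data()), buf.size());
    uint8_t m0 = 0, m1 = 0, sep = 0;
    if (!s.ReadByte(m0) || !s.ReadByte(m1) || m0 != 'P' || m1 != '5') return false;
    if (!s.ReadUnsigned(h.width) || !s.ReadUnsigned(h.height) || !s.ReadUnsigned(h.maxval)) return false;
    return s.ReadByte(sep) && h.width > 0 && h.height > 0 && h.maxval > 0 && h.maxval < 65536;
}
```

The constructed 16-byte input "P5\n# c\n640 480  " ends inside the gap before maxval, which is where an unchecked SkipGap would read past the allocation; here it simply returns false.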