Summary
Hi~, I did some fuzzy testing and found some bugs/vulnerabilities on hicolor v0.5.0. I hope these findings will help improve software quality.
These bugs/vulnerabilities are mainly caused by unsafe component cute_png.h v1.05. According to my analysis, because the compilation environment of hicolor is inconsistent with the official compilation environment of cute_png.h v1.05, not all bugs in cute_png.h affect hicolor. The bugs/vulnerabilities listed below can truly affect hicolor v0.5.0.
All of the bugs/vulnerabilities are triggered with no assertion raised. This means that these bugs/vulnerabilities are unexpected behaviors of the program.
hicolor: https://github.com/dbohdan/hicolor
cute_headers: https://github.com/RandyGaul/cute_headers
See also https://github.com/Helson-S/FuzzyTesting/tree/master/hicolor
heapof-r1-cp_unfilter-cute_png-1019c11
Description
Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_unfilter() at line 1019 of vendor/cute_png.h v1.05.
Affected version: hicolor v0.5.0
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Compile hicolor with ASAN and run the following command in bash shell:
hicolor encode -a ./poc/sample6.png ./output.hic && rm -f ./output.hic
Screen-shot
heapof-r65280-cp_stored-cute_png-543c2
Description
Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_stored() at line 543 of vendor/cute_png.h v1.05. What's more, sample10.png provided as attack vector causes double-free heap memory corruption in function cp_load_png_mem() at line 1194 of vendor/cute_png.h v1.05.
Affected version: hicolor v0.5.0
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Compile hicolor with ASAN and run the following command in bash shell:
hicolor encode -a ./poc/sample10.png ./output.hic && rm -f ./output.hic
Screen-shot
heap-buffer-overflow
double-free heap memory corruption
heapof-w1-cp_block-cute_png-623c12
Description
Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 623 of vendor/cute_png.h v1.05. What's more, sample11.png provided as attack vector causes double-free heap memory corruption in function cp_load_png() at line 1216 of vendor/cute_png.h v1.05.
Affected version: hicolor v0.5.0
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Compile hicolor with ASAN and run the following command in bash shell:
hicolor encode -a ./poc/sample11.png ./output.hic && rm -f ./output.hic
Screen-shot
heap-buffer-overflow
double-free heap memory corruption
heapof-w1-png_quantize-cli-220c32
Description
Heap-buffer-overflow bug/vulnerability caused by write access found in function png_quantize() at line 220 of cli.c v1.05.
Affected version: hicolor v0.5.0
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Compile hicolor with ASAN and run the following command in bash shell:
hicolor quantize -n ./poc/sample18.png ./output.hic && rm -f ./output.hic
Screen-shot
heapof-w16-cp_block-cute_png-644c37
Description
Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 644 of vendor/cute_png.h v1.05. What's more, sample12.png provided as attack vector causes unmap invalid pointer memory corruption in function cp_load_png_mem() at line 1189 of vendor/cute_png.h v1.05.
Affected version: hicolor v0.5.0
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Compile hicolor with ASAN and run the following command in bash shell:
hicolor encode -a ./poc/sample12.png ./output.hic && rm -f ./output.hic
Screen-shot
heap-buffer-overflow
unmap invalid pointer
heapof-w98-cp_block-5c0-cute_png-642c5
Description
Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 642 of vendor/cute_png.h v1.05.
Affected version: hicolor v0.5.0
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Compile hicolor with ASAN and run the following command in bash shell:
hicolor encode -a ./poc/sample13.png ./output.hic && rm -f ./output.hic
Screen-shot
stkof-w133-cp_dynamic-cute_png-603
Description
Stack-buffer-overflow bug/vulnerability caused by write access found in function cp_dynamic() at line 603 of vendor/cute_png.h v1.05. It will lead to control flow hijacking.
Affected version: hicolor v0.5.0
Reproduction
Environment:
Operating system version: Ubuntu 22.04
Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
Compile hicolor with ASAN and run the following command in bash shell:
hicolor encode -a ./poc/sample16.png ./output.hic && rm -f ./output.hic
Screen-shot
Thanks for the report. I will look into the stack overflow in png_quantize. As for cute_png, like RandyGaul/cute_headers#381 (comment) says, it is not designed for untrusted input. I should note this in the readme. I may eventually address the insecurity of cute_png by replacing it with another library.
An accessibility suggestion: it would be better if your screenshots were code blocks. If you don't want code blocks making your issue too long, hide them inside <details> tags.
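Since cute_png is not designed for untrusted input, one defence-in-depth layer a caller such as hicolor can add is to reject structurally malformed PNG files before the decoder touches them. The code below is an added example, not code from hicolor or cute_png; `png_prevalidate`, `png_crc32` and the constructed 1x1 sample are assumptions made here.

```c
#include <stdint.h>
#include <string.h>

enum png_check { PNG_OK = 0, PNG_BAD_SIG, PNG_TRUNCATED, PNG_BAD_ORDER, PNG_BAD_CRC, PNG_BAD_IHDR, PNG_NO_IEND };

/* CRC-32 (reflected, polynomial 0xEDB88320): the checksum every PNG chunk carries. */
uint32_t png_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Walk every chunk before a decoder sees the bytes: each declared length must fit what is left
 * of the buffer, the first chunk must be a 13-byte IHDR with bounded dimensions, every CRC must
 * match, and IEND must close the stream. Anything else is rejected with a reason code. */
enum png_check png_prevalidate(const uint8_t *buf, size_t len, uint32_t max_dim) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (len < 8 || memcmp(buf, sig, 8) != 0) return PNG_BAD_SIG;
    size_t off = 8;
    int first = 1;
    for (;;) {
        if (off == len) return PNG_NO_IEND;
        if (len - off < 12) return PNG_TRUNCATED;          /* room for length + type + crc */
        uint32_t clen = be32(buf + off);
        if (clen > len - off - 12) return PNG_TRUNCATED;   /* compare, never add: no wraparound */
        const uint8_t *type = buf + off + 4;
        if (first) {
            if (memcmp(type, "IHDR", 4) != 0 || clen != 13) return PNG_BAD_ORDER;
            uint32_t w = be32(type + 4), h = be32(type + 8);
            if (w == 0 || h == 0 || w > max_dim || h > max_dim) return PNG_BAD_IHDR;
            first = 0;
        }
        if (png_crc32(type, 4 + clen) != be32(type + 4 + clen)) return PNG_BAD_CRC;
        off += 12 + clen;
        if (memcmp(type, "IEND", 4) == 0) return PNG_OK;
    }
}

/* Constructed 1x1 sample (signature, IHDR, IEND; no IDAT, only framing is exercised): 45 bytes. */
size_t build_sample_png(uint8_t *out) {
    static const uint8_t head[29] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13,
                                     'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0};
    memcpy(out, head, 29);
    put32(out + 29, png_crc32(out + 12, 17));   /* IHDR CRC covers type + data */
    memcpy(out + 33, "\0\0\0\0IEND", 8);
    put32(out + 41, png_crc32(out + 37, 4));
    return 45;
}
```

This check rejects bad chunk lengths, bad CRCs and oversized IHDR dimensions, but it does not validate the zlib stream inside IDAT, which is where cp_stored(), cp_block() and cp_dynamic() decode; it narrows exposure rather than fixing the decoder, so replacing cute_png remains the real fix.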