Hello, I am reporting a crash that was discovered while running OSS-Fuzz in a local environment.
I am providing the relevant logs and crash input data. If it's a duplicate or irrelevant, feel free to close it.
root@731b0b1566be:/out/serenity# ./FuzzILBMLoader ./serenity--FuzzILBMLoader--crash-b3f10f12ece1f6ce61ffff76b3ba2e1e-2023-11-19-11\:28\:33
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1893576050
INFO: Loaded 1 modules (55266 inline 8-bit counters): 55266 [0xe86d90, 0xe94572),
INFO: Loaded 1 PC tables (55266 PCs): 55266 [0xe94578,0xf6c398),
./FuzzILBMLoader: Running 1 inputs 1 time(s) each.
Running: ./serenity--FuzzILBMLoader--crash-b3f10f12ece1f6ce61ffff76b3ba2e1e-2023-11-19-11:28:33
=================================================================
==316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000023f at pc 0x000000911ac1 bp 0x7fffb4528330 sp 0x7fffb4528328
READ of size 4 at 0x60600000023f thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
#0 0x911ac0 in load<unsigned int> /src/serenity/Meta/Lagom/../../AK/ByteReader.h:23:9
#1 0x911ac0 in load32 /src/serenity/Meta/Lagom/../../AK/ByteReader.h:44:9
#2 0x911ac0 in decode_iff_chunks /src/serenity/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp:318:103
#3 0x911ac0 in Gfx::ILBMImageDecoderPlugin::frame(unsigned long, AK::Optional<Gfx::Size<int> >) /src/serenity/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp:403:9
#4 0x8ce76a in LLVMFuzzerTestOneInput /src/serenity/Meta/Lagom/Fuzzers/FuzzILBMLoader.cpp:17:20
#5 0x79e503 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#6 0x789012 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#7 0x78e8bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#8 0x7b8a42 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#9 0x7f3183f40082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
#10 0x77f1dd in _start (/out/serenity/FuzzILBMLoader+0x77f1dd)
DEDUP_TOKEN: load<unsigned int>--load32--decode_iff_chunks
0x60600000023f is located 0 bytes to the right of 63-byte region [0x606000000200,0x60600000023f)
allocated by thread T0 here:
#0 0x88f876 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x80e277 in operator new(unsigned long) cxa_noexception.cpp
#2 0x789012 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#3 0x78e8bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#4 0x7b8a42 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#5 0x7f3183f40082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
DEDUP_TOKEN: __interceptor_malloc--operator new(unsigned long)--fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/serenity/Meta/Lagom/../../AK/ByteReader.h:23:9 in load<unsigned int>
Shadow bytes around the buggy address:
0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
0x0c0c7fff8020: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff8030: fa fa fa fa 00 00 00 00 00 00 00 07 fa fa fa fa
=>0x0c0c7fff8040: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==316==ABORTING
serenity--FuzzILBMLoader--crash-b3f10f12ece1f6ce61ffff76b3ba2e1e-2023-11-19-112833.txt
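What the trace shows is a 4-byte read (`load32`) starting exactly at the end of a 63-byte heap allocation while walking IFF chunks, i.e. a chunk header or length field was read without first checking that 4 bytes remained. The following is an added, self-contained illustration (not SerenityOS's LibGfx code; the names `load32_checked`, `decode_chunks` and `make_chunk` are hypothetical) of a chunk walker that performs the remaining-bytes check before every header read and rejects both truncated headers and declared lengths that exceed the remaining input. The sample inputs are constructed in the block.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Hypothetical IFF chunk walker written for this issue as an illustration; it is
// not the LibGfx ILBMLoader code. Each chunk header (4-byte ID + 4-byte
// big-endian length) is read only after checking that enough bytes remain,
// which is the check the sanitizer trace above reports as missing for the
// 4-byte load at the end of a 63-byte buffer.

struct Chunk {
    char id[5];      // FourCC plus terminating NUL
    uint32_t length; // payload length from the header
    size_t offset;   // offset of the payload in the input
};

// Reads a big-endian u32 at 'pos'; returns nullopt if fewer than 4 bytes remain.
static std::optional<uint32_t> load32_checked(std::vector<uint8_t> const& data, size_t pos)
{
    if (pos > data.size() || data.size() - pos < 4)
        return std::nullopt;
    return (uint32_t(data[pos]) << 24) | (uint32_t(data[pos + 1]) << 16)
        | (uint32_t(data[pos + 2]) << 8) | uint32_t(data[pos + 3]);
}

// Walks chunks starting at 'pos'. Returns nullopt on any truncation: a header
// that does not fit, or a declared length larger than what remains.
static std::optional<std::vector<Chunk>> decode_chunks(std::vector<uint8_t> const& data, size_t pos)
{
    std::vector<Chunk> chunks;
    while (pos < data.size()) {
        // A full header needs 8 bytes: 4-byte ID + 4-byte length.
        if (data.size() - pos < 8)
            return std::nullopt;
        Chunk c {};
        std::memcpy(c.id, data.data() + pos, 4);
        c.id[4] = '\0';
        auto len = load32_checked(data, pos + 4);
        if (!len.has_value())
            return std::nullopt;
        c.length = *len;
        c.offset = pos + 8;
        // The declared payload must fit in the bytes that remain.
        if (c.length > data.size() - c.offset)
            return std::nullopt;
        chunks.push_back(c);
        // IFF pads odd-length chunks to an even boundary; a missing final pad
        // byte is tolerated rather than read past the end.
        size_t advance = c.length + (c.length & 1);
        if (advance > data.size() - c.offset)
            advance = data.size() - c.offset;
        pos = c.offset + advance;
    }
    return chunks;
}

// Builds one chunk (ID, big-endian length, payload, pad) for constructed inputs.
static std::vector<uint8_t> make_chunk(char const* id, std::vector<uint8_t> const& payload)
{
    std::vector<uint8_t> out(id, id + 4);
    uint32_t n = uint32_t(payload.size());
    out.push_back(uint8_t(n >> 24));
    out.push_back(uint8_t(n >> 16));
    out.push_back(uint8_t(n >> 8));
    out.push_back(uint8_t(n));
    out.insert(out.end(), payload.begin(), payload.end());
    if (n & 1)
        out.push_back(0);
    return out;
}

// Constructed scenario matching the trace: the input ends inside a chunk
// header, so only 3 bytes remain where a 4-byte length field is expected.
static bool truncated_header_is_rejected()
{
    std::vector<uint8_t> data = make_chunk("BMHD", std::vector<uint8_t>(20, 0)); // 28 bytes
    for (char ch : { 'B', 'O', 'D', 'Y' })
        data.push_back(uint8_t(ch));
    data.push_back(0);
    data.push_back(0);
    data.push_back(0); // only 3 of the 4 length bytes are present
    return !decode_chunks(data, 0).has_value();
}

// Constructed well-formed stream: two chunks, the second odd-length and padded.
static size_t well_formed_chunk_count()
{
    std::vector<uint8_t> data = make_chunk("BMHD", std::vector<uint8_t>(20, 0));
    auto cmap = make_chunk("CMAP", std::vector<uint8_t>(9, 0xAA));
    data.insert(data.end(), cmap.begin(), cmap.end());
    auto r = decode_chunks(data, 0);
    return r ? r->size() : 0;
}

// Constructed stream whose header claims far more payload than is present.
static bool oversized_length_is_rejected()
{
    std::vector<uint8_t> data = { 'B', 'O', 'D', 'Y', 0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3 };
    return !decode_chunks(data, 0).has_value();
}
```

The two checks that matter are the `data.size() - pos < 8` test before each header and the `c.length > data.size() - c.offset` test after it; both are phrased as subtractions from the remaining size rather than `pos + n > size` so they cannot overflow on a hostile 32-bit length. A regression test for a fix to the loader would feed it a stream cut off inside a chunk header, as `truncated_header_is_rejected` does here, and expect a clean error rather than a read.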