The crash context
pwndbg> r
Starting program: /home/xxx/workplace/sam2p/sam2p-0.49.4/sam2p ./heapoverflow.pbm xxx.eps
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
Program received signal SIGSEGV, Segmentation fault.
0x000000000040f80a in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────
RAX 0x3e5a0
RBX 0x0
RCX 0x1f2d00
RDX 0x3e5a1
RDI 0x0
RSI 0xffffffff
R8 0xffffffff
R9 0x0
R10 0x7fffffffd500 ◂— 0x0
R11 0x7ffff7a94120 (free) ◂— mov rax, qword ptr [rip + 0x33edc1]
R12 0x666010 —▸ 0x447ed0 —▸ 0x42fb10 ◂— push r12
R13 0x669a60 —▸ 0x7ffff7dd37f8 (main_arena+152) —▸ 0x7ffff7dd37e8 (main_arena+136) —▸ 0x7ffff7dd37d8 (main_arena+120) —▸ 0x7ffff7dd37c8 (main_arena+104) ◂— ...
R14 0x7ffef7a11010 ◂— 0xffffff0000000000
R15 0x694cd0 ◂— 0x37ffffffff
RBP 0x0
RSP 0x7fffffffd7c0 —▸ 0x666010 —▸ 0x447ed0 —▸ 0x42fb10 ◂— push r12
RIP 0x40f80a ◂— movzx r9d, byte ptr [r13 + rax]
─────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
► 0x40f80a movzx r9d, byte ptr [r13 + rax]
0x40f810 mov r8d, r9d
0x40f813 mov eax, ecx
0x40f815 add ecx, 1
0x40f818 not r8d
0x40f81b add r9d, r9d
0x40f81e sar r8b, 7
0x40f822 mov byte ptr [r14 + rax], r8b
0x40f826 mov r8d, dword ptr [r15]
0x40f829 cmp r8d, ecx
0x40f82c ja 0x40f800
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd7c0 —▸ 0x666010 —▸ 0x447ed0 —▸ 0x42fb10 ◂— push r12
01:0008│ 0x7fffffffd7c8 ◂— 0x37006638c0
02:0010│ 0x7fffffffd7d0 —▸ 0x7fffffffddd0 ◂— 0x200000002
03:0018│ 0x7fffffffd7d8 —▸ 0x694cd0 ◂— 0x37ffffffff
04:0020│ 0x7fffffffd7e0 —▸ 0x7fffffffda60 ◂— 0xffffffff00000037 /* '7' */
05:0028│ 0x7fffffffd7e8 —▸ 0x694d00 —▸ 0x666010 —▸ 0x447ed0 —▸ 0x42fb10 ◂— ...
06:0030│ 0x7fffffffd7f0 —▸ 0x666010 —▸ 0x447ed0 —▸ 0x42fb10 ◂— push r12
07:0038│ 0x7fffffffd7f8 —▸ 0x6638c0 —▸ 0x43e3eb ◂— push rax /* 'PNM' */
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
► f 0 40f80a
f 1 40fd74
f 2 41001a
f 3 42d1a8
f 4 401d61
f 5 40149d
f 6 7ffff7a32f45 __libc_start_main+245
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGSEGV (fault address 0x6a8000)
pwndbg>
Sorry I don't know how to compile a debug version.
r13 is a pointer to the heap, and rax is too large, so this leads to an overflow
cmdline
/home/xxx/workplace/sam2p/sam2p-0.49.4/sam2p ./heapoverflow.pbm xxx.eps
poc:
https://github.com/hac425xxx/fuzzdata/blob/master/heapoverflow.pbm