[Pkg-libburnia-devel] Bug#872475: libisofs6: buffer under-read in read_rr_SL()

Jakub Wilk jwilk at jwilk.net
Thu Aug 17 17:35:48 UTC 2017


Package: libisofs6
Version: 1.4.6-1

The read_rr_SL() function contains the following code:

   size_t size = strlen(*dest);
   *dest = realloc(*dest, strlen(*dest) + len + 2);
   if (*dest == NULL) {
       return ISO_OUT_OF_MEM;
   }
   /* it is a new component, add the '/' */
   if ((*dest)[size-1] != '/') {
       (*dest)[size] = '/';
       (*dest)[size+1] = '\0';
   }

This works correctly if the *dest string is non-empty.
But if the string were empty, then size would be 0, and this would try to read
one byte before the allocated buffer.

The bug can be reproduced with the attached ISO image:

   $ valgrind xorriso -indev underread.iso -ls
   ...
   ==7162== Invalid read of size 1
   ==7162==    at 0x49A96AC: read_rr_SL (rockridge_read.c:382)
   ==7162==    by 0x49855FE: iso_file_source_new_ifs.constprop.36 (fs_image.c:1688)
   ==7162==    by 0x4985EC1: ifs_get_root (fs_image.c:2140)
   ==7162==    by 0x498D964: iso_image_import (fs_image.c:5736)
   ==7162==    by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
   ==7162==    by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
   ==7162==    by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
   ==7162==    by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
   ==7162==    by 0x108BA6: main (xorriso_main.c:265)
   ==7162==  Address 0x510eaef is 1 bytes before a block of size 3 alloc'd
   ==7162==    at 0x483047C: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   ==7162==    by 0x49A968E: read_rr_SL (rockridge_read.c:377)
   ==7162==    by 0x49855FE: iso_file_source_new_ifs.constprop.36 (fs_image.c:1688)
   ==7162==    by 0x4985EC1: ifs_get_root (fs_image.c:2140)
   ==7162==    by 0x498D964: iso_image_import (fs_image.c:5736)
   ==7162==    by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
   ==7162==    by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
   ==7162==    by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
   ==7162==    by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
   ==7162==    by 0x108BA6: main (xorriso_main.c:265)
   ...

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libisofs6 depends on:
ii  libacl1  2.2.52-3+b1
ii  libc6    2.24-14
ii  libjte1  1.20-2+b1
ii  zlib1g   1:1.2.8.dfsg-5

-- 
Jakub Wilk
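
The separator check quoted in the report, side by side with a hardened form, as an added C example (this is not code from the report or from libisofs). faulty_needs_slash() reproduces the `(*dest)[size-1] != '/'` test verbatim; safe_needs_slash() checks size first. To show what the under-read actually decides on, the faulty test is run on an empty string that is deliberately placed one byte after a sentinel we control, so the out-of-bounds read of the heap case becomes an in-bounds read of the sentinel. append_sl_component() and build_example_path() are hypothetical helpers with constructed sample components; the ISO_* return codes mirror the names in the snippet but are defined locally here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the libisofs return codes named in the report. */
#define ISO_SUCCESS      1
#define ISO_OUT_OF_MEM  (-1)

/* The separator test exactly as written in the reported read_rr_SL() code:
 * for an empty string size is 0, size-1 wraps to SIZE_MAX, and the index
 * resolves to the byte immediately before dest. */
static int faulty_needs_slash(const char *dest)
{
    size_t size = strlen(dest);
    return dest[size - 1] != '/';
}

/* Hardened test: an empty buffer never needs a separator, and the length is
 * checked before any byte is indexed. */
static int safe_needs_slash(const char *dest)
{
    size_t size = strlen(dest);
    return size > 0 && dest[size - 1] != '/';
}

/* Run the faulty test on an empty string whose preceding byte we control,
 * so the read stays inside our own array instead of the heap. The result
 * depends entirely on that unrelated byte. */
static int faulty_result_with_preceding_byte(char preceding)
{
    char guarded[2] = { preceding, '\0' };   /* guarded + 1 is "" */
    return faulty_needs_slash(guarded + 1);
}

/* Append one SL component (len bytes of comp, not NUL-terminated, as in an
 * on-disc record) to the path assembled in *dest. Hypothetical helper, not
 * libisofs' own fix. On realloc failure the old buffer is left in *dest so
 * the caller can still free it, unlike the snippet, which overwrites *dest. */
static int append_sl_component(char **dest, const char *comp, size_t len)
{
    size_t size = strlen(*dest);
    char *grown = realloc(*dest, size + len + 2);   /* '/' + comp + NUL */
    if (grown == NULL)
        return ISO_OUT_OF_MEM;
    *dest = grown;
    if (safe_needs_slash(*dest))
        (*dest)[size++] = '/';
    memcpy(*dest + size, comp, len);
    (*dest)[size + len] = '\0';
    return ISO_SUCCESS;
}

/* Assemble a path from constructed sample components, starting from the
 * empty heap string that triggers the reported under-read. Caller frees. */
static char *build_example_path(void)
{
    const char *comps[] = { "usr", "lib/", "x86_64" };
    char *path = calloc(1, 1);                 /* "" on the heap, like *dest */
    if (path == NULL)
        return NULL;
    for (size_t i = 0; i < 3; i++) {
        if (append_sl_component(&path, comps[i], strlen(comps[i])) != ISO_SUCCESS) {
            free(path);
            return NULL;
        }
    }
    return path;
}

int main(void)
{
    printf("faulty test, byte before is '/': %d\n", faulty_result_with_preceding_byte('/'));
    printf("faulty test, byte before is 'x': %d\n", faulty_result_with_preceding_byte('x'));
    printf("safe test on empty string:       %d\n", safe_needs_slash(""));

    char *path = build_example_path();
    if (path == NULL)
        return 1;
    printf("assembled path: %s\n", path);
    free(path);
    return 0;
}
```

The two faulty_result_with_preceding_byte() calls give different answers for the same (empty) input, which is the practical consequence of the bug: whether a '/' gets inserted is decided by heap contents the parser does not own. The hardened check costs one comparison and removes the dependency.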
