[Pkg-libburnia-devel] Bug#872545: libisofs6: heap-based buffer overflow in read_aaip_AL()
Jakub Wilk
jwilk at jwilk.net
Fri Aug 18 10:55:41 UTC 2017
Package: libisofs6
Version: 1.4.6-1
xorriso crashes on the attached ISO file:
$ xorriso -indev overflow.iso -ls
xorriso 1.4.6 : RockRidge filesystem manipulator, libburnia project.
libisoburn: WARNING : ISO image size 808464432s larger than readable size 20s
xorriso : NOTE : Loading ISO image tree from LBA 0
UNIX-SIGNAL: SIGSEGV errno= 2
xorriso : ABORT : Trying to shut down drive and library
xorriso : ABORT : Wait the normal burning time before any kill -9
*** Error in `xorriso': malloc(): memory corruption: 0x57a08340 ***
...
Aborted
Valgrind says it's a heap-based buffer overflow:
Invalid write of size 1
   at 0x49A9B0F: read_aaip_AL (rockridge_read.c:564)
   by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
   by 0x49865CE: read_dir (fs_image.c:647)
   by 0x49865CE: ifs_open (fs_image.c:718)
   by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
   by 0x498DE91: iso_image_import (fs_image.c:5868)
   by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
   by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
   by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
   by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
   by 0x108BA6: main (xorriso_main.c:265)
 Address 0x51117cc is 0 bytes after a block of size 4 alloc'd
   at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
   by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
   by 0x49865CE: read_dir (fs_image.c:647)
   by 0x49865CE: ifs_open (fs_image.c:718)
   by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
   by 0x498DE91: iso_image_import (fs_image.c:5868)
   by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
   by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
   by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
   by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
   by 0x108BA6: main (xorriso_main.c:265)

Invalid write of size 4
   at 0x49A9B2B: memcpy (string3.h:53)
   by 0x49A9B2B: read_aaip_AL (rockridge_read.c:567)
   by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
   by 0x49865CE: read_dir (fs_image.c:647)
   by 0x49865CE: ifs_open (fs_image.c:718)
   by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
   by 0x498DE91: iso_image_import (fs_image.c:5868)
   by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
   by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
   by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
   by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
   by 0x108BA6: main (xorriso_main.c:265)
 Address 0x51117cd is 1 bytes after a block of size 4 alloc'd
   at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
   by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
   by 0x49865CE: read_dir (fs_image.c:647)
   by 0x49865CE: ifs_open (fs_image.c:718)
   by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
   by 0x498DE91: iso_image_import (fs_image.c:5868)
   by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
   by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
   by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
   by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
   by 0x108BA6: main (xorriso_main.c:265)

Invalid write of size 4
   at 0x49A9B42: memcpy (string3.h:53)
   by 0x49A9B42: read_aaip_AL (rockridge_read.c:567)
   by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
   by 0x49865CE: read_dir (fs_image.c:647)
   by 0x49865CE: ifs_open (fs_image.c:718)
   by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
   by 0x498DE91: iso_image_import (fs_image.c:5868)
   by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
   by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
   by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
   by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
   by 0x108BA6: main (xorriso_main.c:265)
 Address 0x51117d0 is 4 bytes after a block of size 4 alloc'd
   at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x49A9BAA: read_aaip_AL (rockridge_read.c:541)
   by 0x4985D85: iso_file_source_new_ifs.constprop.36 (fs_image.c:1774)
   by 0x49865CE: read_dir (fs_image.c:647)
   by 0x49865CE: ifs_open (fs_image.c:718)
   by 0x497CC9F: iso_add_dir_src_rec (tree.c:998)
   by 0x498DE91: iso_image_import (fs_image.c:5868)
   by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
   by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
   by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
   by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
   by 0x108BA6: main (xorriso_main.c:265)
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Architecture: i386
Versions of packages libisofs6 depends on:
ii libacl1 2.2.52-3+b1
ii libc6 2.24-14
ii libjte1 1.20-2+b1
ii zlib1g 1:1.2.8.dfsg-5
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: overflow.iso.gz
Type: application/gzip
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libburnia-devel/attachments/20170818/be028157/attachment-0001.bin>