[Secure-testing-team] Bug#889224: gocr: heap buffer overflow while running gocr
Joonun Jang
joonun.jang at gmail.com
Sat Feb 3 07:21:46 UTC 2018
Package: gocr
Version: 0.49-2+b1
Severity: important
Tags: security
heap buffer overflow running gocr with "poc" option
Running 'gocr poc' with the attached file raises a heap buffer overflow
which may allow a remote attacker to cause unspecified impact, including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:
june at june:~/temp/report/gocr/00004223$ ../../binary/gocr-0.49/src/gocr poc
=================================================================
==5380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffc1 at pc 0x55555562c95f bp 0x7fffffff4da0 sp 0x7fffffff4d98
READ of size 1 at 0x61400000ffc1 thread T0
#0 0x55555562c95e in thresholding /home/june/temp/report/binary/gocr-0.49/src/otsu.c:255
#1 0x55555558bf0c in pgm2asc /home/june/temp/report/binary/gocr-0.49/src/pgm2asc.c:2790
#2 0x55555556a1d8 in main /home/june/temp/report/binary/gocr-0.49/src/gocr.c:368
#3 0x7ffff65972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#4 0x555555568149 in _start (/home/june/temp/report/binary/gocr-0.49/src/gocr+0x14149)
0x61400000ffc1 is located 0 bytes to the right of 385-byte region [0x61400000fe40,0x61400000ffc1)
allocated by thread T0 here:
#0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x555555642c50 in readpgm /home/june/temp/report/binary/gocr-0.49/src/pnm.c:225
#2 0x555555569e93 in read_picture /home/june/temp/report/binary/gocr-0.49/src/gocr.c:310
#3 0x55555556a1ba in main /home/june/temp/report/binary/gocr-0.49/src/gocr.c:361
#4 0x7ffff65972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/june/temp/report/binary/gocr-0.49/src/otsu.c:255 in thresholding
==5380==ABORTING
This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gocr depends on:
ii libc6 2.24-11+deb9u1
Versions of packages gocr recommends:
ii bzip2 1.0.6-8.1
ii fig2dev [transfig] 1:3.2.6a-2+deb9u1
ii libjpeg-turbo-progs [libjpeg-progs] 1:1.5.1-2
ii netpbm 2:10.0-15.3+b2
ii transfig 1:3.2.6a-2+deb9u1
gocr suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 137 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20180203/8de2bb84/attachment.obj>
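As an added illustration of the kind of check that prevents this class of crash (a routine that scans a pixel buffer whose size was derived from an untrusted file header), and not code from gocr or from the reporter: a hypothetical Otsu thresholding function that refuses to touch the buffer unless the declared width and height are consistent with the bytes actually allocated. The names otsu_threshold and sample_image, and the 4x4 sample image, are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 4x4 sample: two gray levels, eight pixels each. */
const uint8_t sample_image[16] = { 10, 10, 10, 10, 10, 10, 10, 10,
                                   200, 200, 200, 200, 200, 200, 200, 200 };

/* Hypothetical thresholding routine (not gocr's code). w and h come from an
 * untrusted file header; len is the number of bytes actually allocated and
 * filled for the pixel data. The histogram loop only runs once w*h is proven
 * to fit in len bytes, so an overstated header cannot push the read past the
 * end of the heap buffer. Returns the Otsu threshold (0..255), or -1 when the
 * geometry is inconsistent with the buffer (also -1 for a single-level image,
 * where no split exists). */
int otsu_threshold(const uint8_t *pix, size_t w, size_t h, size_t len) {
    unsigned long hist[256] = { 0 };
    double sum = 0.0, sumB = 0.0, best = -1.0;
    size_t n, t, wB = 0, wF;
    int threshold = -1;

    if (pix == NULL || w == 0 || h == 0) return -1;
    if (h > SIZE_MAX / w) return -1;          /* w*h would wrap around */
    n = w * h;
    if (n > len) return -1;                   /* header claims more pixels than we hold */

    for (size_t i = 0; i < n; i++) hist[pix[i]]++;  /* i < n <= len: in bounds */
    for (t = 0; t < 256; t++) sum += (double)t * hist[t];

    for (t = 0; t < 256; t++) {
        wB += hist[t];                        /* pixels at or below t */
        if (wB == 0) continue;
        wF = n - wB;                          /* pixels above t */
        if (wF == 0) break;
        sumB += (double)t * hist[t];
        double mB = sumB / (double)wB, mF = (sum - sumB) / (double)wF;
        double between = (double)wB * (double)wF * (mB - mF) * (mB - mF);
        if (between > best) { best = between; threshold = (int)t; }
    }
    return threshold;
}

int main(void) {
    printf("threshold: %d\n", otsu_threshold(sample_image, 4, 4, sizeof sample_image));
    /* A header overstating the pixel count (20 declared, 16 allocated) is rejected. */
    printf("bad header: %d\n", otsu_threshold(sample_image, 5, 4, sizeof sample_image));
    return 0;
}
```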