
Add SECURITY.md about leanify (closed, 5 comments)

JamieSlome commented on May 28, 2024
Add SECURITY.md


Comments (5)

JayXon commented on May 28, 2024

Looks like that's the same issue as #80, which has already been fixed.


JamieSlome commented on May 28, 2024

Thanks, @JayXon! You should receive an e-mail shortly.

Otherwise, you can view the report directly here:
https://huntr.dev/bounties/bdad4af3-4f03-47de-a157-179608b12349/

It is private and only accessible to maintainers with repository write permissions! ❤️


Asteriska001 commented on May 28, 2024

Looks like that's the same issue as #80, which has already been fixed.

Sorry, the issue seems not to have been fixed.

I have re-tested the POC with the latest version.
The heap-overflow issue occurred again.
I'd appreciate it if you could check this issue again.


Asteriska001 commented on May 28, 2024

POC
Reports:

=================================================================
==1191==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001021 at pc 0x5555555c125d bp 0x7ffff39fc380 sp 0x7ffff39fc370
READ of size 2 at 0x602000001021 thread T1
#0 0x5555555c125c in Swf::Leanify(unsigned long) formats/swf.cpp:124
#1 0x555555734982 in LeanifyFile(void*, unsigned long, unsigned long, std::__cxx11::basic_string, std::allocator > const&) /AFLplusplus/my_test/projects/Leanify/asan_bin/Leanify/leanify.cpp:140
#2 0x555555734982 in ProcessFile(std::__cxx11::basic_string, std::allocator > const&) [clone .isra.0] /AFLplusplus/my_test/projects/Leanify/asan_bin/Leanify/main.cpp:65
#3 0x5555555a72e8 in operator() /AFLplusplus/my_test/projects/Leanify/asan_bin/Leanify/main.cpp:139
#4 0x5555555a72e8 in __invoke_impl&> /usr/include/c++/10/bits/invoke.h:60
#5 0x5555555a72e8 in __invoke_r&> /usr/include/c++/10/bits/invoke.h:110
#6 0x5555555a72e8 in _M_invoke /usr/include/c++/10/bits/std_function.h:291
#7 0x55555559fa54 in std::function::operator()() const /usr/include/c++/10/bits/std_function.h:622
#8 0x55555559fa54 in tf::Executor::_invoke_static_task(tf::Worker&, tf::Node*) lib/taskflow/core/executor.hpp:823
#9 0x55555559fa54 in tf::Executor::_invoke(tf::Worker&, tf::Node*) lib/taskflow/core/executor.hpp:671
#10 0x5555555af3d5 in tf::Executor::_exploit_task(tf::Worker&, tf::Node*&) lib/taskflow/core/executor.hpp:467
#11 0x5555555af3d5 in tf::Executor::_exploit_task(tf::Worker&, tf::Node*&) lib/taskflow/core/executor.hpp:458
#12 0x5555555af3d5 in tf::Executor::_spawn(unsigned long)::{lambda(tf::Worker&)#1}::operator()(tf::Worker&) const lib/taskflow/core/executor.hpp:397
#13 0x5555555af3d5 in void std::__invoke_impl >(std::__invoke_other, tf::Executor::_spawn(unsigned long)::{lambda(tf::Worker&)#1}&&, std::reference_wrapper&&) /usr/include/c++/10/bits/invoke.h:60
#14 0x5555555af3d5 in std::__invoke_result >::type std::__invoke >(tf::Executor::_spawn(unsigned long)::{lambda(tf::Worker&)#1}&&, std::reference_wrapper&&) /usr/include/c++/10/bits/invoke.h:95
#15 0x5555555af3d5 in void std::thread::_Invoker > >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/include/c++/10/thread:264
#16 0x5555555af3d5 in std::thread::_Invoker > >::operator()() /usr/include/c++/10/thread:271
#17 0x5555555af3d5 in std::thread::_State_impl > > >::_M_run() /usr/include/c++/10/thread:215
#18 0x7ffff74846b3 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xda6b3)
#19 0x7ffff75cd608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
#20 0x7ffff7170292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x602000001021 is located 16 bytes to the right of 1-byte region [0x602000001010,0x602000001011)
allocated by thread T1 here:
#0 0x7ffff769d717 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
#1 0x5555555bc2b3 in Swf::Leanify(unsigned long) formats/swf.cpp:106

Thread T1 created by T0 here:
#0 0x7ffff763f6d5 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7ffff7484989 in std::thread::_M_start_thread(std::unique_ptr >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xda989)

SUMMARY: AddressSanitizer: heap-buffer-overflow formats/swf.cpp:124 in Swf::Leanify(unsigned long)
==1191==ABORTING


JayXon commented on May 28, 2024

@Asteriska8 Oh sorry, I think there are multiple issues. I fixed the crash, but it looks like that buffer overflow is actually a different issue, not the cause of the crash.

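The confusion in this thread (a crash fixed under #80 versus the heap-buffer-overflow reported above) is the kind a triage script can catch: the faulting line, the allocation site and the error type together identify a bug, and fixing a different crash leaves all three unchanged. The following is an added example, not code from leanify or from anyone in the thread; the embedded sample is a constructed trim of the ASan report posted above, and the "libsanitizer" skip is a heuristic assumption for finding the allocating caller.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the key lines of the ASan report posted above, trimmed
# to what triage needs (shadow bytes and deeper frames omitted).
SAMPLE_REPORT = """\
==1191==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001021 at pc 0x5555555c125d bp 0x7ffff39fc380 sp 0x7ffff39fc370
READ of size 2 at 0x602000001021 thread T1
    #0 0x5555555c125c in Swf::Leanify(unsigned long) formats/swf.cpp:124
0x602000001021 is located 16 bytes to the right of 1-byte region [0x602000001010,0x602000001011)
allocated by thread T1 here:
    #0 0x7ffff769d717 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
    #1 0x5555555bc2b3 in Swf::Leanify(unsigned long) formats/swf.cpp:106
SUMMARY: AddressSanitizer: heap-buffer-overflow formats/swf.cpp:124 in Swf::Leanify(unsigned long)
"""
# One symbolized stack frame: "#N 0xADDR in FUNCTION FILE:LINE".
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+:\d+)$", re.M)

@dataclass(frozen=True)
class AsanFinding:
    error: str                   # e.g. heap-buffer-overflow
    access: str                  # READ or WRITE
    size: int                    # bytes accessed
    fault_loc: str               # file:line of the faulting frame (#0)
    region_size: Optional[int]   # size of the heap region ASan matched
    overflow_by: Optional[int]   # distance past (or before) that region
    alloc_loc: Optional[str]     # first non-runtime frame of the allocation stack

def parse_asan_report(text: str) -> AsanFinding:
    err = re.search(r"ERROR: AddressSanitizer: (\S+) on address", text)
    acc = re.search(r"^(READ|WRITE) of size (\d+) at", text, re.M)
    if not err or not acc:
        raise ValueError("not an AddressSanitizer access report")
    # Everything before "allocated by" is the access stack; after it, the allocation stack.
    head, _, alloc_part = text.partition("allocated by")
    fault = FRAME_RE.search(head)
    if not fault:
        raise ValueError("no faulting frame found")
    reg = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region", text)
    # Heuristic: skip the sanitizer's own operator new frame to reach the caller that allocated.
    alloc_loc = next((m.group("loc") for m in FRAME_RE.finditer(alloc_part)
                      if "libsanitizer" not in m.group("loc")), None)
    return AsanFinding(err.group(1), acc.group(1), int(acc.group(2)), fault.group("loc"),
                       int(reg.group(3)) if reg else None, int(reg.group(1)) if reg else None,
                       alloc_loc)

def triage_key(f: AsanFinding) -> tuple:
    # Same bug only if error type, faulting line and allocation site all agree.
    return (f.error, f.fault_loc, f.alloc_loc)
```

Comparing `triage_key` values across reports from before and after a fix tells you whether the fix touched this finding at all; a 2-byte read 16 bytes past a 1-byte region at a different site than the fixed crash is a separate bug.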
