lekensteyn / dmg2img


DMG2IMG allows you to convert (compressed) Apple Disk Images (imported from http://vu1tur.eu.org/dmg2img). Note: the master branch contains imported code but lacks the bugfixes/features from the develop branch. The "develop" branch is recommended!

License: GNU General Public License v2.0

Makefile 1.29% C 97.29% Roff 1.42%

dmg2img's Introduction

DMG2IMG

DMG2IMG is a tool which allows converting Apple compressed dmg archives to standard (hfsplus) disk image files.

This tool handles zlib, bzip2, and LZFSE compressed dmg images.

Usage:

dmg2img [-l] [-p N] [-s] [-v] [-V] [-d] <input.dmg> [<output.img> | -]

or

dmg2img [-l] [-p N] [-s] [-v] [-V] [-d] -i <input.dmg> -o <output.img | ->

Options: -s (silent) -v (verbose) -V (extremely verbose) -d (debug)
         -l (list partitions) -p N (extract only partition N)

See the original README file for platform-specific instructions to open or mount the resulting output file.

The original author is vu1tur, http://vu1tur.eu.org/dmg2img. This Git repository is maintained by Peter Wu at https://github.com/Lekensteyn/dmg2img based on imported tarballs. It includes bug and security fixes and further enhancements.

Building

Required packages:

  • zlib1g-dev (zlib support)
  • libbz2-dev (bzip2 support)
  • libssl-dev (only required for vfdecrypt, not needed for dmg2img)

LZFSE decompression support requires the LZFSE library which can be found at https://github.com/lzfse/lzfse/. As this library is not widely available on Linux distributions, it is not enabled by default.

To build dmg2img:

make dmg2img

To build dmg2img with LZFSE support:

make dmg2img HAVE_LZFSE=1

To build dmg2img with Address Sanitizer for debugging purposes:

make dmg2img CC=clang LDFLAGS=-fsanitize=address


dmg2img's Issues

Doesn't compile against openssl-1.1

cc -g -O2 -Wall -o vfdecrypt vfdecrypt.c -lcrypto
vfdecrypt.c: In function ‘apple_des3_ede_unwrap_key’:
vfdecrypt.c:215:18: error: storage size of ‘ctx’ isn’t known
EVP_CIPHER_CTX ctx;
^~~
vfdecrypt.c:215:18: warning: unused variable ‘ctx’ [-Wunused-variable]
vfdecrypt.c: In function ‘unwrap_v2_header’:
vfdecrypt.c:282:18: error: storage size of ‘ctx’ isn’t known
EVP_CIPHER_CTX ctx;
^~~
vfdecrypt.c:282:18: warning: unused variable ‘ctx’ [-Wunused-variable]
vfdecrypt.c: In function ‘main’:
vfdecrypt.c:449:3: warning: implicit declaration of function ‘HMAC_CTX_init’ [-Wimplicit-function-declaration]
HMAC_CTX_init(&hmacsha1_ctx);
^~~~~~~~~~~~~
vfdecrypt.c:333:18: warning: variable ‘oflag’ set but not used [-Wunused-but-set-variable]
int iflag = 0, oflag = 0, pflag = 0, kflag = 0, verbose = 0;
^~~~~
vfdecrypt.c:333:7: warning: variable ‘iflag’ set but not used [-Wunused-but-set-variable]
int iflag = 0, oflag = 0, pflag = 0, kflag = 0, verbose = 0;
^~~~~
vfdecrypt.c: At top level:
vfdecrypt.c:186:10: error: storage size of ‘hmacsha1_ctx’ isn’t known
HMAC_CTX hmacsha1_ctx;

With openssl you cannot do this anymore

EVP_CIPHER_CTX ctx;

should probably become something like this

EVP_CIPHER_CTX *ctx;
ctx=EVP_CIPHER_CTX_new();
...
EVP_CIPHER_CTX_free(ctx);

But there need to be some more changes.

LZFSE does not work on large dmg files -> consider bringing another working implementation upstream?

First of all, big thanks for maintaining the project!

The example devdiskimage.img as described in commit https://github.com/Lekensteyn/dmg2img/commit/a2d8dfb59dc81ce7c46bb384ff02a8a21ca15d72

➜  test-lzfse ./dmg2img/dmg2img DeveloperDiskImage.dmg devdiskimage.img -d -v   

dmg2img v1.6.5 (c) vu1tur ([email protected])

DeveloperDiskImage.dmg --> devdiskimage.img

Debug info will be written to dmg2img.log

reading property list, 4218 bytes from address 19871934 ...
partition 0: begin=174, size=1912, decoded=1284

decompressing:
opening partition 0 ...        [27] 100.00%  ok

Archive successfully decompressed as devdiskimage.img

works fine. It is ~20MB in size.

However with a much bigger file like IntelliJ 2020.2.4 (~670MB), there is an error:

~ wget https://download.jetbrains.com/idea/ideaIC-2020.2.4.dmg 
~ ./dmg2img/dmg2img ./ideaIC-2020.2.4.dmg ideaIC-2020.2.4.iso -d 

dmg2img v1.6.5 (c) vu1tur ([email protected])

./ideaIC-2020.2.4.dmg --> ideaIC-2020.2.4.iso

Debug info will be written to dmg2img.log
decompressing:
opening partition 0 ...             100.00%  ok
opening partition 1 ...             100.00%  ok
opening partition 2 ...             100.00%  ok
opening partition 3 ...             100.00%  ok
opening partition 4 ...               4.77%Truncated 1054586 to 1048576, data might be lost
decompression failed

and the extraction fails.

There is a fork out there by citruz where the extraction works for me (checked md5 against hdiutil). It only contains a single commit so should be easy to bring upstream.

In their implementation, they mention that "lzfse does not support chunked decompression". Hence, they decompress the whole block at once. This is different from the implementation here.

Would you perhaps consider integrating the solution by citruz? If you need any help, do not hesitate to ask 👍 .

The code I used to test:

wget https://download.jetbrains.com/idea/ideaIC-2020.2.4.dmg
# other repo https://github.com/citruz/dmg2img/
git clone https://github.com/Lekensteyn/dmg2img/
git clone https://github.com/lzfse/lzfse/

# compile and install lzfse
cd lzfse
make && sudo make install
cd ..

# compile and install dmg2img
cd dmg2img
make dmg2img HAVE_LZFSE=1 || true
cd ..

./dmg2img/dmg2img ./ideaIC-2020.2.4.dmg ideaIC-2020.2.4.iso -V -d
7z x ideaIC-2020.2.4.iso -oidea-extract

#### On Linux ####
# for file comparing, to also copy hidden files
shopt -s dotglob nullglob
mv idea-extract/IntelliJ\ IDEA\ CE/* idea-extract/
rmdir idea-extract/IntelliJ\ IDEA\ CE

find idea-extract -type f -exec md5sum {} + | sort -k 2 > linux.txt

#### on OSX only ####

wget https://download.jetbrains.com/idea/ideaIC-2020.2.4.dmg

hdiutil makehybrid -iso -joliet -o ideaIC-2020.2.4.iso ideaIC-2020.2.4.dmg
7z x ideaIC-2020.2.4.iso -oidea-extract
brew install md5sha1sum
find idea-extract -type f -exec md5sum {} + | sort -k 2 > osx.txt

#### Finally ####
diff linux.txt osx.txt

A heap overflow in dmg2img.h:84

There is a 1-byte read overflow in convert_char4 in dmg2img.h:

=================================================================
==1504730==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf49007c8 at pc 0x08112bf5 bp 0xffced768 sp 0xffced760
READ of size 1 at 0xf49007c8 thread T0
    #0 0x8112bf4 in convert_char4 /home/vivin/Projects/phd/subjects/dmg2img/dmg2img-develop/./dmg2img.h:84:22
    #1 0x8112d29 in convert_char8 /home/vivin/Projects/phd/subjects/dmg2img/dmg2img-develop/./dmg2img.h:90:21
    #2 0x8120ae5 in main /home/vivin/Projects/phd/subjects/dmg2img/dmg2img-develop/dmg2img.c:692:10
    #3 0xf7c2bee4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eee4)
    #4 0x80644b5 in _start (/home/vivin/Projects/phd/workspace/smartdsf/dmg2img/binaries/sandpuppy-main-asan/dmg2img+0x80644b5)

0xf49007c8 is located 23 bytes to the right of 1-byte region [0xf49007b0,0xf49007b1)
allocated by thread T0 here:
    #0 0x80dee45 in malloc (/home/vivin/Projects/phd/workspace/smartdsf/dmg2img/binaries/sandpuppy-main-asan/dmg2img+0x80dee45)
    #1 0x811a60a in main /home/vivin/Projects/phd/subjects/dmg2img/dmg2img-develop/dmg2img.c:290:28
    #2 0xf7c2bee4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eee4)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vivin/Projects/phd/subjects/dmg2img/dmg2img-develop/./dmg2img.h:84:22 in convert_char4
==1504730==ABORTING

Appears to be due to a malformed BT_TERM block. Input file triggering this bug has been attached (unzip to use).

id:000008,sig:06,src:000057+000058,op:splice,rep:8.zip

A Segmentation fault in adc.c:41

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), dmg2img (latest master f16f24)

Command line

./dmg2img -i @@ -o /dev/null

Output

Segmentation fault

AddressSanitizer output

==66194==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd23fcfd7ff at pc 0x00000040fa3e bp 0x7fff01a7acb0 sp 0x7fff01a7aca0
READ of size 1 at 0x7fd23fcfd7ff thread T0
    #0 0x40fa3d in adc_decompress /home/seviezhou/dmg2img/adc.c:41
    #1 0x405cad in main /home/seviezhou/dmg2img/dmg2img.c:571
    #2 0x7fd242ef383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #3 0x408108 in _start (/home/seviezhou/dmg2img/dmg2img+0x408108)

0x7fd23fcfd7ff is located 1 bytes to the left of 1048576-byte region [0x7fd23fcfd800,0x7fd23fdfd800)
allocated by thread T0 here:
    #0 0x7fd24375f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x403f95 in main /home/seviezhou/dmg2img/dmg2img.c:371

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/dmg2img/adc.c:41 adc_decompress
==66194==ABORTING

POC

heap-overflow-adc-41.zip

A Segmentation fault in dmg2img.c:284

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), dmg2img (latest master f16f24)

Command line

./dmg2img -i ./heap-overflow-dmg2img-284 -o /dev/null

Output

Segmentation fault

AddressSanitizer output

=================================================================
==45846==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffef at pc 0x7f6e5ebdc935 bp 0x7fff9c6bbd10 sp 0x7fff9c6bb4b8
READ of size 268435536 at 0x61400000ffef thread T0
    #0 0x7f6e5ebdc934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x40343a in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x40343a in main /home/seviezhou/dmg2img/dmg2img.c:284
    #3 0x7f6e5e37c83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #4 0x407fe8 in _start (/home/seviezhou/dmg2img/dmg2img+0x407fe8)

0x61400000ffef is located 0 bytes to the right of 431-byte region [0x61400000fe40,0x61400000ffef)
allocated by thread T0 here:
    #0 0x7f6e5ebe8602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x403119 in main /home/seviezhou/dmg2img/dmg2img.c:265

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==45846==ABORTING

POC

heap-overflow-dmg2img-284.zip

fatal: can't handle xcode314_2809_developerdvd.dmg

[937606a]
[gcc 4.8.5, x86_64 openSuSE Leap 42.1]

I tried to unpack the xcode 3.1.4 dmg file as can be downloaded from

https://developer.apple.com/downloads/?name=Xcode%203.1.4

Doing

dmg2img -p 5 -i xcode314_2809_developerdvd.dmg -o xcode.img &>dmg2img.log

I get

Warning: wrote 1054597120 bytes, expected 1054640128
Wrote 43008 padding bytes

in the log file, and I can't mount it afterwards since

mount -t hfsplus -o loop xcode.img /mnt

fails with

mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       missing codepage or helper program, or other error

Looking into the dmesg output, I see

hfsplus: invalid secondary volume header
hfsplus: unable to find HFS+ superblock

Version 1.6.3 (also self-compiled) handles the file just fine.

A Segmentation fault in dmg2img.h:188

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), dmg2img (latest master f16f24)

Command line

./dmg2img -i @@ -o /dev/null

Output

Segmentation fault

AddressSanitizer output

=================================================================
==39429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000007ff9 at pc 0x7f58afaed935 bp 0x7ffcfd253e50 sp 0x7ffcfd2535f8
READ of size 204 at 0x610000007ff9 thread T0
    #0 0x7f58afaed934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x40b47e in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x40b47e in fill_mishblk /home/seviezhou/dmg2img/dmg2img.h:188
    #3 0x403332 in main /home/seviezhou/dmg2img/dmg2img.c:274
    #4 0x7f58af28d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x408108 in _start (/home/seviezhou/dmg2img/dmg2img+0x408108)

0x610000007ff9 is located 0 bytes to the right of 185-byte region [0x610000007f40,0x610000007ff9)
allocated by thread T0 here:
    #0 0x7f58afaf9602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40322d in main /home/seviezhou/dmg2img/dmg2img.c:265

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==39429==ABORTING

POC

heap-overflow-dmg2img-188.zip
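Added example (my code, not dmg2img's) for this report and the earlier ones at dmg2img.h:84 and dmg2img.c:284, in which a fixed-size or count-driven read runs past the end of a short decoded blkx blob: a mish parser that checks the 204-byte header and the declared run count against the blob length before reading anything. The BLKX layout used here (204-byte header, 40-byte run entries, run count at offset 200) is the dmg format as I know it, so verify it against the source; the function names, the cursor type and the sample blob are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BLKX ("mish") layout: 204-byte fixed header followed by 40-byte run entries. */
#define MISH_HEADER_LEN     204
#define MISH_RUN_LEN        40
#define MISH_RUN_COUNT_OFF  200
#define MAX_RUNS            64   /* capacity of this demo's run array (my choice) */
struct cursor { const uint8_t *p; size_t len, pos; };
/* Bounded big-endian readers: the job of convert_char4/convert_char8, but they
 * refuse to read past the end of the blob instead of trusting the caller. */
static int read_be32(struct cursor *c, uint32_t *v)
{
    const uint8_t *b = c->p + c->pos;
    if (c->len - c->pos < 4) return -1;
    *v = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    c->pos += 4;
    return 0;
}
static int read_be64(struct cursor *c, uint64_t *v)
{
    uint32_t hi, lo;
    if (read_be32(c, &hi) || read_be32(c, &lo)) return -1;
    *v = (uint64_t)hi << 32 | lo;
    return 0;
}
struct mish_run    { uint32_t type; uint64_t sector_number, sector_count, comp_offset, comp_length; };
struct mish_header { uint64_t sector_number, sector_count, data_start; uint32_t run_count; };

/* Parse header and runs from a decoded blkx blob of exactly `len` bytes.
 * Returns the run count (>= 0), or -1 when the blob is truncated or inconsistent. */
long parse_mish(const uint8_t *blob, size_t len, struct mish_header *h,
                struct mish_run *runs, size_t max_runs)
{
    struct cursor c = { blob, len, 0 };
    uint32_t version, comment;
    /* Check the whole fixed header before touching any field of it: the 204-byte
     * memcpy in the report above ran 19 bytes past a 185-byte region. */
    if (len < MISH_HEADER_LEN || memcmp(blob, "mish", 4) != 0) return -1;
    c.pos = 4;
    if (read_be32(&c, &version) || version != 1) return -1;
    if (read_be64(&c, &h->sector_number) || read_be64(&c, &h->sector_count) ||
        read_be64(&c, &h->data_start)) return -1;
    c.pos = MISH_RUN_COUNT_OFF;      /* skip buffer hint, descriptor, reserved, checksum */
    if (read_be32(&c, &h->run_count)) return -1;
    /* The declared run count must fit the caller's array and the bytes actually present. */
    if (h->run_count > max_runs ||
        h->run_count > (len - MISH_HEADER_LEN) / MISH_RUN_LEN) return -1;
    for (uint32_t i = 0; i < h->run_count; i++) {
        struct mish_run *r = &runs[i];
        if (read_be32(&c, &r->type) || read_be32(&c, &comment) ||
            read_be64(&c, &r->sector_number) || read_be64(&c, &r->sector_count) ||
            read_be64(&c, &r->comp_offset) || read_be64(&c, &r->comp_length)) return -1;
    }
    return (long)h->run_count;
}

/* ---- constructed sample blob (not taken from any real dmg) ---- */
static void put_be32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void put_be64(uint8_t *p, uint64_t v) { put_be32(p, (uint32_t)(v >> 32)); put_be32(p + 4, (uint32_t)v); }

/* Header plus two runs (a raw run, then the 0xffffffff terminator). The run count field
 * is set to `declared_runs` so that a lying count can be tested. Returns the blob length. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t declared_runs)
{
    size_t n = MISH_HEADER_LEN + 2 * MISH_RUN_LEN;
    uint8_t *r = buf + MISH_HEADER_LEN;
    if (cap < n) return 0;
    memset(buf, 0, n);
    memcpy(buf, "mish", 4);
    put_be32(buf + 4, 1);                                   /* version */
    put_be64(buf + 16, 16);                                 /* sector count */
    put_be32(buf + MISH_RUN_COUNT_OFF, declared_runs);
    put_be32(r, 0x00000001); put_be64(r + 16, 16); put_be64(r + 32, 8192); /* raw: 16 sectors, 8192 bytes */
    r += MISH_RUN_LEN;
    put_be32(r, 0xffffffff); put_be64(r + 8, 16);           /* terminator at sector 16 */
    return n;
}

/* Three cases: well formed; cut to the 185 bytes seen in the report; a run count that lies. */
long demo_ok(void)        { uint8_t b[512]; struct mish_header h; struct mish_run r[MAX_RUNS];
                            return parse_mish(b, build_sample(b, sizeof b, 2), &h, r, MAX_RUNS); }
long demo_truncated(void) { uint8_t b[512]; struct mish_header h; struct mish_run r[MAX_RUNS];
                            build_sample(b, sizeof b, 2); return parse_mish(b, 185, &h, r, MAX_RUNS); }
long demo_bad_count(void) { uint8_t b[512]; struct mish_header h; struct mish_run r[MAX_RUNS];
                            return parse_mish(b, build_sample(b, sizeof b, 100), &h, r, MAX_RUNS); }

int main(void)
{
    printf("ok=%ld truncated=%ld bad_count=%ld\n", demo_ok(), demo_truncated(), demo_bad_count());
    return 0;
}
```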

zlib compressed images not handled correctly

I think zlib compressed images are not handled correctly, but I can't reproduce the production of an image. The image I wanted to mount is the one from the libSDL website:

https://www.libsdl.org/release/SDL2-2.0.4.dmg

If you convert it, the final img file will be identified as:

SDL2.img: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 10352 sectors, extended partition table (last)

This img file is not mountable anyhow. Always has a bad superblock, no matter what type of FS you try to use.

Any hints on how to get this working?

A Segmentation fault in dmg2img.c:237

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), dmg2img (latest master f16f24)

Command line

./dmg2img -i ./SEGV-dmg2img-237 -o /dev/null

Output

Segmentation fault

AddressSanitizer output

ASAN:SIGSEGV
=================================================================
==10882==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7efc257f513d bp 0x000000000000 sp 0x7ffc51c0a3c8 T0)
    #0 0x7efc257f513c  (/lib/x86_64-linux-gnu/libc.so.6+0xaa13c)
    #1 0x402f31 in main /home/seviezhou/dmg2img/dmg2img.c:237
    #2 0x7efc2576b83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #3 0x407fe8 in _start (/home/seviezhou/dmg2img/dmg2img+0x407fe8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==10882==ABORTING

POC

SEGV-dmg2img-237.zip

A heap overflow in base64.c:86

System info

Ubuntu x86_64, gcc (Ubuntu 5.5.0-12ubuntu1), dmg2img (latest master f16f24)

Command line

./dmg2img -i @@ -o /dev/null

Output

Segmentation fault

AddressSanitizer output

=================================================================
==35628==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efef at pc 0x00000040e763 bp 0x7fff07749610 sp 0x7fff07749600
READ of size 1 at 0x60200000efef thread T0
    #0 0x40e762 in decode_base64 /home/seviezhou/dmg2img/base64.c:86
    #1 0x403327 in main /home/seviezhou/dmg2img/dmg2img.c:273
    #2 0x7fcf3a12383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #3 0x408108 in _start (/home/seviezhou/dmg2img/dmg2img+0x408108)

0x60200000efef is located 1 bytes to the left of 5-byte region [0x60200000eff0,0x60200000eff5)
allocated by thread T0 here:
    #0 0x7fcf3a98f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40322d in main /home/seviezhou/dmg2img/dmg2img.c:265

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/dmg2img/base64.c:86 decode_base64
==35628==ABORTING

POC

heap-overflow-decode_base64-base64-86.zip

A Segmentation fault in adc.c:46

System info

Ubuntu x86_64, gcc (Ubuntu 5.5.0-12ubuntu1), dmg2img (latest master f16f24)

Command line

./dmg2img -i @@ -o /dev/null

Output

Segmentation fault

AddressSanitizer output

==31593==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f61a58fd7fe at pc 0x00000040fb18 bp 0x7ffed99b85d0 sp 0x7ffed99b85c0
READ of size 1 at 0x7f61a58fd7fe thread T0
    #0 0x40fb17 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #1 0x40fb17 in adc_decompress /home/seviezhou/dmg2img/adc.c:46
    #2 0x405cad in main /home/seviezhou/dmg2img/dmg2img.c:571
    #3 0x7f61a8af583f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #4 0x408108 in _start (/home/seviezhou/dmg2img/dmg2img+0x408108)

0x7f61a58fd7fe is located 2 bytes to the left of 1048576-byte region [0x7f61a58fd800,0x7f61a59fd800)
allocated by thread T0 here:
    #0 0x7f61a9361602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x403f95 in main /home/seviezhou/dmg2img/dmg2img.c:371

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/x86_64-linux-gnu/bits/string3.h:53 memcpy
==31593==ABORTING

POC

heap-overflow-adc_decompress-adc-46.zip

A Segmentation fault in adc.c:66

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), dmg2img (latest master f16f24)

Command line

./dmg2img -i ./heap-overflow-adc-66 -o /dev/null

Output

decompressing:
opening partition 0 ...                    
Segmentation fault

AddressSanitizer output

decompressing:
opening partition 0 ...                    =================================================================
==29718==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f66bedfd68c at pc 0x00000040f2dd bp 0x7ffc24807200 sp 0x7ffc248071f0
READ of size 1 at 0x7f66bedfd68c thread T0
    #0 0x40f2dc in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #1 0x40f2dc in adc_decompress /home/seviezhou/dmg2img/adc.c:66
    #2 0x405c3e in main /home/seviezhou/dmg2img/dmg2img.c:571
    #3 0x7f66c1fbe83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #4 0x407fe8 in _start (/home/seviezhou/dmg2img/dmg2img+0x407fe8)

0x7f66bedfd68c is located 372 bytes to the left of 1048576-byte region [0x7f66bedfd800,0x7f66beefd800)
allocated by thread T0 here:
    #0 0x7f66c282a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x403ef0 in main /home/seviezhou/dmg2img/dmg2img.c:371

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/x86_64-linux-gnu/bits/string3.h:53 memcpy
==29718==ABORTING

POC

heap-overflow-adc-66.zip
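Added example (my code, not the repository's adc.c) covering this report and the two earlier adc.c ones (adc.c:41 and adc.c:46): all three show a read 1, 2 or 372 bytes before the start of a 1 MiB heap region, which is what a back-reference whose distance exceeds the bytes already written does. The decoder below checks input length, output capacity and back-reference distance before every copy; the opcode layout in the comment is how I read adc.c and is an assumption, and the function and sample names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes; a non-negative return is the number of bytes produced. */
enum { ADC_ERR_INPUT_TRUNCATED = -1, ADC_ERR_BAD_DISTANCE = -2, ADC_ERR_OUTPUT_FULL = -3 };

/* Opcode layout, as I read adc.c (assumption, verify against the source):
 *   1xxxxxxx             literal run: the next (x + 1) input bytes are copied verbatim
 *   01xxxxxx hh ll       copy (x + 4) bytes from (hhll + 1) bytes back in the output
 *   00xxxxyy ll          copy (xxxx + 3) bytes from (yyll + 1) bytes back in the output */
long adc_decompress_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t b = in[ip];
        size_t len, dist = 0, hdr;
        if (b & 0x80) {                       /* literal run */
            len = (size_t)(b & 0x7F) + 1;
            hdr = 1;
            if (in_len - ip < hdr + len) return ADC_ERR_INPUT_TRUNCATED;
            if (out_cap - op < len) return ADC_ERR_OUTPUT_FULL;
            memcpy(out + op, in + ip + hdr, len);
            ip += hdr + len;
            op += len;
            continue;
        }
        if (b & 0x40) {                       /* 3-byte back-reference */
            hdr = 3;
            if (in_len - ip < hdr) return ADC_ERR_INPUT_TRUNCATED;
            len = (size_t)(b & 0x3F) + 4;
            dist = ((size_t)in[ip + 1] << 8 | in[ip + 2]) + 1;
        } else {                              /* 2-byte back-reference */
            hdr = 2;
            if (in_len - ip < hdr) return ADC_ERR_INPUT_TRUNCATED;
            len = (size_t)((b & 0x3F) >> 2) + 3;
            dist = ((size_t)(b & 0x03) << 8 | in[ip + 1]) + 1;
        }
        /* The check missing in the reports above: the copy source must lie inside the
         * bytes already produced, otherwise it reads before the start of `out`. */
        if (dist > op) return ADC_ERR_BAD_DISTANCE;
        if (out_cap - op < len) return ADC_ERR_OUTPUT_FULL;
        /* Byte-wise copy on purpose: when dist < len the regions overlap (run-length style). */
        for (size_t i = 0; i < len; i++) out[op + i] = out[op + i - dist];
        ip += hdr;
        op += len;
    }
    return (long)op;
}

/* ---- constructed sample streams (not from any real dmg) ---- */
static const uint8_t SAMPLE_OK[]  = { 0x82, 'a', 'b', 'c', 0x00, 0x02 }; /* "abc", then copy 3 from 3 back */
static const uint8_t SAMPLE_BAD[] = { 0x82, 'a', 'b', 'c', 0x00, 0x09 }; /* distance 10 with only 3 bytes produced */
static const uint8_t SAMPLE_CUT[] = { 0x40 };                            /* 3-byte opcode missing its distance */

static uint8_t scratch[64];

/* Decode a sample into the scratch buffer, limited to `cap` bytes; returns the decoder's result. */
long decode_sample(const uint8_t *in, size_t in_len, size_t cap)
{
    memset(scratch, 0, sizeof scratch);
    return adc_decompress_checked(in, in_len, scratch, cap < sizeof scratch ? cap : sizeof scratch);
}

int scratch_equals(const char *expected)
{
    return memcmp(scratch, expected, strlen(expected)) == 0;
}

int main(void)
{
    long n = decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, 64);
    printf("well formed: %ld bytes -> %.6s\n", n, (const char *)scratch);
    printf("bad distance: %ld\n", decode_sample(SAMPLE_BAD, sizeof SAMPLE_BAD, 64));
    printf("truncated input: %ld\n", decode_sample(SAMPLE_CUT, sizeof SAMPLE_CUT, 64));
    printf("output too small: %ld\n", decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, 4));
    return 0;
}
```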

interest for a cross-platform cmake build (including lzfse, asan etc.)

Hi @Lekensteyn,

I'm working on a fork of your repo, where I've made a number of changes for personal use: made the code cross-platform, added CMake, added vcpkg (optional on Linux), added Windows support for clang+asan etc. The code is here.

There are no changes in functionality.

I'm opening this ticket in case you're interested in a PR, if you're not, feel free to close it 👍

Is it possible to provide releases of the source code as tar.gz dumps, like in the original http://vu1tur.eu.org/dmg2img?

Subj.

In fact, this repo can be considered a new mainline; it would be nice to promote it to the maintainers of the various Linux distributions.

A tar.gz on the Release page is preferred; however, if that is not possible, it would be nice to have at least Git tags, like "v1.6.8" etc.

For example, this would allow adding dmg2img back into the Gentoo ebuild tree, and probably providing an updated dmg2img version in other distributions.
