libpano13-bin: out of bounds read in PTinfo


pola lemu

Apr 22, 2021, 5:04:58 PM
to hugin and other free panoramic software
In libpano13-2.9.20, there is an out-of-bounds read bug.
The bug is in the function panoParserFindOLine() in parser.c.

Line 2494 calls strchr; the returned pointer is NULL, and then `ptr++` turns it into 0x1.
```
      2494      ptr = strchr(ptr, '\n');
             // ptr=0x00007fffffffe1f8  →  0x0000000000000000
 → 2495      ptr++;
```


So at line 2467, `*ptr` (0x01) cannot be accessed, which results in an out-of-bounds read and a crash.

```
// ptr=0x00007fffffffe1f8  →  0x0000000000000001
 → 2466      while (ptr != NULL) {
●  2467        if (*ptr == 'o') {
```
The backtrace:

```
──── source:parser.c+2467 ────────────
   2462      int count = 0;
   2463
   2464
   2465      ptr = script;
   2466      while (ptr != NULL) {
                      // ptr=0x00007fffffffe1f8  →  0x0000000000000001
●→ 2467      if (*ptr == 'o') {
   2468          if (count == index) {
   2469          // we have found it
   2470          int length;
   2471          char *temp;
   2472          char *result;
───────── threads ──────────────────
[#0] Id 1, Name: "PTinfo", stopped 0x7ffff7f4effa in panoParserFindOLine (), reason: SIGSEGV
─────── trace ─────────────────
[#0] 0x7ffff7f4effa → panoParserFindOLine(script=0x55555555c030 "\006", index=0x0)
[#1] 0x7ffff7fa4019 → panoTiffDisplayInfo(fileName=0x5555555596b0 "./crashes/id:000000,sig:11,src:000003,time:5466,op:flip1,pos:4679")
[#2] 0x555555555410 → main(argc=0x2, argv=0x7fffffffe388)
───────────────────────────────
```

I am not sure whether the following patch is suitable.

```
--- a/parser.c
+++ b/parser.c
@@ -2492,6 +2492,10 @@
     }
     // find next beginning of line
     ptr = strchr(ptr, '\n');
+    if(!ptr){
+       PrintError("Error parsing next line.");
+       return NULL;;
+    }
     ptr++;

     }

```
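Review bot: the `return NULL;;` line carries a stray second semicolon; drop it. The larger point is that the check reports the normal end-of-script case as an error: strchr() returning NULL here only means the current line is the last one (any script whose final line has no trailing newline reaches this on every lookup that runs past it), and the enclosing `while (ptr != NULL)` loop already terminates cleanly when ptr becomes NULL. Replacing the added block with `if (ptr) ptr++;` (or `if (ptr == NULL) break;`) removes the invalid 0x1 pointer just the same, but lets the loop fall through to whatever the function returns when the requested line is not found, instead of printing "Error parsing next line." for a well-formed script.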

PoC file: attached


Reporter: chiba in topsec alphalab


libpano13-ptinfo-oobr-01
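The pattern behind the crash above is a line walker that does `ptr = strchr(ptr, '\n'); ptr++;` without checking for NULL, so the last line of the script (or a script with no newline at all, like the fuzzer's "\006") yields the pointer 0x1 on the next iteration. The following is an added example, not libpano13's code: a hypothetical `find_o_line()` that mirrors the shape of the loop in panoParserFindOLine() (count lines starting with 'o', copy the index-th one) with the advance step moved into a `next_line()` helper that returns NULL at end of script, so the `while (ptr != NULL)` condition ends the loop instead of dereferencing an invalid pointer. The sample script is constructed for the example and deliberately has no trailing newline on its final line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: three header-style lines followed by two 'o' lines;
 * the final line has no trailing newline, which is exactly the case where
 * strchr() returns NULL. Not a real PTO file. */
#define SAMPLE_SCRIPT \
    "p f2 w3000 h1500 v360\n" \
    "i f0 w1 h1 n\"a.jpg\"\n" \
    "o w1 h1 n\"first\"\n" \
    "o w1 h1 n\"second\""

/* Advance to the start of the next line, or return NULL at end of script.
 * The unpatched code did `ptr = strchr(ptr, '\n'); ptr++;` unconditionally,
 * so a NULL from strchr() became the bogus pointer 0x1 and the loop's
 * `*ptr == 'o'` test then read from an unmapped address. */
static const char *next_line(const char *ptr)
{
    const char *nl = strchr(ptr, '\n');
    if (nl == NULL)
        return NULL;     /* current line is the last one: stop, don't increment */
    return nl + 1;
}

/* Hypothetical stand-in for panoParserFindOLine(): return a malloc'd copy of
 * the index-th line beginning with 'o' (without its newline), or NULL if the
 * script has fewer such lines. The caller owns the returned buffer. */
char *find_o_line(const char *script, int index)
{
    int count = 0;
    const char *ptr = script;

    while (ptr != NULL) {
        if (*ptr == 'o') {
            if (count == index) {
                /* Copy up to the newline, or to the terminator on the last line. */
                const char *end = strchr(ptr, '\n');
                size_t len = end ? (size_t)(end - ptr) : strlen(ptr);
                char *result = malloc(len + 1);
                if (result == NULL)
                    return NULL;
                memcpy(result, ptr, len);
                result[len] = '\0';
                return result;
            }
            count++;
        }
        ptr = next_line(ptr);   /* NULL here ends the loop cleanly */
    }
    return NULL;  /* ran out of lines before reaching the requested 'o' line */
}

int main(void)
{
    /* The three inputs that matter: a line in the middle, the unterminated
     * last line, and an index past the end (the case that used to crash). */
    const char *inputs[] = { SAMPLE_SCRIPT, SAMPLE_SCRIPT, SAMPLE_SCRIPT, "\006" };
    int indices[] = { 0, 1, 2, 0 };

    for (size_t i = 0; i < sizeof(indices) / sizeof(indices[0]); i++) {
        char *line = find_o_line(inputs[i], indices[i]);
        printf("index %d -> %s\n", indices[i], line ? line : "(not found)");
        free(line);
    }
    return 0;
}
```

The fuzzer input from the backtrace, "\006", is a script with no newline at all: the first `*ptr == 'o'` test is fine (it reads the single valid byte), and the NULL from `next_line()` ends the loop before any second read.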

T. Modes

Apr 23, 2021, 3:58:47 PM
to hugin and other free panoramic software
pola lemu wrote on Thursday, 22 April 2021 at 19:04:58 UTC+2:
> I am not sure whether the following patch is suitable.

Thanks for the diagnosis and the patch. I committed a slightly modified version.