[bug-libextractor] An Out-of-bounds Read vulnerability in dvi_extractor.c

From: Leon Zhao
Subject: [bug-libextractor] An Out-of-bounds Read vulnerability in dvi_extractor.c
Date: Tue, 17 Oct 2017 10:11:25 +0800

Tested Version:
v1.4

Details:
In the EXTRACTOR_dvi_extract_method function, it reads pos from the file, so a crafted file can set pos to an invalid value, and it triggers a crash in the code
213   if (data[pos] != 248)

Vulnerability Code:
208   opos = pos;
209   pos = getIntAt (&data[opos + 1]);
210   if (pos + 25 > size)
211     goto CLEANUP;
212   /* assert pos at 'post' command */
213   if (data[pos] != 248)
214     goto CLEANUP;

Crash Information:
gdb and backtrace
(gdb) run -i extract-dvi_extract_method-dvi_extractor-213.crash
Starting program: /opt/asan/bin/extract -i extract-dvi_extract_method-dvi_extractor-213.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-dvi_extract_method-dvi_extractor-213.crash:

Breakpoint 1, EXTRACTOR_dvi_extract_method (ec=0x7fffffffa050) at dvi_extractor.c:208
208       opos = pos;
(gdb) n
209       pos = getIntAt (&data[opos + 1]);
(gdb) s
getIntAt (data="" at dvi_extractor.c:131
131     {
(gdb) n
134       memcpy (&p, data, 4);          /* ensure alignment! */
(gdb) n
135       return ntohl (p);
(gdb) p (int)p
$1 = -1
(gdb) n
131     {
(gdb) 
136     }
(gdb) 
EXTRACTOR_dvi_extract_method (ec=0x7fffffffa050) at dvi_extractor.c:210
210       if (pos + 25 > size)
(gdb) 
213       if (data[pos] != 248)
(gdb) p pos
$2 = 4294967295
(gdb) 

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff243acdf in EXTRACTOR_dvi_extract_method (ec=0x7fffffffa050) at dvi_extractor.c:213
213       if (data[pos] != 248)
(gdb) 

CREDIT
Zhao Liang, Huawei Weiran Labs

The attachment is the PoC file.

Attachment: extract-dvi_extract_method-dvi_extractor-213.crash
Description: Binary data
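The following is an added example written for this page; it is not code from the report above nor from libextractor itself. It models why the `if (pos + 25 > size)` check on line 210 does not stop the read on line 213, and shows a check that does. It assumes pos is a 32-bit unsigned integer, which matches gdb printing pos as 4294967295 but is not stated by the report: under that assumption the addition wraps (0xFFFFFFFF + 25 = 24), the check passes, and data[pos] is read far outside the buffer. The sample trailers are constructed here and are not real DVI files; only the opcode values 248 ('post') and 249 ('post_post') and the big-endian 4-byte pointer layout follow the DVI format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 32-bit read; yields the same value as the report's getIntAt()
   (memcpy + ntohl) but is written with shifts so no platform header is needed. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Models the report's `if (pos + 25 > size)` under the assumption that pos
   is a 32-bit unsigned integer (consistent with gdb printing 4294967295).
   The addition is done in 32 bits, so pos = 0xFFFFFFFF gives pos + 25 = 24,
   the check passes, and data[pos] is then read outside the buffer.
   Returns 1 when the check would allow the dereference. */
int vulnerable_check_accepts(uint32_t pos, size_t size)
{
    uint32_t end = pos + 25;        /* wraps for pos > UINT32_MAX - 25 */
    return end > size ? 0 : 1;
}

/* Hardened form: never add to an attacker-controlled offset; first confirm
   pos lies inside the buffer, then subtract from the trusted size. */
int hardened_check_accepts(uint32_t pos, size_t size)
{
    if (pos >= size)
        return 0;
    return (size - pos >= 25) ? 1 : 0;
}

/* Locates the DVI 'post' command (opcode 248) via the 4-byte pointer that
   follows the 'post_post' opcode (249) at opos, using the hardened check.
   Returns the offset of 'post', or -1 if the file is rejected. */
long long find_post_offset(const unsigned char *data, size_t size, size_t opos)
{
    uint32_t pos;

    if (opos >= size || size - opos < 5)        /* need opcode + 4 bytes */
        return -1;
    pos = read_be32(&data[opos + 1]);
    if (!hardened_check_accepts(pos, size))
        return -1;
    if (data[pos] != 248)                        /* assert pos at 'post' */
        return -1;
    return (long long)pos;
}

/* Constructed sample trailers (not real DVI files): 'post' at offset 5,
   'post_post' at offset 40 followed by the 4-byte pointer back to 'post'.
   BAD_TRAILER carries the pointer 0xFFFFFFFF seen in the gdb session. */
#define TRAILER_SIZE 64
#define POST_POST_AT 40
const unsigned char GOOD_TRAILER[TRAILER_SIZE] = {
    [5] = 248, [POST_POST_AT] = 249, [POST_POST_AT + 4] = 5 };
const unsigned char BAD_TRAILER[TRAILER_SIZE] = {
    [5] = 248, [POST_POST_AT] = 249,
    [POST_POST_AT + 1] = 0xFF, [POST_POST_AT + 2] = 0xFF,
    [POST_POST_AT + 3] = 0xFF, [POST_POST_AT + 4] = 0xFF };

int main(void)
{
    uint32_t bad = read_be32(&BAD_TRAILER[POST_POST_AT + 1]);
    printf("pos from crafted trailer: %u\n", bad);
    printf("vulnerable check accepts: %d, hardened check accepts: %d\n",
           vulnerable_check_accepts(bad, TRAILER_SIZE),
           hardened_check_accepts(bad, TRAILER_SIZE));
    printf("good trailer -> post at %lld, bad trailer -> %lld\n",
           find_post_offset(GOOD_TRAILER, TRAILER_SIZE, POST_POST_AT),
           find_post_offset(BAD_TRAILER, TRAILER_SIZE, POST_POST_AT));
    return 0;
}
```

The general rule the hardened check follows: when an offset comes from the file, compare it against the size before doing any arithmetic with it, and express the remaining-space requirement as `size - pos >= N` rather than `pos + N <= size`, since the former cannot wrap once `pos < size` is known.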

