Heap buffer overflow on cmft::imageLoadTga

[strongcourage]

Hi,

Our fuzzer found a crash due to a heap buffer overflow on the function cmft::imageLoadTga. I built cmft (the latest commit 06a3516 on master) using the configuration "release64" on Ubuntu 16.04 (64-bit).

PoC_hbo_imageLoadTga: https://github.com/strongcourage/PoCs/blob/master/cmft_06a3516/PoC_hbo_imageLoadTga

cmftRelease --input PoC_hbo_imageLoadTga --output0 /dev/null
CMFT info: Converting octant image to cubemap.
*** Error in `./cmftRelease': free(): invalid next size (normal): 0x0000000002513ea0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fd312c387e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fd312c4137a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fd312c4553c]
./cmftRelease[0x41dbc1]
./cmftRelease[0x41812a]
./cmftRelease[0x43cc05]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fd312be1830]
./cmftRelease[0x402269]
======= Memory map: ========
00400000-0044e000 r-xp 00000000 103:01 3678247                           /home/dungnguyen/PoCs/cmft_06a3516/cmftRelease
0064d000-0064e000 r--p 0004d000 103:01 3678247                           /home/dungnguyen/PoCs/cmft_06a3516/cmftRelease
0064e000-0064f000 rw-p 0004e000 103:01 3678247                           /home/dungnguyen/PoCs/cmft_06a3516/cmftRelease
0064f000-006a2000 rw-p 00000000 00:00 0 
02501000-02533000 rw-p 00000000 00:00 0                                  [heap]
7fd30c000000-7fd30c021000 rw-p 00000000 00:00 0 
7fd30c021000-7fd310000000 ---p 00000000 00:00 0 
7fd312bc1000-7fd312d81000 r-xp 00000000 103:03 4718690                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd312d81000-7fd312f81000 ---p 001c0000 103:03 4718690                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd312f81000-7fd312f85000 r--p 001c0000 103:03 4718690                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd312f85000-7fd312f87000 rw-p 001c4000 103:03 4718690                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd312f87000-7fd312f8b000 rw-p 00000000 00:00 0 
7fd312f8b000-7fd312fa1000 r-xp 00000000 103:03 4723208                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd312fa1000-7fd3131a0000 ---p 00016000 103:03 4723208                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd3131a0000-7fd3131a1000 rw-p 00015000 103:03 4723208                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fd3131a1000-7fd3132a9000 r-xp 00000000 103:03 4723188                   /lib/x86_64-linux-gnu/libm-2.23.so
7fd3132a9000-7fd3134a8000 ---p 00108000 103:03 4723188                   /lib/x86_64-linux-gnu/libm-2.23.so
7fd3134a8000-7fd3134a9000 r--p 00107000 103:03 4723188                   /lib/x86_64-linux-gnu/libm-2.23.so
7fd3134a9000-7fd3134aa000 rw-p 00108000 103:03 4723188                   /lib/x86_64-linux-gnu/libm-2.23.so
7fd3134aa000-7fd31361c000 r-xp 00000000 103:03 5376129                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd31361c000-7fd31381c000 ---p 00172000 103:03 5376129                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd31381c000-7fd313826000 r--p 00172000 103:03 5376129                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd313826000-7fd313828000 rw-p 0017c000 103:03 5376129                   /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7fd313828000-7fd31382c000 rw-p 00000000 00:00 0 
7fd31382c000-7fd313844000 r-xp 00000000 103:03 4718677                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd313844000-7fd313a43000 ---p 00018000 103:03 4718677                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd313a43000-7fd313a44000 r--p 00017000 103:03 4718677                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd313a44000-7fd313a45000 rw-p 00018000 103:03 4718677                   /lib/x86_64-linux-gnu/libpthread-2.23.so
7fd313a45000-7fd313a49000 rw-p 00000000 00:00 0 
7fd313a49000-7fd313a4c000 r-xp 00000000 103:03 4718675                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fd313a4c000-7fd313c4b000 ---p 00003000 103:03 4718675                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fd313c4b000-7fd313c4c000 r--p 00002000 103:03 4718675                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fd313c4c000-7fd313c4d000 rw-p 00003000 103:03 4718675                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fd313c4d000-7fd313c54000 r-xp 00000000 103:03 4718609                   /lib/x86_64-linux-gnu/librt-2.23.so
7fd313c54000-7fd313e53000 ---p 00007000 103:03 4718609                   /lib/x86_64-linux-gnu/librt-2.23.so
7fd313e53000-7fd313e54000 r--p 00006000 103:03 4718609                   /lib/x86_64-linux-gnu/librt-2.23.so
7fd313e54000-7fd313e55000 rw-p 00007000 103:03 4718609                   /lib/x86_64-linux-gnu/librt-2.23.so
7fd313e55000-7fd313e7b000 r-xp 00000000 103:03 4718676                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd31404a000-7fd314051000 rw-p 00000000 00:00 0 
7fd314079000-7fd31407a000 rw-p 00000000 00:00 0 
7fd31407a000-7fd31407b000 r--p 00025000 103:03 4718676                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd31407b000-7fd31407c000 rw-p 00026000 103:03 4718676                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd31407c000-7fd31407d000 rw-p 00000000 00:00 0 
7ffe419b8000-7ffe419da000 rw-p 00000000 00:00 0                          [stack]
7ffe419dd000-7ffe419e0000 r--p 00000000 00:00 0                          [vvar]
7ffe419e0000-7ffe419e2000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

ASAN says:

cmftRelease-asan --input PoC_hbo_imageLoadTga --output0 /dev/null
=================================================================
==18117==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x7f26c41d7904 bp 0x7fff6b3bb500 sp 0x7fff6b3baca8
WRITE of size 3 at 0x60400000e000 thread T0
    #0 0x7f26c41d7903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x434027 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x434027 in cmft::imageLoadTga(cmft::Image&, cmft::Rw*, cmft::AllocatorI*) ../../src/cmft/image.cpp:4942
    #3 0x4344b3 in cmft::imageLoad(cmft::Image&, cmft::Rw*, cmft::TextureFormat::Enum, cmft::AllocatorI*) ../../src/cmft/image.cpp:5039
    #4 0x4348a9 in cmft::imageLoad(cmft::Image&, char const*, cmft::TextureFormat::Enum, cmft::AllocatorI*) ../../src/cmft/image.cpp:5062
    #5 0x475600 in cmftMain(int, char const* const*) ../../src/cmft_cli/cmft_cli.h:895
    #6 0x7f26c2ed782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x403608 in _start (/home/dungnguyen/PoCs/cmft_06a3516/cmftRelease-asan+0x403608)

0x60400000e000 is located 0 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7f26c41e3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x433f18 in cmft::imageLoadTga(cmft::Image&, cmft::Rw*, cmft::AllocatorI*) ../../src/cmft/image.cpp:4899

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==18117==ABORTING

Thanks,
Manh Dung