The following attached sample file crashes dmg2img. The sample file was fuzzed with
american fuzzy lop <http://lcamtuf.coredump.cx/afl/>. Feel free to contact me in
case you need more information. I was unable to find an upstream bug tracker for
this software.
c2ad4e5aa15856d3dfb1527b6a5a3fd07958830c sample01.dmg
gdb:
"""
dmg2img v1.6.5 (c) vu1tur (to@vu1tur.eu.org)
sample01.dmg --> sample01.img
decompressing:
opening partition 0 ...
Program received signal SIGSEGV, Segmentation fault.
main (argc=<optimized out>, argv=<optimized out>) at dmg2img.c:390
390 block_type = convert_char4((unsigned char *)parts[i].Data + offset);
(gdb) bt full
#0 main (argc=<optimized out>, argv=<optimized out>) at dmg2img.c:390
bi = <optimized out>
i = <optimized out>
err = <optimized out>
partnum = 1
tmp = 0x7ffff7ed8010 ""
otmp = 0x7ffff7529010 ""
dtmp = 0x7ffff7428010 ""
input_file = <optimized out>
output_file = 0x610010 "sample01.img"
plist = 0x6104b0 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>resource-fork</key>\n\t<d"...
blkx = 0x612300 "<key>blkx</key>\n\t\t<array>\n\t\t\t<dict>\n\t\t\t\t<key>Attributes</key>\n\t\t\t\t<string>0x0050</string>\n\t\t\t\t<key>CFName</key>\n\t\t\t\t<string>Protective Master Boot Record (MBR : 0)</string>\n\t\t\t\t<key>Data</key>\n\t\t\t\t<da"...
blkx_size = <optimized out>
parts = 0x613970
data_begin = <optimized out>
data_end = <optimized out>
partname_begin = <optimized out>
partname_end = <optimized out>
mish_begin = <optimized out>
partname = '\000' <repeats 254 times>
data_size = <optimized out>
out_offs = <optimized out>
out_size = <optimized out>
in_offs = 0
in_size = <optimized out>
in_offs_add = 0
add_offs = 0
to_read = <optimized out>
to_write = <optimized out>
chunk = <optimized out>
reserved = " "
sztype = '\000' <repeats 63 times>
block_type = <optimized out>
szSignature = "koly"
rSignature = <optimized out>
__PRETTY_FUNCTION__ = "main"
#1 0x00007ffff7648ead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe5a8) at libc-start.c:244
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 5332225185369646181, 4226116, 140737488348592, 0, 0, -5332225186142264219, -5332208876894198683}, mask_was_saved = 0}}, priv = {
pad = {0x0, 0x0, 0x40e7c0, 0x7fffffffe5b8}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4253632}}}
not_first_call = <optimized out>
#2 0x0000000000407c6d in _start ()
No symbol table info available.
"""
Valgrind:
"""
==18211== Memcheck, a memory error detector
==18211== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==18211== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==18211== Command: dmg2img sample01.dmg
==18211==
dmg2img v1.6.5 (c) vu1tur (to@vu1tur.eu.org)
sample01.dmg --> sample01.img
decompressing:
opening partition 0 ... ==18211== Invalid read of size 1
==18211== at 0x4046ED: main (dmg2img.h:81)
==18211== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18211==
==18211==
==18211== Process terminating with default action of signal 11 (SIGSEGV)
==18211== Access not within mapped region at address 0x0
==18211== at 0x4046ED: main (dmg2img.h:81)
==18211== If you believe this happened as a result of a stack
==18211== overflow in your program's main thread (unlikely but
==18211== possible), you can try to increase the size of the
==18211== main thread stack using the --main-stacksize= flag.
==18211== The main thread stack size used in this run was 8388608.
==18211==
==18211== HEAP SUMMARY:
==18211== in use at exit: 3,160,989 bytes in 10 blocks
==18211== total heap usage: 10 allocs, 0 frees, 3,160,989 bytes allocated
==18211==
==18211== LEAK SUMMARY:
==18211== definitely lost: 431 bytes in 1 blocks
==18211== indirectly lost: 0 bytes in 0 blocks
==18211== possibly lost: 0 bytes in 0 blocks
==18211== still reachable: 3,160,558 bytes in 9 blocks
==18211== suppressed: 0 bytes in 0 blocks
==18211== Rerun with --leak-check=full to see details of leaked memory
==18211==
==18211== For counts of detected and suppressed errors, rerun with: -v
==18211== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
Segmentation fault
"""
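Both traces above point at the same defect: a 4-byte read through `parts[i].Data` (in `convert_char4`) when that pointer is NULL, which Valgrind reports as an invalid read at address 0x0. The C below is an added illustration of the defensive read such a parser needs; it is not dmg2img's code and the `struct part`, `read_be32_checked` and `scan_block_types` names, the 8-byte blob and the two-partition table are all constructed here for the example. It carries the buffer length alongside the pointer so that a missing or truncated blob is reported instead of dereferenced.

```c
/* Hypothetical defensive helper, not dmg2img's code.  The reported crash is
 * a 4-byte read through parts[i].Data while that pointer is NULL.  This
 * reader takes the buffer length with the pointer and refuses NULL or
 * out-of-range reads instead of faulting. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in (constructed) for a decoded blkx partition entry. */
struct part {
    const unsigned char *data;   /* decoded <data> blob; NULL if decoding failed */
    size_t               len;    /* length of that blob in bytes, 0 when NULL */
};

/* Big-endian 32-bit read with NULL and bounds checks.  Returns false when
 * the buffer is missing or the 4 bytes at `offset` are not all inside it. */
bool read_be32_checked(const unsigned char *buf, size_t len, size_t offset,
                       uint32_t *out)
{
    if (buf == NULL || offset > len || len - offset < 4)
        return false;
    *out = ((uint32_t)buf[offset] << 24) | ((uint32_t)buf[offset + 1] << 16) |
           ((uint32_t)buf[offset + 2] << 8) | (uint32_t)buf[offset + 3];
    return true;
}

/* Walk the partition table the way the crashing loop does, but stop on the
 * first part whose data is missing or too short.  Returns the number of
 * block types read, or -1 on the first bad part. */
int scan_block_types(const struct part *parts, size_t partnum, size_t offset)
{
    int n = 0;
    for (size_t i = 0; i < partnum; i++) {
        uint32_t block_type;
        if (!read_be32_checked(parts[i].data, parts[i].len, offset, &block_type)) {
            fprintf(stderr, "partition %zu: block data missing or truncated\n", i);
            return -1;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: partition 0 carries a valid 8-byte blob, partition 1
     * mirrors the fuzzed file where the data pointer ended up NULL. */
    static const unsigned char blob[8] = {0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef};
    struct part good[1] = {{blob, sizeof blob}};
    struct part bad[2]  = {{blob, sizeof blob}, {NULL, 0}};
    uint32_t v = 0;

    if (read_be32_checked(blob, sizeof blob, 4, &v))
        printf("block type at offset 4: 0x%08x\n", v);
    printf("good table: %d block types\n", scan_block_types(good, 1, 0));
    printf("bad table:  %d (rejected, not crashed)\n", scan_block_types(bad, 2, 0));
    return 0;
}
```

The key design point is that the pointer alone is not enough: the length of the decoded blob must travel with it, and every fixed-width read is validated against that length before it happens, so a fuzzed plist that yields an empty or failed `<data>` decode produces an error path rather than a SIGSEGV.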