#778814 dmg2img: invalid read, segmentation fault at dmg2img.c:390

Package: dmg2img
Source: dmg2img
Description: Tool for converting compressed dmg files to hfsplus images
Submitter: Henri Salo
Date: 2015-02-20 08:54:04 UTC
Severity: important
#778814#5
Date: 2015-02-20 08:45:50 UTC
The following attached sample file crashes dmg2img. The sample file is fuzzed with
american fuzzy lop <http://lcamtuf.coredump.cx/afl/>. Feel free to contact me in
case you need more information. I was unable to find an upstream bug tracker for
this software.

c2ad4e5aa15856d3dfb1527b6a5a3fd07958830c  sample01.dmg

gdb:

"""
dmg2img v1.6.5 (c) vu1tur (to@vu1tur.eu.org)

sample01.dmg --> sample01.img


decompressing:
opening partition 0 ...
Program received signal SIGSEGV, Segmentation fault.
main (argc=<optimized out>, argv=<optimized out>) at dmg2img.c:390
390                             block_type = convert_char4((unsigned char *)parts[i].Data + offset);
(gdb) bt full
#0  main (argc=<optimized out>, argv=<optimized out>) at dmg2img.c:390
        bi = <optimized out>
        i = <optimized out>
        err = <optimized out>
        partnum = 1
        tmp = 0x7ffff7ed8010 ""
        otmp = 0x7ffff7529010 ""
        dtmp = 0x7ffff7428010 ""
        input_file = <optimized out>
        output_file = 0x610010 "sample01.img"
        plist = 0x6104b0 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>resource-fork</key>\n\t<d"...
        blkx = 0x612300 "<key>blkx</key>\n\t\t<array>\n\t\t\t<dict>\n\t\t\t\t<key>Attributes</key>\n\t\t\t\t<string>0x0050</string>\n\t\t\t\t<key>CFName</key>\n\t\t\t\t<string>Protective Master Boot Record (MBR : 0)</string>\n\t\t\t\t<key>Data</key>\n\t\t\t\t<da"...
        blkx_size = <optimized out>
        parts = 0x613970
        data_begin = <optimized out>
        data_end = <optimized out>
        partname_begin = <optimized out>
        partname_end = <optimized out>
        mish_begin = <optimized out>
        partname = '\000' <repeats 254 times>
        data_size = <optimized out>
        out_offs = <optimized out>
        out_size = <optimized out>
        in_offs = 0
        in_size = <optimized out>
        in_offs_add = 0
        add_offs = 0
        to_read = <optimized out>
        to_write = <optimized out>
        chunk = <optimized out>
        reserved = "    "
        sztype = '\000' <repeats 63 times>
        block_type = <optimized out>
        szSignature = "koly"
        rSignature = <optimized out>
        __PRETTY_FUNCTION__ = "main"
#1  0x00007ffff7648ead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffe5a8) at libc-start.c:244
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 5332225185369646181, 4226116, 140737488348592, 0, 0, -5332225186142264219, -5332208876894198683}, mask_was_saved = 0}}, priv = {
            pad = {0x0, 0x0, 0x40e7c0, 0x7fffffffe5b8}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4253632}}}
        not_first_call = <optimized out>
#2  0x0000000000407c6d in _start ()
No symbol table info available.
"""

Valgrind:

"""
==18211== Memcheck, a memory error detector
==18211== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==18211== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==18211== Command: dmg2img sample01.dmg
==18211==

dmg2img v1.6.5 (c) vu1tur (to@vu1tur.eu.org)

sample01.dmg --> sample01.img


decompressing:
opening partition 0 ...                    ==18211== Invalid read of size 1
==18211==    at 0x4046ED: main (dmg2img.h:81)
==18211==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18211==
==18211==
==18211== Process terminating with default action of signal 11 (SIGSEGV)
==18211==  Access not within mapped region at address 0x0
==18211==    at 0x4046ED: main (dmg2img.h:81)
==18211==  If you believe this happened as a result of a stack
==18211==  overflow in your program's main thread (unlikely but
==18211==  possible), you can try to increase the size of the
==18211==  main thread stack using the --main-stacksize= flag.
==18211==  The main thread stack size used in this run was 8388608.
==18211==
==18211== HEAP SUMMARY:
==18211==     in use at exit: 3,160,989 bytes in 10 blocks
==18211==   total heap usage: 10 allocs, 0 frees, 3,160,989 bytes allocated
==18211==
==18211== LEAK SUMMARY:
==18211==    definitely lost: 431 bytes in 1 blocks
==18211==    indirectly lost: 0 bytes in 0 blocks
==18211==      possibly lost: 0 bytes in 0 blocks
==18211==    still reachable: 3,160,558 bytes in 9 blocks
==18211==         suppressed: 0 bytes in 0 blocks
==18211== Rerun with --leak-check=full to see details of leaked memory
==18211==
==18211== For counts of detected and suppressed errors, rerun with: -v
==18211== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
Segmentation fault
"""
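The traces above agree on the root cause: `convert_char4` (inlined from dmg2img.h:81 into dmg2img.c:390) dereferences `parts[i].Data + offset` while the address is 0x0, so the decoded blkx blob for the partition is either absent or shorter than the offset the loop has reached. The check a maintainer would want before that read is shown below as an added example; it is not code from the bug report or from dmg2img. The `part_t` layout, the body of `convert_char4`, the `read_block_type` wrapper, the `demo` function and the 12-byte sample blob are all assumptions or constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical partition record: the decoded blkx "Data" blob and its length.
 * dmg2img's real struct is not reproduced here; this shape is an assumption. */
typedef struct {
    unsigned char *Data;
    size_t DataLen;
} part_t;

/* Unchecked big-endian 32-bit read in the style of convert_char4.
 * The body is assumed; only the call shape comes from the gdb trace. */
static uint32_t convert_char4(const unsigned char *c)
{
    return ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) |
           ((uint32_t)c[2] << 8)  |  (uint32_t)c[3];
}

/* Checked wrapper: rejects a NULL blob (the 0x0 address Valgrind reports) and
 * any read that would run past DataLen. Returns 1 and fills *out on success,
 * 0 on malformed input so the caller can abort the partition instead of crashing. */
int read_block_type(const part_t *p, size_t offset, uint32_t *out)
{
    if (p == NULL || p->Data == NULL)
        return 0;
    if (offset > p->DataLen || p->DataLen - offset < 4)
        return 0;
    *out = convert_char4(p->Data + offset);
    return 1;
}

/* Constructed sample blob: first word 0x80000005, last word 0xFFFFFFFF. */
static unsigned char sample_blob[12] = {
    0x80, 0x00, 0x00, 0x05,
    0x00, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF
};

/* Exercises the wrapper on a good blob, a NULL blob, a truncated blob and an
 * offset near the end. Returns the number of cases that behaved unexpectedly. */
int demo(void)
{
    part_t ok   = { sample_blob, sizeof sample_blob };
    part_t nul  = { NULL, 0 };          /* mirrors the trace: Data at address 0x0 */
    part_t tiny = { sample_blob, 3 };   /* decoded blob shorter than one word */
    uint32_t t;
    int failures = 0;

    if (read_block_type(&ok, 0, &t))   printf("offset 0: block_type 0x%08x\n", t);  else failures++;
    if (read_block_type(&ok, 8, &t))   printf("offset 8: block_type 0x%08x\n", t);  else failures++;
    if (!read_block_type(&nul, 0, &t)) printf("NULL Data: rejected\n");             else failures++;
    if (!read_block_type(&tiny, 0, &t)) printf("3-byte Data: rejected\n");          else failures++;
    if (!read_block_type(&ok, 10, &t)) printf("offset 10 of 12: rejected\n");       else failures++;
    return failures;
}

int main(void)
{
    return demo();
}
```

The length check is written as `p->DataLen - offset < 4` after confirming `offset <= p->DataLen`, rather than `offset + 4 > p->DataLen`, so that an attacker-controlled offset near `SIZE_MAX` cannot wrap the addition and slip past the bound.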