CVE-2023-40889: ZBar Heap-based Buffer Overflow Vulnerability

1 minute read

Published:

ZBar Heap-based Buffer Overflow Vulnerability

CVE Number

CVE-2023-40889

Summary

A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

Tested Versions

ZBar 0.23.90

Product URLs

https://github.com/mchehab/zbar/releases/tag/0.23.90

Crash Information

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000e1bf6 at pc 0x7f22e913836b bp 0x7fff893b6590 sp 0x7fff893b6588
READ of size 1 at 0x6040000e1bf6 thread T0
    #0 0x7f22e913836a in qr_reader_match_centers /home/fuzzer/ramdisk_fuzz/ZBar/zbar/qrcode/qrdec.c:3903:18
    #1 0x7f22e913a2ef in _zbar_qr_decode /home/fuzzer/ramdisk_fuzz/ZBar/zbar/qrcode/qrdec.c:4029:9
    #2 0x7f22e910f004 in zbar_scan_image /home/fuzzer/ramdisk_fuzz/ZBar/zbar/img_scanner.c:806:5
    #3 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16
    #4 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk_fuzz/libfuzz/src/fuzz.cpp:97
    #5 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42fb77)
    #6 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43a3e4)
    #7 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43ba4f)
    #8 0x42ae0c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42ae0c)
    #9 0x41dc82 in main (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x41dc82)
    #10 0x7f22e4ea1bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41dd49 in _start (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x41dd49)

0x6040000e1bf6 is located 0 bytes to the right of 38-byte region [0x6040000e1bd0,0x6040000e1bf6)
allocated by thread T0 here:
    #0 0x513488 in calloc (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x513488)
    #1 0x7f22e9133b0f in qr_reader_match_centers /home/fuzzer/ramdisk_fuzz/ZBar/zbar/qrcode/qrdec.c:3895:25
    #2 0x7f22e913a2ef in _zbar_qr_decode /home/fuzzer/ramdisk_fuzz/ZBar/zbar/qrcode/qrdec.c:4029:9
    #3 0x7f22e910f004 in zbar_scan_image /home/fuzzer/ramdisk_fuzz/ZBar/zbar/img_scanner.c:806:5
    #4 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16
    #5 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk_fuzz/libfuzz/src/fuzz.cpp:97
    #6 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42fb77)
    #7 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43a3e4)
    #8 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43ba4f)
    #9 0x42ae0c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42ae0c)
    #10 0x41dc82 in main (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x41dc82)
    #11 0x7f22e4ea1bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

Timeline

2023-08-22 - Public Release

Credit

Discovered by Yuanhaur Chang, Yujie Wang, and Ning Zhang