Yuanhaur Chang (Oliver)

Yuanhaur Chang (Oliver)

Ph.D Candidate in Computer Science & Engineering at Washington Univeristy in St. Louis

CVE-2023-40890: ZBar Stack-based Buffer Overflow Vulnerability

1 minute read

Published:

ZBar Stack-based Buffer Overflow Vulnerability

CVE Number

CVE-2023-40890

Summary

A stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

Tested Versions

ZBar 0.23.90

Product URLs

https://github.com/mchehab/zbar/releases/tag/0.23.90

Crash Information

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe8c2052b8 at pc 0x7fd25c0d6ba3 bp 0x7ffe8c205130 sp 0x7ffe8c205128
WRITE of size 4 at 0x7ffe8c2052b8 thread T0
    #0 0x7fd25c0d6ba2 in lookup_sequence /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/decoder/databar.c:703:12
    #1 0x7fd25c0d6ba2 in match_segment_exp /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/decoder/databar.c:763
    #2 0x7fd25c0d6ba2 in decode_char /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/decoder/databar.c:1086
    #3 0x7fd25c0cda9b in decode_finder /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/decoder/databar.c:1222:14
    #4 0x7fd25c0cda9b in _zbar_decode_databar /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/decoder/databar.c:1242
    #5 0x7fd25c0c5c52 in zbar_decode_width /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/decoder.c:270:15
    #6 0x7fd25c0c378a in process_edge /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/scanner.c:173:16
    #7 0x7fd25c0c378a in zbar_scan_y /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/scanner.c:261
    #8 0x7fd25c0c0a6f in zbar_scan_image /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/img_scanner.c:773:17
    #9 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16
    #10 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk_fuzz/libfuzz/src/fuzz.cpp:98
    #11 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42fb77)
    #12 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43a3e4)
    #13 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43ba4f)
    #14 0x42ae0c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42ae0c)
    #15 0x41dc82 in main (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x41dc82)
    #16 0x7fd257e53bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41dd49 in _start (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x41dd49)

Address 0x7ffe8c2052b8 is located in stack of thread T0 at offset 376 in frame
    #0 0x7fd25c0ce46f in decode_char /home/fuzzer/ramdisk_fuzz/ZBar_backup/zbar/decoder/databar.c:955
    
  This frame has 6 object(s):
    [32, 120) 'bestsegs.i' (line 716)
    [160, 248) 'segs.i333' (line 716)
    [288, 376) 'seq.i' (line 716) <== Memory access at offset 376 overflows this variable
    [416, 544) 'iseg.i' (line 718)
    [576, 592) 'd.i' (line 645)
    [608, 616) 'emin' (line 958)

Timeline

2023-08-22 - Public Release

Credit

Discovered by Yuanhaur Chang, Yujie Wang, and Ning Zhang

You May Also Enjoy