View Issue Details

ID: 0000610
Project: file
Category: General
View Status: public
Last Update: 2025-01-08 06:53
Reporter: YancyLii
Assigned To: (none)
Priority: urgent
Severity: crash
Reproducibility: always
Status: new
Resolution: open
OS: ubuntu
OS Version: 24.04
Product Version: 5.46
Summary: 0000610: Out-of-Memory Crash in uncompressxzlib Function of libmagic
Description:
An out-of-memory error occurs in the uncompressxzlib function of the libmagic project when processing certain inputs. This results in a crash due to an excessive memory allocation request (2GB). The issue arises during the decompression process, potentially due to improper handling of malformed or unexpected compressed data inputs.
Steps To Reproduce:
1. Download the attached tar.gz file, decompress it, then execute the shell script (with sudo).
2. ./Test_libmagic_3 oom-4c114b388c07dc45da911b349fd531cc21459ccd
3. Observe the error message.
Additional Information:
The issue was identified using a fuzzing tool, which exposed the vulnerability by providing inputs that libmagic failed to handle properly. The crash log is attached for reference.
Crash Log:
    #0 0x55d7c0273601 in __sanitizer_print_stack_trace (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x12f601) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #1 0x55d7c01cbfb8 in fuzzer::PrintStackTrace() (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x87fb8) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #2 0x55d7c01b1505 in fuzzer::Fuzzer::HandleMalloc(unsigned long) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x6d505) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #3 0x55d7c01b141b in fuzzer::MallocHook(void const volatile*, unsigned long) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x6d41b) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #4 0x55d7c027ac72 in __sanitizer::RunMallocHooks(void*, unsigned long) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x136c72) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #5 0x55d7c01ce183 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x8a183) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #6 0x55d7c01cdad3 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x89ad3) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #7 0x55d7c0268c5e in malloc (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x124c5e) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #8 0x7f66cbc4e9ef (/lib/x86_64-linux-gnu/liblzma.so.5+0x139ef) (BuildId: b85da6c48eb60a646615392559483b93617ef265)
    #9 0x7f66cbc4104b (/lib/x86_64-linux-gnu/liblzma.so.5+0x604b) (BuildId: b85da6c48eb60a646615392559483b93617ef265)
    #10 0x7f66cbc4511f (/lib/x86_64-linux-gnu/liblzma.so.5+0xa11f) (BuildId: b85da6c48eb60a646615392559483b93617ef265)
    #11 0x7f66cbc418e2 in lzma_code (/lib/x86_64-linux-gnu/liblzma.so.5+0x68e2) (BuildId: b85da6c48eb60a646615392559483b93617ef265)
    #12 0x55d7c02c76a5 in uncompressxzlib .../libmagic/src/libmagic/build/src/../../src/compress.c:705:7
    #13 0x55d7c02c3cd2 in uncompressbuf .../libmagic/src/libmagic/build/src/../../src/compress.c:1074:10
    #14 0x55d7c02c334d in file_zmagic .../libmagic/src/libmagic/build/src/../../src/compress.c:311:9
    #15 0x55d7c02ce256 in file_buffer .../libmagic/src/libmagic/build/src/../../src/funcs.c:369:7
    #16 0x55d7c02a9ba0 in magic_buffer .../libmagic/src/libmagic/build/src/../../src/magic.c:559:6
    #17 0x55d7c02a7fd4 in LLVMFuzzerTestOneInput /volume/PromptDriver/results/libmagic/driver/Test_libmagic_Id2817.cc:95:26
    #18 0x55d7c01b3c10 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x6fc10) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #19 0x55d7c01b3385 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x6f385) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #20 0x55d7c01b4b65 in fuzzer::Fuzzer::MutateAndTestOne() (.../libmagic/fuzzer/Test_libmagic_Id2817+0x70b65) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #21 0x55d7c01b5775 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x71775) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #22 0x55d7c01a38db in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x5f8db) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #23 0x55d7c01cc912 in main (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x88912) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
    #24 0x7f66cb94ed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #25 0x7f66cb94ee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #26 0x55d7c0198d44 in _start (/volume/PromptDriver/results/libmagic/fuzzer/Test_libmagic_Id2817+0x54d44) (BuildId: 305308047ad26e990bcb81a58e570e590ef55650)
Tags: libmagic
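Editorial note and example, added here; it is not part of the report above and not file's own code. Two things in the trace are worth reading precisely. First, the frames fuzzer::Fuzzer::HandleMalloc and fuzzer::MallocHook above malloc show that libFuzzer's single-allocation limit tripped (-malloc_limit_mb, which defaults to the 2048 MB -rss_limit_mb), not that ASan found memory corruption: one malloc call inside liblzma, reached from uncompressxzlib through lzma_code, asked for more than the limit. Second, liblzma sizes its decoder dictionary from the stream header alone, before any compressed payload is consumed: the 32-bit dictionary field of a .lzma (LZMA_Alone) header, or the LZMA2 filter property in an .xz block header, can declare gigabytes in a 13- or 24-byte input. The guard liblzma provides is the memlimit argument of lzma_auto_decoder (adjustable later with lzma_memlimit_set); when the declared dictionary exceeds it the decoder returns LZMA_MEMLIMIT_ERROR instead of allocating. The Python below uses the standard lzma module, a binding over the same liblzma decoder, to construct both header shapes with an oversized dictionary and show a bounded decoder rejecting them while a genuine stream still decodes. The 64 MiB limit, the sample payload and all function names are assumptions of this example.

```python
import lzma
import struct
import zlib

# Assumed per-decode budget for this example; a real caller sizes this to its
# own memory policy (what file itself passes is not shown on this page).
MEMLIMIT = 64 * 1024 * 1024

# Constructed sample payload for the genuine-stream case.
SAMPLE = b"libmagic xz sample payload\n" * 512


def lzma_alone_header(dict_size, lc=3, lp=0, pb=2, uncompressed_size=0xFFFFFFFFFFFFFFFF):
    """13-byte .lzma (LZMA_Alone) header: properties byte, LE32 dictionary
    size, LE64 uncompressed size (all ones = unknown). No payload follows;
    liblzma sizes the dictionary from this header before reading any data."""
    props = (pb * 5 + lp) * 9 + lc
    return struct.pack("<BIQ", props, dict_size, uncompressed_size)


def xz_stream_with_lzma2_dict(dict_code):
    """.xz stream header followed by one block header whose LZMA2 filter
    property carries the dictionary size code: 40 means 0xFFFFFFFF, codes
    0..39 mean (2 | (code & 1)) << (code // 2 + 11)."""
    stream_flags = b"\x00\x01"  # check type 1 = CRC32
    stream_header = (b"\xfd7zXZ\x00" + stream_flags
                     + struct.pack("<I", zlib.crc32(stream_flags)))
    # Block flags 0x00: one filter, no size fields. Filter ID 0x21 = LZMA2,
    # properties size 1, then the dictionary code. The header is padded to a
    # multiple of 4 bytes and ends with a CRC32 of everything before it.
    body = b"\x00" + b"\x21\x01" + bytes([dict_code])
    header_size = 12
    unchecked = bytes([header_size // 4 - 1]) + body
    unchecked += b"\x00" * (header_size - 4 - len(unchecked))
    block_header = unchecked + struct.pack("<I", zlib.crc32(unchecked))
    return stream_header + block_header


def decompress_bounded(data, memlimit=MEMLIMIT):
    """Decode with liblzma's memory limit set (the memlimit argument of
    lzma_auto_decoder in C). Returns ('ok', payload) when the stream decodes,
    ('memlimit', None) when the declared dictionary would exceed the limit,
    and ('error', message) for any other decoder error."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_AUTO, memlimit=memlimit)
    try:
        out = dec.decompress(data)
    except lzma.LZMAError as exc:
        if "Memory usage limit exceeded" in str(exc):
            return ("memlimit", None)
        return ("error", str(exc))
    return ("ok", out)


def genuine_roundtrip():
    """A real xz stream (preset 6, 8 MiB dictionary) decodes under the limit."""
    return decompress_bounded(lzma.compress(SAMPLE)) == ("ok", SAMPLE)


def run_checks():
    """Status of each constructed input under MEMLIMIT."""
    return {
        "lzma_alone_2gib_dict": decompress_bounded(lzma_alone_header(1 << 31))[0],
        "xz_lzma2_4gib_dict": decompress_bounded(xz_stream_with_lzma2_dict(40))[0],
        "genuine_xz_8mib_dict": decompress_bounded(lzma.compress(SAMPLE))[0],
    }


if __name__ == "__main__":
    for name, status in run_checks().items():
        print(f"{name}: {status}")
```

Passing memlimit=None in the Python API corresponds to UINT64_MAX in C and removes the check entirely; the declared dictionary size then goes straight to malloc, and only the allocator or the process's limits stand in the way. When triaging a report like this one, compare the malloc size in the sanitizer message with the dictionary field of the crashing input: if a header-only file of the kind built above reproduces the request, the allocation is driven purely by attacker-controlled header bytes and no valid compressed payload is needed.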

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-01-08 06:53 YancyLii New Issue
2025-01-08 06:53 YancyLii Tag Attached: libmagic