Qt gif parsing, Null deref rediscovered
Image parsers
I was originally looking what I can fuzz inside of LINE.exe [1]. We can notice jpeg, ico and gif dll handlers in imageformats directory.
1
2
3
4
5
12/15/2019 17:51 <DIR> .
12/15/2019 17:51 <DIR> ..
10/22/2019 11:06 39,520 qgif.dll
10/22/2019 11:07 40,032 qico.dll
10/22/2019 11:07 259,680 qjpeg.dll
Gif code parser is the part of qtbase and can be found here [2]. Qt library reuses libjpeg-turbo [3] for parsing jpeg files. You can also find some evidences of fuzzing libjpeg-turbo [4] [5]. So, let’s try to fuzz gif parser.
Gif fuzzing
The first thing in fuzzing is creating harness. You can find several examples on the internet how one can leverage Qt to display images [6] [7].
I’ve played with it a bit, and here is how my harness looks like.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#include <QtWidgets/QApplication>
#include <QImageReader>
#include <stdio.h>
extern "C" {
__declspec(dllexport, noinline) int __stdcall main2(char* path) {
QImageReader reader(path);
QSize size = reader.size();
printf("orig size: %x %x, error = %d\n", size.width(), size.height(), reader.error());
if (size.width() > 0x800 || size.height() > 0x800) {
QSize scaledSize = size.scaled(0x800, 0x800, Qt::KeepAspectRatio);
printf("scaled size: %x %x\n", scaledSize.width(), scaledSize.height());
reader.setScaledSize(scaledSize);
}
QImage img = reader.read();
printf("res: %d, err = %d\n", img.isNull(), reader.error());
return img.isNull();
}
}
int main(int argc, char *argv[])
{
QApplication a(argc, argv);
if (argc == 1) return -1;
{
// dummy call is needed to get 100% in WinAFL
QImageReader reader(argv[1]);
QSize size = reader.size();
printf("orig size: %x %x, error = %d\n", size.width(), size.height(), reader.error());
if (size.width() > 0x800 || size.height() > 0x800) {
QSize scaledSize = size.scaled(0x800, 0x800, Qt::KeepAspectRatio);
printf("scaled size: %x %x\n", scaledSize.width(), scaledSize.height());
reader.setScaledSize(scaledSize);
}
QImage img = reader.read();
printf("res: %d, err = %d\n", img.isNull(), reader.error());
}
main2(argv[1]);
return 0;
}
main2 is entry point for fuzzing. This harness tries to scale the image before actually parsing. I needed that part because it seems LINE.exe is implementing the same logic, feel free to remove it.
Also the harness tries to read image first time even before entry point of fuzzer was reached. This is needed because when you call read() first time the Qt engine loads it’s plugins and performs some extra steps which are not the same when you call read() for the second time. WinAFL will measure the coverage, notice this difference and reduce stability in the statistics if you don’t do this dummy call.
I’ve used the exact qgif.dll which was shipped with LINE installer. It’s definitely not the latest one.
So, if you use this harness against Qt 5.6.2 it will reveal the crash almost instantly. It is actually NULL deref.
1
2
3
4
5
6
7
8
9
10
11
eax=15dc0020 ebx=00001b12 ecx=00020000 edx=00020000 esi=15da0020 edi=00000000
eip=7789282e esp=0019fcb0 ebp=15da0020 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010203
VCRUNTIME140!memcpy+0x4e:
7789282e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
0:000> kb
# ChildEBP RetAddr Args to Child
00 0019fcb4 005f1a3c 00000000 15da0020 00020000 VCRUNTIME140!memcpy+0x4e [d:\agent\_work\2\s\src\vctools\crt\vcruntime\src\string\i386\memcpy.asm @ 194]
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0019fd38 005f285f 004a4b6c 00008000 0000001e qgif+0x1a3c
02 00000000 00000000 00000000 00000000 00000000 qgif+0x285f
You can see here that NULL pointer is passed to memcpy() as a destination pointer. This is actually QGIFFormat::decode function. This is exactly where I was aiming!
The bug exists also in version 5.12.6. But when I tried it against latest Qt 5.14 it was not confirmed. Actually it has been fixed recently with the help of clang-tidy util.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
commit ece0c0a5e7e0b18beb58ccd868bde54c7be64f78
Author: Allan Sandfeld Jensen <[email protected]>
Date: Fri Nov 22 14:46:58 2019 +0100
Tidy nullptr usage
Move away from using 0 as pointer literal.
Done using clang-tidy. This is not complete as
run-clang-tidy can't handle all of qtbase in one go.
Change-Id: I1076a21f32aac0dab078af6f175f7508145eece0
Reviewed-by: Friedemann Kleint <[email protected]>
Reviewed-by: Lars Knoll <[email protected]>
I continued fuzzing but didn’t find anything except this null deref.
So, see you next time 😉
References
- LINE.exe unpacking
- qgifhandler.cpp source code [qtbase/src/plugins/imageformats/gif/qgifhandler.cpp] - Woboq Code Browser
- GitHub - libjpeg-turbo/libjpeg-turbo: Main libjpeg-turbo repository
- Scaling AFL to a 256 thread machine - Gamozo Labs Blog
- lcamtuf’s blog: Pulling JPEGs out of thin air
- Qt jpg image display - Stack Overflow
- Image Viewer Example - Qt Widgets 5.14.0
- QImageReader Class - Qt GUI 5.14.0