Program received signal SIGILL, Illegal instruction. in readChunk at /LuPng/lupng.c:745

## Desctiption
When using the luPngReadFile function to handle a specific input. Program received signal SIGILL, Illegal instruction. in readChunk at /LuPng/lupng.c:745

https://github.com/jansol/LuPng/blob/5ec546e0d16d0fb9316967949b2676227eb93736/lupng.c#L831-L841
https://github.com/jansol/LuPng/blob/5ec546e0d16d0fb9316967949b2676227eb93736/lupng.c#L780-L799
https://github.com/jansol/LuPng/blob/5ec546e0d16d0fb9316967949b2676227eb93736/lupng.c#L700-L745

https://github.com/jansol/LuPng/blob/5ec546e0d16d0fb9316967949b2676227eb93736/lupng.c#L150-L155

## Test Environment
Ubuntu 22.04.1, 64bit
LuPng(commits on Aug 28, 2021 master https://github.com/jansol/LuPng/commit/5ec546e0d16d0fb9316967949b2676227eb93736)
[program source file](https://github.com/ambrosecm/pocs/blob/main/LuPng/readChunk/luPngReadFile.c)

## How to trigger
Download the [poc file](https://github.com/ambrosecm/pocs/blob/main/LuPng/readChunk/poc) , [program](https://github.com/ambrosecm/pocs/blob/main/LuPng/readChunk/luPngReadFile) and run the following cmd:
```
 $ ./luPngReadFile ./poc
```

## Detail
### GDB report
```
(gdb) r
Starting program: /home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/crashes/lupng.c/generate/luPngReadFile/luPngReadFile output/default/crashes/id:000000,sig:04,src:000002,time:34407,execs:14609,op:havoc,rep:10
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGILL, Illegal instruction.
0x0000555555786b02 in readChunk (info=0x7bfff5d09040, chunk=0x7bfff5d09180) at /home/ambrose/vsproject/TestLib/LuPng/lupng.c:745
745         chunk->crc = swap32(*((uint32_t *)(chunk->data + chunk->length)));
(gdb) bt
#0  0x0000555555786b02 in readChunk (info=0x7bfff5d09040, chunk=0x7bfff5d09180)
    at /home/ambrose/vsproject/TestLib/LuPng/lupng.c:745
#1  0x0000555555780ec6 in luPngReadUC (userCtx=0x7bfff5c09020)
    at /home/ambrose/vsproject/TestLib/LuPng/lupng.c:799
#2  0x000055555578a699 in luPngReadFile (
    filename=0x7fffffffde7f "output/default/crashes/id:000000,sig:04,src:000002,time:34407,execs:14609,op:havoc,rep:10") at /home/ambrose/vsproject/TestLib/LuPng/lupng.c:841
#3  0x00005555557999fb in main (argc=2, argv=0x7fffffffdab8)
    at output/LuPng_deepseek24/harness/code/lupng.c/generate/luPngReadFile.c:16
(gdb) p chunk
$1 = (PngChunk *) 0x7bfff5d09180
(gdb) p chunk->data
$2 = (uint8_t *) 0x7c2ff6e20044 ""
(gdb) p chunk->length
$3 = 13
(gdb) p *((uint32_t *)(chunk->data + chunk->length))
$4 = 2018915346
(gdb) p chunk->crc
$5 = 0
(gdb) p swap32(*((uint32_t *)(chunk->data + chunk->length)))
$6 = 305419896
(gdb) p *chunk
$7 = {length = 13, type = 0x7c2ff6e20040 "IMDR", data = 0x7c2ff6e20044 "", crc = 0}
```

	LuImage luPngReadFile(const char filename)
	{
	LuUserContext userCtx;
	LuImage *img;
	FILE *f = fopen(filename, "rb");

	luUserContextInitDefault(&userCtx);
	if (f) {
	userCtx.readProc = internalFread;
	userCtx.readProcUserPtr = f;
	img = luPngReadUC(&userCtx);

	LuImage luPngReadUC(const LuUserContext userCtx)
	{
	uint8_t signature[PNG_SIG_SIZE];
	int status = PNG_ERROR;

	PngInfoStruct info;
	memset(&info, 0, sizeof(PngInfoStruct));
	info.userCtx = userCtx;

	if (!userCtx->skipSig) {
	if (!userCtx->readProc((void *)signature, PNG_SIG_SIZE, 1,
	userCtx->readProcUserPtr) \|\|
	!bytesEqual(signature, PNG_SIG, PNG_SIG_SIZE)) {
	LUPNG_WARN(&info, "PNG: invalid header");
	return NULL;
	}
	}

	PngChunk chunk;
	while (readChunk(&info, &chunk) == PNG_OK) {

	static LU_INLINE int readChunk(PngInfoStruct info, PngChunk chunk)
	{
	struct {
	uint32_t length;
	uint8_t type[4];
	} ch;

	if (!info->userCtx->readProc((void *)&ch, sizeof(ch), 1,
	info->userCtx->readProcUserPtr)) {
	LUPNG_WARN(info, "PNG: read error");
	return PNG_ERROR;
	}

	chunk->length = swap32(ch.length);
	if (chunk->length >= INT32_MAX) {
	LUPNG_WARN(info, "PNG: chunk claims to be absurdly large");
	return PNG_ERROR;
	}

	for (int i = 0; i < 4; ++i) {
	if ((ch.type[i] < 'a' \|\| ch.type[i] > 'z') &&
	(ch.type[i] < 'A' \|\| ch.type[i] > 'Z')) {
	LUPNG_WARN(info, "PNG: invalid chunk name, possibly unprintable");
	return PNG_ERROR;
	}
	}

	// Store chunk type and contents and crc in the same buffer for convenience
	chunk->type = (uint8_t *)info->userCtx->allocProc(
	chunk->length + 8, info->userCtx->allocProcUserPtr);
	if (!chunk->type) {
	LUPNG_WARN(info, "PNG: memory allocation failed!");
	return PNG_ERROR;
	}

	memcpy(chunk->type, &ch.type, 4);
	chunk->data = chunk->type + 4;

	if (!info->userCtx->readProc(chunk->data, chunk->length + 4, 1,
	info->userCtx->readProcUserPtr)) {
	LUPNG_WARN(info, "PNG: read error");
	info->userCtx->freeProc(chunk->type, info->userCtx->freeProcUserPtr);
	return PNG_ERROR;
	}

	chunk->crc = swap32(((uint32_t )(chunk->data + chunk->length)));

	typedef struct {
	uint32_t length;
	uint8_t *type;
	uint8_t *data;
	uint32_t crc;
	} PngChunk;

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Program received signal SIGILL, Illegal instruction. in readChunk at /LuPng/lupng.c:745 #13

Desctiption

Test Environment

How to trigger

Detail

GDB report

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Program received signal SIGILL, Illegal instruction. in readChunk at /LuPng/lupng.c:745 #13

Description

Desctiption

Test Environment

How to trigger

Detail

GDB report

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions