on ImageWorsener 1.3.0
#imagew $FILE out.png
stack-buffer-overflow on address 0x7ffd02d980a4 at pc 0x00000046559c bp 0x7ffd02d97f60 sp 0x7ffd02d97f58
READ of size 1 at 0x7ffd02d980a4 thread T0
#0 0x46559b in read_next_pam_token src/imagew-pnm.c:282
#1 0x465a7c in iwpnm_read_pam_header src/imagew-pnm.c:361
#2 0x4660aa in iwpnm_read_header src/imagew-pnm.c:423
#3 0x46621e in iw_read_pnm_file src/imagew-pnm.c:446
#4 0x46639f in iw_read_pam_file src/imagew-pnm.c:464
#5 0x43b2a6 in iw_read_file_by_fmt src/imagew-allfmts.c:79
#6 0x408025 in iwcmd_run src/imagew-cmd.c:1191
#7 0x413bfb in iwcmd_main src/imagew-cmd.c:3018
#8 0x413cde in main src/imagew-cmd.c:3067
#9 0x7fb808f72b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
#10 0x403478 (/home/haojun/Downloads/testopensourcecode/imageworsener20170408/imageworsener-master/imagew+0x403478)
Address 0x7ffd02d980a4 is located in stack of thread T0 at offset 196 in frame
#0 0x4658a5 in iwpnm_read_pam_header src/imagew-pnm.c:332
This frame has 4 object(s):
[32, 36) 'curpos'
[96, 196) 'linebuf' <== Memory access at offset 196 overflows this variable
[256, 356) 'tokenbuf'
[416, 516) 'token2buf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
stack-buffer-overflow src/imagew-pnm.c:282 in read_next_pam_token
Shadow bytes around the buggy address:
0x1000205aafc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000205aafd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000205aafe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000205aaff0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000205ab000: 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
=>0x1000205ab010: 00 00 00 00[04]f4 f4 f4 f2 f2 f2 f2 00 00 00 00
0x1000205ab020: 00 00 00 00 00 00 00 00 04 f4 f4 f4 f2 f2 f2 f2
0x1000205ab030: 00 00 00 00 00 00 00 00 00 00 00 00 04 f4 f4 f4
0x1000205ab040: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x1000205ab050: f1 f1 f1 f1 03 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
0x1000205ab060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==96257==ABORTING
testcase:
https://github.com/bestshow/p0cs/blob/master/1071-stack-buffer-overflow-imagew-pnm
Author: ADLab of Venustech