CVE-2023-40889
A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can supply the malicious QR code as a digital image, or prepare a physical copy to be scanned by the vulnerable scanner.
Affected version: ZBar 0.23.90
https://github.com/mchehab/zbar/releases/tag/0.23.90

AddressSanitizer report from the fuzzing harness that found the crash. It shows a one-byte read at qrdec.c:3903 located 0 bytes past the end of a 38-byte region that was allocated with calloc at qrdec.c:3895, i.e. a read one element beyond the end of the buffer:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000e1bf6 at pc 0x7f22e913836b bp 0x7fff893b6590 sp 0x7fff893b6588
READ of size 1 at 0x6040000e1bf6 thread T0
#0 0x7f22e913836a in qr_reader_match_centers /home/fuzzer/ramdisk_fuzz/ZBar/zbar/qrcode/qrdec.c:3903:18
#1 0x7f22e913a2ef in _zbar_qr_decode /home/fuzzer/ramdisk_fuzz/ZBar/zbar/qrcode/qrdec.c:4029:9
#2 0x7f22e910f004 in zbar_scan_image /home/fuzzer/ramdisk_fuzz/ZBar/zbar/img_scanner.c:806:5
#3 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16
#4 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk_fuzz/libfuzz/src/fuzz.cpp:97
#5 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42fb77)
#6 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43a3e4)
#7 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43ba4f)
#8 0x42ae0c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42ae0c)
#9 0x41dc82 in main (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x41dc82)
#10 0x7f22e4ea1bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x41dd49 in _start (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x41dd49)
0x6040000e1bf6 is located 0 bytes to the right of 38-byte region [0x6040000e1bd0,0x6040000e1bf6)
allocated by thread T0 here:
#0 0x513488 in calloc (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x513488)
#1 0x7f22e9133b0f in qr_reader_match_centers /home/fuzzer/ramdisk_fuzz/ZBar/zbar/qrcode/qrdec.c:3895:25
#2 0x7f22e913a2ef in _zbar_qr_decode /home/fuzzer/ramdisk_fuzz/ZBar/zbar/qrcode/qrdec.c:4029:9
#3 0x7f22e910f004 in zbar_scan_image /home/fuzzer/ramdisk_fuzz/ZBar/zbar/img_scanner.c:806:5
#4 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16
#5 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk_fuzz/libfuzz/src/fuzz.cpp:97
#6 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42fb77)
#7 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43a3e4)
#8 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x43ba4f)
#9 0x42ae0c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x42ae0c)
#10 0x41dc82 in main (/home/fuzzer/ramdisk_fuzz/libfuzz/fuzzer+0x41dc82)
#11 0x7f22e4ea1bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310