
double free when load bmp image #184

Closed
@xiaoqx

Description

A double free when loading a crafted image using CImg.
The tested code commit is 0e9fe67.
Reported by AddressSanitizer as follows:

==6191==ERROR: AddressSanitizer: attempting double-free on 0x62100001a500 in thread T0:
#0 0x7f1be4f702ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x7f1be40cbc55 in _IO_default_finish (/lib/x86_64-linux-gnu/libc.so.6+0x7bc55)
#2 0x7f1be40bd29e in fclose (/lib/x86_64-linux-gnu/libc.so.6+0x6d29e)
#3 0x7f1be4f6f7cd in fclose (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x977cd)
#4 0x40a518 in cimg_library::cimg::fclose(_IO_FILE*) ../CImg.h:6187
#5 0x49b051 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48467
#6 0x4b84a4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280
#7 0x4b84a4 in cimg_library::CImg::load(char const*) ../CImg.h:48122
#8 0x4022fa in cimg_library::CImg::assign(char const*) ../CImg.h:11514
#9 0x4022fa in cimg_library::CImg::CImg(char const*) ../CImg.h:11161
#10 0x4022fa in main /src/CImg/fuzz-test/bmp-test.cpp:25
#11 0x7f1be407082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

0x62100001a500 is located 0 bytes inside of 4096-byte region [0x62100001a500,0x62100001b500)
freed by thread T0 here:
#0 0x7f1be4f702ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x7f1be40cbe3c in _IO_default_finish (/lib/x86_64-linux-gnu/libc.so.6+0x7be3c)

previously allocated by thread T0 here:
#0 0x7f1be4f70602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f1be40bd1d4 in _IO_file_doallocate (/lib/x86_64-linux-gnu/libc.so.6+0x6d1d4)

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==6191==ABORTING

PoC:
https://github.com/xiaoqx/pocs/blob/master/cimg/cimg-double-free-1
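The trace above shows `cimg::fclose` running on a `FILE*` that libc had already released. As an added example (not CImg's code), this is the ownership discipline that removes that bug class from a loader with the CImg-style `(FILE*, filename)` signature: close only the stream you opened, do it on one exit path, and null the pointer so a repeated close can never reach `free()` twice. The names `close_once`, `load_bmp_header`, `stream_from_bytes` and the header bytes are constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>
/* Close a stream and null the caller's pointer so a repeated close is a no-op
   (hypothetical helper, not CImg's cimg::fclose). */
static int close_once(FILE **fp) {
    if (!fp || !*fp) return 0;
    int rc = fclose(*fp);
    *fp = NULL;
    return rc;
}

/* Hypothetical loader with the CImg-style signature: the caller may pass an open
   stream (and keeps ownership) or a filename (the loader then owns the stream).
   Returns 0 on success, -1 on a bad or truncated header, -2 if nothing was opened. */
int load_bmp_header(FILE *file, const char *filename, uint32_t *out_size) {
    FILE *nfile = file ? file : (filename ? fopen(filename, "rb") : NULL);
    if (!nfile) return -2;
    int owned = (file == NULL);            /* close only what we opened */
    unsigned char h[6];
    int rc = 0;
    if (fread(h, 1, sizeof h, nfile) != sizeof h || h[0] != 'B' || h[1] != 'M')
        rc = -1;                           /* bad magic or truncated input */
    else
        *out_size = h[2] | (uint32_t)h[3] << 8 | (uint32_t)h[4] << 16 | (uint32_t)h[5] << 24;
    if (owned) close_once(&nfile);         /* single exit path: exactly one close */
    return rc;
}

/* Wrap constructed bytes in a stream; tmpfile() keeps this standard C and offline. */
FILE *stream_from_bytes(const unsigned char *buf, size_t n) {
    FILE *f = tmpfile();
    if (f && fwrite(buf, 1, n, f) == n) { rewind(f); return f; }
    close_once(&f);
    return NULL;
}
/* Constructed samples: a "BM" header declaring a 70-byte file, and a truncated one. */
int demo(void) {
    static const unsigned char good[] = {'B','M', 70,0,0,0, 0,0,0,0, 54,0,0,0};
    static const unsigned char bad[]  = {'B','M', 70};
    uint32_t size = 0;
    FILE *f = stream_from_bytes(good, sizeof good);
    int rc1 = load_bmp_header(f, NULL, &size);   /* caller keeps ownership of f */
    close_once(&f);                              /* caller closes exactly once... */
    close_once(&f);                              /* ...and a repeat is a harmless no-op */
    FILE *g = stream_from_bytes(bad, sizeof bad);
    int rc2 = load_bmp_header(g, NULL, &size);
    close_once(&g);
    return rc1 == 0 && size == 70 && rc2 == -1;
}
```

Run under AddressSanitizer the same way the report above was produced; a stream closed twice would be flagged at the second `fclose`, whereas the `close_once` path never reaches it.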
