Description
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: HG 2.1
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-02-07 23:16:54 +0000, Radue wrote:
A heap-buffer-overflow vulnerability was discovered in the SDL-1.2.15 library.
ASan report:
=================================================================
==22885==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200006b7c8 at pc 0x7ff12191f442 bp 0x7ffc642d4e90 sp 0x7ffc642d4e88
READ of size 1 at 0x60200006b7c8 thread T0
#0 0x7ff12191f441 in SDL_GetRGB /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_pixels.c:416:8
#1 0x7ff12192d2fa in SDL_ConvertSurface /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:877:4
#2 0x7ff121932a40 in SDL_DisplayFormat /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:946:9
#3 0x4dba11 in LoadSprite /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite.c:41:9
#4 0x4dbc8f in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite.c:98:7
#5 0x7ff12060682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x435528 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x435528)

0x60200006b7c8 is located 8 bytes to the left of 16-byte region [0x60200006b7d0,0x60200006b7e0)
freed by thread T0 here:
#0 0x4bc212 in __interceptor_free (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x4bc212)
#1 0x7ff1203c8dc7 (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xadc7)

previously allocated by thread T0 here:
#0 0x4bc4f2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x4bc4f2)
#1 0x7ff1203ca2aa (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc2aa)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_pixels.c:416 SDL_GetRGB
Shadow bytes around the buggy address:
0x0c04800056a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800056b0: fa fa 00 00 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c04800056c0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c04800056d0: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800056e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c04800056f0: fa fa fd fd fa fa fd fd fa[fa]fd fd fa fa fd fd
0x0c0480005700: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480005710: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480005720: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480005730: fa fa fd fd fa fa 00 fa fa fa 00 00 fa fa fd fd
0x0c0480005740: fa fa fd fd fa fa fd fd fa fa 07 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22885==ABORTING
On 2019-02-08 08:38:46 +0000, Radue wrote:
Created attachment 3605
PoC
On 2019-02-08 08:39:29 +0000, Radue wrote:
PoC: See attachment
Reproduction steps:
- Download the SDL-1.2.15 library
- ./configure with ASan enabled
- ./make
- sudo make install
- cd examples
- ./configure with ASan enabled
- make
- ./testsprite PoC
On 2019-02-10 14:57:33 +0000, Radue wrote:
Assigned CVE-2019-7636 by MITRE.
On 2019-02-18 13:49:32 +0000, Petr Pisar wrote:
This PoC BMP image has an invalid number of colors (biClrUsed=3, biBitCount=0). In my case this results in an invalid write when parsing the BMP file:
==7124== Invalid write of size 1
==7124== at 0x483F7B3: memmove (vg_replace_strmem.c:1271)
==7124== by 0x4AE06EA: _IO_file_xsgetn (in /usr/lib64/libc-2.29.so)
==7124== by 0x4AD4FE6: fread (in /usr/lib64/libc-2.29.so)
==7124== by 0x4859F70: stdio_read (SDL_rwops.c:336)
==7124== by 0x487EAF1: SDL_LoadBMP_RW (SDL_bmp.c:246)
==7124== by 0x401359: LoadSprite (testsprite.c:36)
==7124== by 0x401B25: main (testsprite.c:224)

In the case of the original report, the SDL_GetRGB() function reads from the fmt->palette->colors[] array, which is badly allocated because of the invalid number of colors. A fix for this issue is covered by the patch for bug #4500.
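The root cause described in the previous comment is a palette whose size comes from header fields the file controls (biBitCount, biClrUsed), later indexed by pixel values that are also file-controlled. The C program below is an added example for this page, not SDL's loader and not the fix referenced above: it parses the two header fields from an in-memory BMP, rejects the PoC's combination (biBitCount=0, biClrUsed=3) with an acceptance policy that is the example's own assumption, and shows a bounds-checked form of the `colors[pixel]` read that ASan flagged in SDL_GetRGB. It assumes the standard BITMAPINFOHEADER layout; the helper names and the header bytes it builds are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* The two BITMAPINFOHEADER fields that size the palette. The 40-byte info
 * header follows the 14-byte file header; within it biBitCount sits at
 * offset 14 and biClrUsed at offset 32 (standard layout, assumed here). */
struct bmp_info {
    uint16_t biBitCount;
    uint32_t biClrUsed;
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the fields out of an in-memory BMP. Returns 0 on success, -1 if the
 * buffer is too short for both headers or lacks the "BM" magic. */
int bmp_parse_info(const uint8_t *buf, size_t len, struct bmp_info *out)
{
    if (len < 14 + 40 || buf[0] != 'B' || buf[1] != 'M')
        return -1;
    out->biBitCount = rd16(buf + 14 + 14);
    out->biClrUsed  = rd32(buf + 14 + 32);
    return 0;
}

/* Decide how many palette entries the header may be trusted to describe.
 * Returns 0 and sets *ncolors (0 for true-colour depths), or -1 to reject.
 * The policy is an assumption for this example, not SDL's: only 1, 4 and
 * 8-bit images carry a palette, biClrUsed may not exceed 1 << biBitCount,
 * and biClrUsed == 0 means "all of them". The PoC's header
 * (biBitCount=0, biClrUsed=3) hits the default case and is rejected. */
int bmp_palette_size(const struct bmp_info *bi, uint32_t *ncolors)
{
    switch (bi->biBitCount) {
    case 1: case 4: case 8: {
        uint32_t max = 1u << bi->biBitCount;
        if (bi->biClrUsed > max)
            return -1;
        *ncolors = bi->biClrUsed ? bi->biClrUsed : max;
        return 0;
    }
    case 16: case 24: case 32:
        *ncolors = 0;       /* pixels hold RGB masks; colors[] is never read */
        return 0;
    default:
        return -1;          /* depth 0 and anything else is rejected */
    }
}

struct rgb { uint8_t r, g, b; };

/* Bounds-checked form of the palette read ASan flagged in SDL_GetRGB. An
 * 8-bit pixel can hold any index 0..255, so the read must be limited by the
 * palette's real length rather than by the pixel width. */
int palette_lookup(const struct rgb *colors, uint32_t ncolors,
                   uint32_t pixel, struct rgb *out)
{
    if (pixel >= ncolors)
        return -1;
    *out = colors[pixel];
    return 0;
}

/* Constructed input: a minimal 54-byte BMP header with the given depth and
 * colour count; every other field is left zero. */
void bmp_make_header(uint8_t buf[54], uint16_t bits, uint32_t clrused)
{
    memset(buf, 0, 54);
    buf[0] = 'B'; buf[1] = 'M';
    buf[14] = 40;                                   /* biSize */
    buf[28] = (uint8_t)bits;            buf[29] = (uint8_t)(bits >> 8);
    buf[46] = (uint8_t)clrused;         buf[47] = (uint8_t)(clrused >> 8);
    buf[48] = (uint8_t)(clrused >> 16); buf[49] = (uint8_t)(clrused >> 24);
}

/* Build, parse and check a header in one step: -1 if rejected, otherwise the
 * number of palette entries a loader would allocate (0 = no palette). */
int palette_entries_for(uint16_t bits, uint32_t clrused)
{
    uint8_t hdr[54];
    struct bmp_info bi;
    uint32_t n;
    bmp_make_header(hdr, bits, clrused);
    if (bmp_parse_info(hdr, sizeof hdr, &bi) != 0 || bmp_palette_size(&bi, &n) != 0)
        return -1;
    return (int)n;
}

int main(void)
{
    printf("PoC header (biBitCount=0, biClrUsed=3): %d\n", palette_entries_for(0, 3));
    printf("8-bit, biClrUsed=3: %d palette entries\n", palette_entries_for(8, 3));
    return 0;
}
```

Note that the two checks are independent: even a header that passes `bmp_palette_size` with biClrUsed=3 yields a 3-entry palette for an 8-bit image, so the per-pixel bound in `palette_lookup` (or an equivalent clamp when the surface is built) is still required.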
On 2019-02-18 15:53:08 +0000, Sam Lantinga wrote:
Fixed, thanks!
https://hg.libsdl.org/SDL/rev/19d8c3b9c251
https://hg.libsdl.org/SDL/rev/07c39cbbeacf