Closed
Description
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-05-05 02:56:52 +0000, pwd wrote:
Created attachment 3773
poc: IMG_LoadPCX_RW@IMG_pcx.c:178-24___heap-buffer-overflow

Description:
An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4. There is a heap-buffer-overflow in function IMG_LoadPCX_RW at IMG_pcx.c:178:24.

Command line:
loadtif @@

Source (IMG_pcx.c, the marked line is the faulting store):

    174                     }
    175                 } else
    176                     count = 1;
    177             }
    > 178           dst[i] = ch;
    179             count--;
    180         }
    181     }
    182
    183     if(src_bits <= 4) {

loadtif.c (AFL persistent-mode harness; __AFL_LOOP is provided by afl-clang-fast, so build it with that compiler):

    #include <stdio.h>
    #include <SDL.h>
    #include <SDL_image.h>

    int main(int argc, char *argv[]) {
        IMG_Init(IMG_INIT_TIF);  /* loads only the optional TIFF backend; PCX needs no init and IMG_Load sniffs the format from the file contents */
        while (__AFL_LOOP(1000)) {
            SDL_Surface *image = IMG_Load(argv[1]);  /* frame #3 of the report below: loadtif.c:8 */
            if (image) {
                SDL_FreeSurface(image);
            }
        }
        IMG_Quit();
        return 0;
    }

Bug report:

    =================================================================
    ==13979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x7fcdecb76a15 bp 0x7ffddb89ab30 sp 0x7ffddb89ab28
    WRITE of size 1 at 0x60200000eff4 thread T0
        #0 0x7fcdecb76a14 in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:178:24
        #1 0x7fcdecb639bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
        #2 0x7fcdecb62f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
        #3 0x4ea0f0 in main /src/loadtif.c:8:37
        #4 0x7fcdeb66982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #5 0x4189e8 in _start (/src/aflbuild/installed/bin/loadtif+0x4189e8)

    0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
    allocated by thread T0 here:
        #0 0x4b8b18 in malloc (/src/aflbuild/installed/bin/loadtif+0x4b8b18)
        #1 0x7fcdec6de868 in SDL_malloc_REAL /src/libsdl2/src/stdlib/SDL_malloc.c:5328:11

    SUMMARY: AddressSanitizer: heap-buffer-overflow /src/SDL2_image-2.0.4/IMG_pcx.c:178:24 in IMG_LoadPCX_RW
    Shadow bytes around the buggy address:
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==13979==ABORTING

Others:
from fuzz project pwd-libsdl2-loadtif-00
crash name pwd-libsdl2-loadtif-00-00000000-20190418.tif
Auto-generated by pyspider at 2019-04-19 00:07:03
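The faulting store in the report is `dst[i] = ch` inside a run-length decode loop, and ASan shows it landing exactly one byte past a 4-byte heap region. What follows is an added example, not SDL_image's code and not the reporter's: a minimal PCX scan-line decoder written in the same loop shape (count, ch, dst[i]) next to a bounds-checked wrapper. The function names, the return codes and the sample bytes are this example's own constructions, and the premise that the loop bound comes from a header field the file controls while the destination was sized differently is an assumption about the root cause that the report itself does not state.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes for this example decoder (names are the example's own). */
enum { PCX_OK = 0, PCX_ERR_TRUNCATED = -1, PCX_ERR_TOO_LONG = -2 };

/*
 * Decode one run-length-encoded PCX scan line from src into dst.
 * Standard PCX RLE: a byte with its top two bits set (0xC0) carries a run
 * length in its low six bits and is followed by the value to repeat; any
 * other byte is a single literal byte.
 *
 * This mirrors the loop shape of the IMG_pcx.c excerpt above but is NOT
 * SDL_image's code. It trusts bpl (assumed here to be the bytes-per-line
 * count taken from the file header) and never consults the real size of dst.
 */
int decode_scanline_unchecked(const uint8_t *src, size_t src_len, size_t *pos,
                              uint8_t *dst, size_t bpl)
{
    size_t i;
    int count = 0;
    uint8_t ch = 0;

    for (i = 0; i < bpl; i++) {
        if (!count) {
            if (*pos >= src_len) return PCX_ERR_TRUNCATED;
            ch = src[(*pos)++];
            if ((ch & 0xC0) == 0xC0) {
                count = ch & 0x3F;
                if (*pos >= src_len) return PCX_ERR_TRUNCATED;
                ch = src[(*pos)++];
            } else {
                count = 1;
            }
        }
        dst[i] = ch;   /* writes past dst once i reaches its real size */
        count--;
    }
    return PCX_OK;
}

/*
 * Hardened wrapper: the header-derived byte count is validated against the
 * destination capacity before a single byte is written, so a crafted header
 * cannot push the store past the end of the allocation.
 */
int decode_scanline_checked(const uint8_t *src, size_t src_len, size_t *pos,
                            uint8_t *dst, size_t dst_len, size_t bpl)
{
    if (bpl > dst_len) return PCX_ERR_TOO_LONG;
    return decode_scanline_unchecked(src, src_len, pos, dst, bpl);
}

/* Constructed sample: a run of three 0xAA followed by one literal 0x11. */
static const uint8_t SAMPLE_LINE[] = { 0xC3, 0xAA, 0x11 };

/* Decode the sample into a 4-byte line; returns 1 when the pixels and the
 * stream position come out as expected. */
int demo_valid_line(void)
{
    uint8_t dst[4] = { 0 };
    size_t pos = 0;
    if (decode_scanline_checked(SAMPLE_LINE, sizeof SAMPLE_LINE, &pos,
                                dst, sizeof dst, 4) != PCX_OK)
        return 0;
    return dst[0] == 0xAA && dst[1] == 0xAA && dst[2] == 0xAA &&
           dst[3] == 0x11 && pos == 3;
}

/* Crafted header: claims 8 bytes per line for a 4-byte destination, the
 * same shape as the 4-byte region in the ASan report. The checked decoder
 * refuses it; the unchecked one would write past the buffer. */
int demo_crafted_line(void)
{
    uint8_t dst[4] = { 0 };
    size_t pos = 0;
    return decode_scanline_checked(SAMPLE_LINE, sizeof SAMPLE_LINE, &pos,
                                   dst, sizeof dst, 8);
}

/* Truncated stream: a run marker with no value byte behind it. */
int demo_truncated_line(void)
{
    static const uint8_t cut[] = { 0xC4 };
    uint8_t dst[4] = { 0 };
    size_t pos = 0;
    return decode_scanline_checked(cut, sizeof cut, &pos, dst, sizeof dst, 4);
}

int main(void)
{
    printf("valid line decoded:  %d\n", demo_valid_line());
    printf("crafted line rc:     %d (PCX_ERR_TOO_LONG)\n", demo_crafted_line());
    printf("truncated line rc:   %d (PCX_ERR_TRUNCATED)\n", demo_truncated_line());
    return 0;
}
```

Building this with `-fsanitize=address` and swapping `decode_scanline_checked` for `decode_scanline_unchecked` in `demo_crafted_line` reproduces the same class of finding as the report (a 1-byte WRITE just past a small heap or stack region); the check in the wrapper is the property a fix has to establish, whichever header field ends up being the source of the oversized count.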
On 2019-06-10 22:21:50 +0000, Sam Lantinga wrote:
Fixed, thanks!
https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
Metadata
Assignees
Labels
No labels