This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-05-05 03:00:32 +0000, pwd wrote:
Created attachment 3774
poc
description
An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4. There is a null-pointer dereference in function IMG_LoadPCX_RW at IMG_pcx.c:178:24.
commandline
source
174                 }
175             } else
176                 count = 1;
177         }
> 178       dst[i] = ch;
179         count--;
180     }
181 }
182 
183 if(src_bits <= 4) {
loadtif.c
#include <stdio.h>
#include <SDL.h>
#include <SDL_image.h>

int main(int argc, char * argv[]){
    IMG_Init(IMG_INIT_TIF);  /* or IMG_INIT_JPG, IMG_INIT_PNG */
    while(__AFL_LOOP(1000)){
        SDL_Surface * image = IMG_Load(argv[1]);
        if (image){
            SDL_FreeSurface(image);
        }
    }
    IMG_Quit();
}
bug report
ASAN:DEADLYSIGNAL
=================================================================
==13991==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd7bb11fabf bp 0x7ffe60cd2650 sp 0x7ffe60cd23e0 T0)
    #0 0x7fd7bb11fabe in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:178:24
    #1 0x7fd7bb10e9bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    #2 0x7fd7bb10df41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    #3 0x4ea0f0 in main /src/loadtif.c:8:37
    #4 0x7fd7b9c1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4189e8 in _start (/src/aflbuild/installed/bin/loadtif+0x4189e8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/SDL2_image-2.0.4/IMG_pcx.c:178:24 in IMG_LoadPCX_RW
==13991==ABORTING
others
from fuzz project pwd-libsdl2-loadtif-00
crash name pwd-libsdl2-loadtif-00-00000004-20190419.tif
Auto-generated by pyspider at 2019-04-19 00:07:04
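The faulting statement above is the `dst[i] = ch` write inside the PCX run-length decode loop. As an added illustration (not SDL_image's code, and not the fix linked below), here is a hypothetical hardened version of that row decoder: it refuses to write when the destination buffer is missing, and also rejects truncated input and runs that would spill past the row, returning -1 instead of faulting. The run-marker convention (top two bits set, low six bits = run length) is the standard PCX RLE encoding; the sample inputs are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical hardened PCX RLE row decoder (added example, not SDL_image code).
 * A byte with both top bits set is a run marker: low 6 bits = run length, next
 * byte = value; any other byte is a literal. Returns bytes written, or -1 if
 * dst is NULL, the input is truncated, or a run would write past the row. */
int pcx_decode_row(const uint8_t *src, size_t src_len, uint8_t *dst, size_t row_bytes)
{
    size_t si = 0, i = 0; int count = 0; uint8_t ch = 0;
    if (src == NULL || dst == NULL || row_bytes == 0)
        return -1;                            /* refuse a missing destination up front */
    while (i < row_bytes) {
        if (count == 0) {
            if (si >= src_len) return -1;     /* truncated input */
            ch = src[si++];
            if ((ch & 0xC0) == 0xC0) {        /* run marker */
                count = ch & 0x3F;
                if (si >= src_len) return -1; /* marker without a value byte */
                ch = src[si++];
                if (count == 0) continue;     /* empty run encodes nothing */
            } else count = 1;                 /* literal byte */
            if ((size_t)count > row_bytes - i) return -1; /* run would overrun the row */
        }
        dst[i++] = ch;                        /* the write that faulted at IMG_pcx.c:178 */
        count--;
    }
    return (int)i;
}

/* Constructed inputs: a well-formed row, a missing pixel buffer, an overlong run. */
int example_valid_row(void)
{
    static const uint8_t src[] = { 0xC3, 0xAA, 0x10, 0xC2, 0x20 };
    static const uint8_t want[] = { 0xAA, 0xAA, 0xAA, 0x10, 0x20, 0x20 };
    uint8_t dst[6];
    int n = pcx_decode_row(src, sizeof src, dst, sizeof dst);
    return (n == 6 && memcmp(dst, want, 6) == 0) ? n : -1;   /* 6 */
}
int example_null_dst(void)
{
    static const uint8_t src[] = { 0xC3, 0xAA };
    return pcx_decode_row(src, sizeof src, NULL, 3);          /* -1 instead of a SEGV */
}
int example_overrun(void)
{
    static const uint8_t src[] = { 0xC5, 0xFF };
    uint8_t dst[4];
    return pcx_decode_row(src, sizeof src, dst, sizeof dst);  /* -1: 5-byte run into 4 */
}
```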
On 2019-06-10 22:26:56 +0000, Sam Lantinga wrote:
Fixed, thanks!
https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb