Description
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-05-09 06:39:31 +0000, pwd wrote:
Created attachment 3777
poc

libsdl2

version
libsdl2 2.0.9

others
please send email to teamseri0us360@gmail.com if you have any questions.
SDL_SetError_REAL @ SDL_error.c:65-18___SEGV_UNKNOW

description
An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4. There is an invalid free error in function SDL_SetError_REAL at SDL_error.c:65-18.

commandline
loadjpg @@

source
61 if (fmt == NULL) return -1;
62
63 /* Copy in the key, mark error as valid */
64 error = SDL_GetErrBuf();
> 65 error->error = 1;
66 SDL_strlcpy((char *) error->key, fmt, sizeof(error->key));
67
68 va_start(ap, fmt);
69 error->argc = 0;
70 while (*fmt) {

// ./loadjpg_g /work/pwd-libsdl2-loadjpg-00/vuln/vuln/SDL_SetError_REAL\@SDL_error.c\:65-18___SEGV_UNKNOW
// *** Error in `./loadjpg_g': free(): invalid next size (fast): 0x00000000019377b0 ***
// ======= Backtrace: =========
// /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f81fd0757e5]
// /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f81fd07e37a]
// /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f81fd08253c]
// /src/libsdl2/installed-debug/lib/libSDL2-2.0.so.0(+0x5fa1c)[0x7f81fd427a1c]
// /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadPCX_RW+0x638)[0x7f81fd6dd7d8]
// /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadTyped_RW+0x150)[0x7f81fd6d9d00]
// ./loadjpg_g[0x4007e2]
// /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f81fd01e830]
// ./loadjpg_g[0x4006d9]
// ======= Memory map: ========
// 00400000-00401000 r-xp 00000000 00:27 4750 /src/loadjpg_g
// 00600000-00601000 r--p 00000000 00:27 4750 /src/loadjpg_g
// 00601000-00602000 rw-p 00001000 00:27 4750 /src/loadjpg_g

bug report
ASAN:DEADLYSIGNAL
=================================================================
==8792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4862d2f32f bp 0x7ffd94dc6270 sp 0x7ffd94dc5c20 T0)
    #0 0x7f4862d2f32e in SDL_SetError_REAL /src/libsdl2/src/SDL_error.c:65:18
    #1 0x7f4862d315a1 in SDL_Error_REAL /src/libsdl2/src/SDL_error.c:172:16
    #2 0x7f4862d9d0c2 in stdio_read /src/libsdl2/src/file/SDL_rwops.c:387:9
    #3 0x7f4863301b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17
    #4 0x7f48632f09bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    #5 0x7f48632eff41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    #6 0x4ea140 in main /src/loadjpg.c:8:37
    #7 0x7f4861df682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/SDL_error.c:65:18 in SDL_SetError_REAL
==8792==ABORTING

others
from fuzz project pwd-libsdl2-loadjpg-00
crash name pwd-libsdl2-loadjpg-00-00000023-20190419.jpg
Auto-generated by pyspider at 2019-04-19 03:02:22
On 2019-05-28 15:00:38 +0000, Hugo Lefeuvre wrote:
This issue was assigned CVE-2019-12219.
I can also confirm that the bug is located in SDL_image.
This issue is very similar to #4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).
Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4621.
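The fix pattern named in the patch title above (widen the size arithmetic before multiplying, and check the calloc result before reading file data into the buffer), as an added illustration in C that is not SDL_image's own code; PcxDims, pcx_parse_dims, pcx_buffer_size and pcx_alloc_buffer are hypothetical names, and the 5-byte header blob format is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed PCX-style dimension fields (hypothetical struct, not
 * SDL_image's header layout). PCX stores these as small unsigned ints. */
typedef struct {
    uint16_t bytes_per_line;  /* bytes per scanline, per plane */
    uint8_t  planes;          /* colour planes */
    uint16_t height;          /* scanlines */
} PcxDims;

/* Parse a constructed little-endian blob: bpl(u16) planes(u8) height(u16).
 * Returns -1 if the blob is too short to hold all three fields. */
int pcx_parse_dims(const unsigned char *p, size_t len, PcxDims *out) {
    if (p == NULL || len < 5) return -1;
    out->bytes_per_line = (uint16_t)(p[0] | (p[1] << 8));
    out->planes = p[2];
    out->height = (uint16_t)(p[3] | (p[4] << 8));
    return 0;
}

/* Decode-buffer size = bytes_per_line * planes * height, computed in size_t
 * after widening each field, with an overflow check at every multiply.
 * Returns 0 for any zero dimension or on overflow (0 is never a valid size). */
size_t pcx_buffer_size(const PcxDims *d) {
    size_t bpl = d->bytes_per_line, planes = d->planes, rows = d->height;
    if (bpl == 0 || planes == 0 || rows == 0) return 0;
    if (bpl > SIZE_MAX / planes) return 0;
    size_t row = bpl * planes;
    if (row > SIZE_MAX / rows) return 0;
    return row * rows;
}

/* Allocate the zeroed decode buffer. NULL when the size is invalid, exceeds
 * the caller's sanity limit, or calloc itself fails; the caller must test
 * the result before reading any file data into it. */
unsigned char *pcx_alloc_buffer(const PcxDims *d, size_t max_bytes) {
    size_t n = pcx_buffer_size(d);
    if (n == 0 || n > max_bytes) return NULL;
    return (unsigned char *)calloc(n, 1);   /* calloc can return NULL */
}
```

A loader that skips the NULL check and reads a scanline into the result is exactly the path that corrupts the heap and later shows up as an unrelated free() or SDL_SetError crash in the traces above.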
On 2019-06-10 23:22:35 +0000, Sam Lantinga wrote:
This is fixed, thanks!