Skip to content

invalid free error in function SDL_SetError_REAL #151

Closed
@SDLBugzilla

Description

@SDLBugzilla

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-05-09 06:39:31 +0000, pwd wrote:

Created attachment 3777
poc

libsdl2

version

libsdl2 2.0.9

others

please send email to  teamseri0us360@gmail.com if you have any questions.

SDL_SetError_REAL @ SDL_error.c:65-18___SEGV_UNKNOW

description

An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an invalid free error in function SDL_SetError_REAL at SDL_error.c:65-18

commandline

loadjpg  @@ 

source

  61     if (fmt == NULL) return -1;
  62 
  63     /* Copy in the key, mark error as valid */
  64     error = SDL_GetErrBuf();
>  65     error->error =1;
  66     SDL_strlcpy((char *) error->key, fmt, sizeof(error->key));
  67 
  68     va_start(ap, fmt);
  69     error->argc = 0;
  70     while (*fmt) {

// ./loadjpg_g /work/pwd-libsdl2-loadjpg-00/vuln/vuln/SDL_SetError_REAL\@SDL_error.c\:65-18___SEGV_UNKNOW
// *** Error in `./loadjpg_g': free(): invalid next size (fast): 0x00000000019377b0 ***
// ======= Backtrace: =========
// /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f81fd0757e5]
// /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f81fd07e37a]
// /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f81fd08253c]
// /src/libsdl2/installed-debug/lib/libSDL2-2.0.so.0(+0x5fa1c)[0x7f81fd427a1c]
// /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadPCX_RW+0x638)[0x7f81fd6dd7d8]
// /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadTyped_RW+0x150)[0x7f81fd6d9d00]
// ./loadjpg_g[0x4007e2]
// /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f81fd01e830]
// ./loadjpg_g[0x4006d9]
// ======= Memory map: ========
// 00400000-00401000 r-xp 00000000 00:27 4750                               /src/loadjpg_g
// 00600000-00601000 r--p 00000000 00:27 4750                               /src/loadjpg_g
// 00601000-00602000 rw-p 00001000 00:27 4750                               /src/loadjpg_g

bug report

ASAN:DEADLYSIGNAL
=================================================================
==8792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4862d2f32f bp 0x7ffd94dc6270 sp 0x7ffd94dc5c20 T0)
    # 0 0x7f4862d2f32e in SDL_SetError_REAL /src/libsdl2/src/SDL_error.c:65:18
    # 1 0x7f4862d315a1 in SDL_Error_REAL /src/libsdl2/src/SDL_error.c:172:16
    # 2 0x7f4862d9d0c2 in stdio_read /src/libsdl2/src/file/SDL_rwops.c:387:9
    # 3 0x7f4863301b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17
    # 4 0x7f48632f09bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    # 5 0x7f48632eff41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    # 6 0x4ea140 in main /src/loadjpg.c:8:37
    # 7 0x7f4861df682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    # 8 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/SDL_error.c:65:18 in SDL_SetError_REAL
==8792==ABORTING

others

from fuzz project pwd-libsdl2-loadjpg-00
crash name pwd-libsdl2-loadjpg-00-00000023-20190419.jpg
Auto-generated by pyspider at 2019-04-19 03:02:22

On 2019-05-28 15:00:38 +0000, Hugo Lefeuvre wrote:

This issue was assigned CVE-2019-12219.

I can also confirm that the bug is located in SDL_image.

This issue is very similar to # 4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).

Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4621.

On 2019-06-10 23:22:35 +0000, Sam Lantinga wrote:

This is fixed, thanks!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions