Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
These attachments are available in the static archive:
Reported in version: 2.0.4 Reported for operating system, platform: Linux, x86_64
On 2019-05-09 06:44:04 +0000, pwd wrote:
Created attachment 3778 poc libsdl2 version libsdl2 2.0.9 others please send email to teamseri0us360@gmail.com if you have any questions. libc.so.60x94480@___SEGV_UNKNOW description An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is a null-pointer-dereference in function libc.so.60x94480 at commandline loadjpg @@ source // Breakpoint 1, stdio_read (context=0x60700000dfb0, ptr=0x7fffffffe460, size=2, maxnum=1) at /src/libsdl2/src/file/SDL_rwops.c:385 // 385 nread = fread(ptr, size, maxnum, context->hidden.stdio.fp); // (gdb) c 11 // Will ignore next 10 crossings of breakpoint 1. Continuing. // Breakpoint 1, stdio_read (context=0x60700000dfb0, ptr=0x0, size=1, maxnum=1) at /src/libsdl2/src/file/SDL_rwops.c:385 // 385 nread = fread(ptr, size, maxnum, context->hidden.stdio.fp); // (gdb) p ptr // $2 = (void *) 0x0 // (gdb) bug report ASAN:DEADLYSIGNAL ================================================================= ==4334==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f43724b0481 bp 0x000000000010 sp 0x7ffefadce5d8 T0) # 0 0x7f43724b0480 (/lib/x86_64-linux-gnu/libc.so.6+0x94480) # 1 0x7f4372494fd2 (/lib/x86_64-linux-gnu/libc.so.6+0x78fd2) # 2 0x7f437248a235 in fread (/lib/x86_64-linux-gnu/libc.so.6+0x6e235) # 3 0x7f43733e304d in stdio_read /src/libsdl2/src/file/SDL_rwops.c:385:13 # 4 0x7f4373947b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17 # 5 0x7f43739369bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17 # 6 0x7f4373935f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12 # 7 0x4ea140 in main /src/loadjpg.c:8:37 # 8 0x7f437243c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) # 9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94480) ==4334==ABORTING others from fuzz project pwd-libsdl2-loadjpg-00 crash name pwd-libsdl2-loadjpg-00-00000008-20190418.jpg Auto-generated by pyspider at 2019-04-18 07:02:09
Created attachment 3778 poc
libsdl2 2.0.9
please send email to teamseri0us360@gmail.com if you have any questions.
An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is a null-pointer-dereference in function libc.so.60x94480 at
loadjpg @@
// Breakpoint 1, stdio_read (context=0x60700000dfb0, ptr=0x7fffffffe460, size=2, maxnum=1) at /src/libsdl2/src/file/SDL_rwops.c:385 // 385 nread = fread(ptr, size, maxnum, context->hidden.stdio.fp); // (gdb) c 11 // Will ignore next 10 crossings of breakpoint 1. Continuing. // Breakpoint 1, stdio_read (context=0x60700000dfb0, ptr=0x0, size=1, maxnum=1) at /src/libsdl2/src/file/SDL_rwops.c:385 // 385 nread = fread(ptr, size, maxnum, context->hidden.stdio.fp); // (gdb) p ptr // $2 = (void *) 0x0 // (gdb)
ASAN:DEADLYSIGNAL ================================================================= ==4334==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f43724b0481 bp 0x000000000010 sp 0x7ffefadce5d8 T0) # 0 0x7f43724b0480 (/lib/x86_64-linux-gnu/libc.so.6+0x94480) # 1 0x7f4372494fd2 (/lib/x86_64-linux-gnu/libc.so.6+0x78fd2) # 2 0x7f437248a235 in fread (/lib/x86_64-linux-gnu/libc.so.6+0x6e235) # 3 0x7f43733e304d in stdio_read /src/libsdl2/src/file/SDL_rwops.c:385:13 # 4 0x7f4373947b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17 # 5 0x7f43739369bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17 # 6 0x7f4373935f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12 # 7 0x4ea140 in main /src/loadjpg.c:8:37 # 8 0x7f437243c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) # 9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94480) ==4334==ABORTING
from fuzz project pwd-libsdl2-loadjpg-00 crash name pwd-libsdl2-loadjpg-00-00000008-20190418.jpg Auto-generated by pyspider at 2019-04-18 07:02:09
On 2019-05-29 13:30:03 +0000, Hugo Lefeuvre wrote:
This was assigned CVE-2019-12217. I can confirm that this is an issue in SDL_image. The underlying bug is the same as # 4628 (CVE-2019-12221). It is also fixed by the same patch ([PATCH] pcx: do not write directly to row buffer). Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4628
This was assigned CVE-2019-12217.
I can confirm that this is an issue in SDL_image.
The underlying bug is the same as # 4628 (CVE-2019-12221). It is also fixed by the same patch ([PATCH] pcx: do not write directly to row buffer).
Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4628
On 2019-06-10 23:22:04 +0000, Sam Lantinga wrote:
This is fixed, thanks!
On 2019-06-19 10:52:26 +0000, Castro B wrote:
Thank you! Fix Castro B, http://sitederencontrebelge.be
Thank you! Fix
Castro B, http://sitederencontrebelge.be
On 2019-07-31 02:04:28 +0000, sam zain wrote:
very nice post. http://www.winmilliongame.com http://www.gtagame100.com http://www.subway-game.com http://www.zumagame100.com
The text was updated successfully, but these errors were encountered:
No branches or pull requests
SDLBugzilla commentedFeb 11, 2021
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-05-09 06:44:04 +0000, pwd wrote:
On 2019-05-29 13:30:03 +0000, Hugo Lefeuvre wrote:
On 2019-06-10 23:22:04 +0000, Sam Lantinga wrote:
On 2019-06-19 10:52:26 +0000, Castro B wrote:
On 2019-07-31 02:04:28 +0000, sam zain wrote:
The text was updated successfully, but these errors were encountered: