a null-pointer-dereference in function stdio_read

[SDLBugzilla]

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

• poc (poc.tar.gz, application/gzip, 2019-05-09 06:44:04 +0000, 257 bytes)

Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-05-09 06:44:04 +0000, pwd wrote:

Created attachment 3778
poc

libsdl2

version

libsdl2 2.0.9

others

please send email to  teamseri0us360@gmail.com if you have any questions.

---

libc.so.60x94480@___SEGV_UNKNOW

description

An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is a null-pointer-dereference in function libc.so.60x94480 at 

commandline

loadjpg  @@ 

source

// Breakpoint 1, stdio_read (context=0x60700000dfb0, ptr=0x7fffffffe460, size=2, maxnum=1) at /src/libsdl2/src/file/SDL_rwops.c:385
// 385         nread = fread(ptr, size, maxnum, context->hidden.stdio.fp);
// (gdb) c 11
// Will ignore next 10 crossings of breakpoint 1.  Continuing.

// Breakpoint 1, stdio_read (context=0x60700000dfb0, ptr=0x0, size=1, maxnum=1) at /src/libsdl2/src/file/SDL_rwops.c:385
// 385         nread = fread(ptr, size, maxnum, context->hidden.stdio.fp);
// (gdb) p ptr
// $2 = (void *) 0x0
// (gdb)

bug report

ASAN:DEADLYSIGNAL
=================================================================
==4334==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f43724b0481 bp 0x000000000010 sp 0x7ffefadce5d8 T0)
    # 0 0x7f43724b0480  (/lib/x86_64-linux-gnu/libc.so.6+0x94480)
    # 1 0x7f4372494fd2  (/lib/x86_64-linux-gnu/libc.so.6+0x78fd2)
    # 2 0x7f437248a235 in fread (/lib/x86_64-linux-gnu/libc.so.6+0x6e235)
    # 3 0x7f43733e304d in stdio_read /src/libsdl2/src/file/SDL_rwops.c:385:13
    # 4 0x7f4373947b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17
    # 5 0x7f43739369bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    # 6 0x7f4373935f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    # 7 0x4ea140 in main /src/loadjpg.c:8:37
    # 8 0x7f437243c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    # 9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94480) 
==4334==ABORTING

others

from fuzz project pwd-libsdl2-loadjpg-00
crash name pwd-libsdl2-loadjpg-00-00000008-20190418.jpg
Auto-generated by pyspider at 2019-04-18 07:02:09

On 2019-05-29 13:30:03 +0000, Hugo Lefeuvre wrote:

This was assigned CVE-2019-12217.

I can confirm that this is an issue in SDL_image.

The underlying bug is the same as # 4628 (CVE-2019-12221). It is also fixed by the same patch ([PATCH] pcx: do not write directly to row buffer).

Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4628

On 2019-06-10 23:22:04 +0000, Sam Lantinga wrote:

This is fixed, thanks!

On 2019-06-19 10:52:26 +0000, Castro B wrote:

Thank you! Fix

Castro B,
http://sitederencontrebelge.be

On 2019-07-31 02:04:28 +0000, sam zain wrote:

very nice post.
http://www.winmilliongame.com
http://www.gtagame100.com
http://www.subway-game.com
http://www.zumagame100.com