Closed
Description
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-05-09 06:46:23 +0000, pwd wrote:
Created attachment 3779
poc

libsdl2

version
libsdl2 2.0.9

others
please send email to teamseri0us360@gmail.com if you have any questions.

SDL_FreePalette_REAL@SDL_pixels.c:731-9___SEGV_UNKNOW

description
An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4. There is an out-of-bounds read in function SDL_FreePalette_REAL at SDL_pixels.c:731-9.

commandline
loadjpg @@

source
727     if (!palette) {
728         SDL_InvalidParamError("palette");
729         return;
730     }
> 731     if (--palette->refcount > 0) {
732         return;
733     }
734     SDL_free(palette->colors);
735     SDL_free(palette);
736 }

// Breakpoint 2, SDL_FreePalette_REAL (palette=0x60300000efe0) at /src/libsdl2/src/video/SDL_pixels.c:731
// 731         if (--palette->refcount > 0) {
// (gdb) p palette
// $4 = (SDL_Palette *) 0x60300000efe0
// (gdb) c
// Continuing.
// Breakpoint 2, SDL_FreePalette_REAL (palette=0xe7f301010004ff0b) at /src/libsdl2/src/video/SDL_pixels.c:731
// 731         if (--palette->refcount > 0) {
// (gdb) p palette
// $5 = (SDL_Palette *) 0xe7f301010004ff0b
// (gdb)

bug report
ASAN:DEADLYSIGNAL
=================================================================
==3914==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f61229a1ea0 bp 0x0c0c00001df9 sp 0x7fffa5db4690 T0)
    #0 0x7f61229a1e9f in SDL_FreePalette_REAL /src/libsdl2/src/video/SDL_pixels.c:731:9
    #1 0x7f61229a1e9f in SDL_SetPixelFormatPalette_REAL /src/libsdl2/src/video/SDL_pixels.c:685
    #2 0x7f61229b3f96 in SDL_SetSurfacePalette_REAL /src/libsdl2/src/video/SDL_surface.c:221:9
    #3 0x7f61229b3f96 in SDL_FreeSurface_REAL /src/libsdl2/src/video/SDL_surface.c:1233
    #4 0x7f6122d070b1 in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:252:13
    #5 0x7f6122cf49bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    #6 0x7f6122cf3f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    #7 0x4ea140 in main /src/loadjpg.c:8:37
    #8 0x7f61217fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/video/SDL_pixels.c:731:9 in SDL_FreePalette_REAL
==3914==ABORTING

others
from fuzz project pwd-libsdl2-loadjpg-00
crash name pwd-libsdl2-loadjpg-00-00000001-20190418.jpg
Auto-generated by pyspider at 2019-04-18 06:32:03
On 2019-05-28 14:52:21 +0000, Hugo Lefeuvre wrote:
This issue was assigned CVE-2019-12220.
I confirm that the bug is located in SDL_image.
This issue is very similar to #4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).
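The fix title above names two hardening steps for the PCX loader: do the buffer-size arithmetic in a wide, explicitly cast type, and refuse to continue when calloc returns NULL. The following is an added illustration of that pattern and is not SDL_image's own patch; the struct `pcx_dims`, the functions `pcx_parse_dims`, `pcx_buffer_size`, `pcx_alloc_buffer` and `make_test_header`, and the sample headers are all constructed for this example. Only the byte offsets read from the 128-byte header follow the real PCX layout.

```c
/* Added illustration of "cast size and check calloc return value" for a
 * PCX-style header. Not SDL_image's code; all names below are invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pcx_dims {                 /* sizing fields of a PCX header (hypothetical struct) */
    uint16_t xmin, ymin, xmax, ymax;
    uint8_t  planes;
    uint16_t bytes_per_line;
};

static uint16_t rd16le(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pull the sizing fields out of a 128-byte PCX header. Returns 0, or -1 on
 * a short buffer or wrong manufacturer byte (0x0A for PCX). */
int pcx_parse_dims(const unsigned char *hdr, size_t hdr_len, struct pcx_dims *d)
{
    if (hdr_len < 128 || hdr[0] != 0x0A) return -1;
    d->xmin = rd16le(hdr + 4);  d->ymin = rd16le(hdr + 6);
    d->xmax = rd16le(hdr + 8);  d->ymax = rd16le(hdr + 10);
    d->planes = hdr[65];
    d->bytes_per_line = rd16le(hdr + 66);
    return 0;
}

/* Size the decode buffer in size_t after explicit casts, so the product of
 * file-controlled 16-bit fields cannot wrap in int arithmetic, and reject
 * degenerate geometry. Returns 0 and sets *out, or -1. */
int pcx_buffer_size(const struct pcx_dims *d, size_t *out)
{
    if (d->xmax < d->xmin || d->ymax < d->ymin) return -1;
    size_t width  = (size_t)d->xmax - d->xmin + 1;
    size_t height = (size_t)d->ymax - d->ymin + 1;
    size_t stride = (size_t)d->bytes_per_line * d->planes;
    if (stride == 0 || stride < width) return -1;   /* a scanline must hold width pixels */
    if (stride > SIZE_MAX / height) return -1;      /* stride * height would overflow */
    *out = stride * height;
    return 0;
}

/* Allocate the zeroed buffer and propagate failure instead of continuing
 * with a NULL pointer into later decode and cleanup steps. */
unsigned char *pcx_alloc_buffer(const struct pcx_dims *d, size_t *len)
{
    size_t n;
    if (pcx_buffer_size(d, &n) != 0) return NULL;
    unsigned char *buf = calloc(n, 1);
    if (buf == NULL) return NULL;                   /* the unchecked calloc is the bug class named in the fix */
    *len = n;
    return buf;
}

/* Build a constructed 128-byte PCX header with the given geometry. */
void make_test_header(unsigned char *hdr, uint16_t xmax, uint16_t ymax,
                      uint8_t planes, uint16_t bpl)
{
    memset(hdr, 0, 128);
    hdr[0] = 0x0A; hdr[1] = 5; hdr[2] = 1; hdr[3] = 8;  /* manufacturer, version, RLE, 8 bpp */
    hdr[8]  = (unsigned char)(xmax & 0xFF); hdr[9]  = (unsigned char)(xmax >> 8);
    hdr[10] = (unsigned char)(ymax & 0xFF); hdr[11] = (unsigned char)(ymax >> 8);
    hdr[65] = planes;
    hdr[66] = (unsigned char)(bpl & 0xFF);  hdr[67] = (unsigned char)(bpl >> 8);
}

int main(void)
{
    unsigned char hdr[128];
    struct pcx_dims d;
    size_t len = 0;

    make_test_header(hdr, 15, 15, 1, 16);           /* sane 16x16 image */
    if (pcx_parse_dims(hdr, sizeof hdr, &d) == 0) {
        unsigned char *buf = pcx_alloc_buffer(&d, &len);
        printf("sane header: %s, %zu bytes\n", buf ? "allocated" : "rejected", len);
        free(buf);
    }

    make_test_header(hdr, 15, 15, 1, 8);            /* bytes_per_line too small for width */
    pcx_parse_dims(hdr, sizeof hdr, &d);
    printf("short scanline header: %s\n", pcx_buffer_size(&d, &len) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of `pcx_buffer_size` is that every operand is widened before multiplication and the result is compared against SIZE_MAX before the allocation; `pcx_alloc_buffer` then makes the NULL case a reported failure rather than a pointer that a later SDL_FreeSurface path would dereference.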
On 2019-05-28 14:52:54 +0000, Hugo Lefeuvre wrote:
On 2019-06-10 23:21:42 +0000, Sam Lantinga wrote:
This is fixed, thanks!