ASAN:DEADLYSIGNAL
=================================================================
==7803==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041c6ad bp 0x7ffc915be8c0 sp 0x7ffc915be020 T0)
#0 0x41c6ac in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/src/aflbuild/installed/bin/loadjpg+0x41c6ac)
#1 0x4b89bc in __interceptor_cfree.localalias.0 (/src/aflbuild/installed/bin/loadjpg+0x4b89bc)
#2 0x7f82c6095ae7 in SDL_free_REAL /src/libsdl2/src/stdlib/SDL_malloc.c:5372:5
#3 0x7f82c61c7f01 in SDL_FreePalette_REAL /src/libsdl2/src/video/SDL_pixels.c:734:5
#4 0x7f82c61c7f01 in SDL_SetPixelFormatPalette_REAL /src/libsdl2/src/video/SDL_pixels.c:685
#5 0x7f82c61d9f96 in SDL_SetSurfacePalette_REAL /src/libsdl2/src/video/SDL_surface.c:221:9
#6 0x7f82c61d9f96 in SDL_FreeSurface_REAL /src/libsdl2/src/video/SDL_surface.c:1233
#7 0x7f82c652d0b1 in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:252:13
#8 0x7f82c651a9bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
#9 0x7f82c6519f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
#10 0x4ea140 in main /src/loadjpg.c:8:37
#11 0x7f82c502082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/aflbuild/installed/bin/loadjpg+0x41c6ac) in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType)
==7803==ABORTING
On 2019-05-25 11:32:37 +0000, Hugo Lefeuvre wrote:
Created attachment 3797
CVE-2019-12221: patch proposal (pcx: do not write directly to row buffer)
Patch proposal in attachment.
I can provide more detailed explanations if needed.
On 2019-05-25 11:35:20 +0000, Hugo Lefeuvre wrote:
(In reply to Hugo Lefeuvre from comment #1)
(rationale is in the patch's header, putting it here as well for readability)
The PCX format specifies pcxh.BytesPerLine, which represents the size of a
single plane's scanline in bytes. Valid PCX images should have
pcxh.BytesPerLine >= surface->pitch.
pcxh.BytesPerLine and surface->pitch can legitimately be different because
pcxh.BytesPerLine is padded to be a multiple of the machine word length (where
the file was created).
If src_bits == 8, we directly read a whole scanline from src into row. This is
a problem in the case where bpl > surface->pitch, because row is too small.
This allows an attacker to perform an unlimited OOB write on the heap.
- remove the pointless check bpl > surface->pitch; this is a valid situation
- make sure we always read into buf, which is big enough
- in the case where src_bits == 8: copy these bytes back to row afterwards
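The rationale above describes the fix in terms of SDL_image's IMG_pcx.c. What follows is an added, stand-alone C example, not the project's code and not the attached patch, that models the hardened row path the rationale calls for: every scanline, raw or RLE, is decoded into a scratch buffer sized for the larger of BytesPerLine and the surface pitch, and only min(bpl, pitch) bytes are then copied into the row, so a header that claims a BytesPerLine larger than the pitch can no longer write past the row. The function names (pcx_load_8bit, pcx_decode_rle_row, pcx_direct_read_overflow), the run-clamping rule, the canary check and the two sample scanline bodies are constructions of this example; pcx_direct_read_overflow only restates, as arithmetic, what the rationale says the 2.0.4 direct read did.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Decode one RLE-encoded PCX scanline (bpl bytes) from src into out.
 * Returns the number of input bytes consumed, or 0 if the input ran out. */
static size_t pcx_decode_rle_row(const uint8_t *src, size_t srclen,
                                 uint8_t *out, size_t bpl)
{
    size_t in = 0, outpos = 0;
    while (outpos < bpl) {
        if (in >= srclen) return 0;
        uint8_t ch = src[in++];
        size_t count = 1;
        if ((ch & 0xC0) == 0xC0) {          /* two high bits set: run marker */
            count = ch & 0x3F;
            if (in >= srclen) return 0;
            ch = src[in++];
        }
        if (count > bpl - outpos)            /* assumption: a run never crosses a scanline */
            count = bpl - outpos;
        memset(out + outpos, ch, count);
        outpos += count;
    }
    return in;
}

/* Bytes written past the end of a pitch-byte row when a whole bpl-byte
 * scanline is read straight into it (the 2.0.4 behaviour as described above). */
size_t pcx_direct_read_overflow(size_t bpl, size_t pitch)
{
    return bpl > pitch ? bpl - pitch : 0;
}

/* Hardened loader for an 8-bit, single-plane PCX body: decode into a scratch
 * buffer that fits both sizes, then copy only min(bpl, pitch) bytes per row.
 * Returns 0 on success, -1 on truncated input or bad parameters. */
int pcx_load_8bit(const uint8_t *src, size_t srclen, int encoding,
                  size_t bpl, size_t pitch, size_t h, uint8_t *pixels)
{
    if (bpl == 0 || pitch == 0) return -1;
    size_t scratch = bpl > pitch ? bpl : pitch;
    size_t copy = bpl < pitch ? bpl : pitch;
    uint8_t *buf = calloc(scratch, 1);
    if (!buf) return -1;
    size_t in = 0;
    for (size_t y = 0; y < h; y++) {
        if (encoding == 0) {                 /* uncompressed scanline */
            if (srclen - in < bpl) { free(buf); return -1; }
            memcpy(buf, src + in, bpl);
            in += bpl;
        } else {                             /* RLE scanline */
            size_t used = pcx_decode_rle_row(src + in, srclen - in, buf, bpl);
            if (used == 0) { free(buf); return -1; }
            in += used;
        }
        memcpy(pixels + y * pitch, buf, copy);   /* never more than the row holds */
    }
    free(buf);
    return 0;
}

/* Constructed sample: 5x2 pixels, 8 bpp. The surface pitch is padded to 8
 * bytes; the (hostile) header claims BytesPerLine = 10 > pitch. */
#define DEMO_H 2
#define DEMO_PITCH 8
#define DEMO_BPL 10
#define CANARY 0xAA

static const uint8_t demo_rle_body[] = {
    0xCA, 0x11,                                   /* row 0: run of 10 x 0x11 */
    0x01, 0x02, 0x03, 0x04, 0x05, 0xC5, 0x00      /* row 1: 5 literals, run of 5 x 0x00 */
};
static const uint8_t demo_raw_body[DEMO_H * DEMO_BPL] = {
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x01,0x02,0x03,0x04,0x05,0x00,0x00,0x00,0x00,0x00
};
static const uint8_t demo_expected[DEMO_H * DEMO_PITCH] = {
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x01,0x02,0x03,0x04,0x05,0x00,0x00,0x00
};

/* 1 = pixels correct and canary untouched, 0 = wrong pixels or canary
 * clobbered (i.e. an overflow), -1 = input rejected. */
static int run_demo(const uint8_t *src, size_t srclen, int encoding)
{
    uint8_t pixels[DEMO_H * DEMO_PITCH + 8];
    memset(pixels, CANARY, sizeof pixels);
    if (pcx_load_8bit(src, srclen, encoding, DEMO_BPL, DEMO_PITCH, DEMO_H, pixels) != 0)
        return -1;
    for (size_t i = DEMO_H * DEMO_PITCH; i < sizeof pixels; i++)
        if (pixels[i] != CANARY) return 0;
    return memcmp(pixels, demo_expected, sizeof demo_expected) == 0 ? 1 : 0;
}

int demo_rle(void)           { return run_demo(demo_rle_body, sizeof demo_rle_body, 1); }
int demo_raw(void)           { return run_demo(demo_raw_body, sizeof demo_raw_body, 0); }
int demo_rle_truncated(void) { return run_demo(demo_rle_body, sizeof demo_rle_body - 1, 1); }
int demo_raw_truncated(void) { return run_demo(demo_raw_body, sizeof demo_raw_body - 1, 0); }

int main(void)
{
    printf("direct read with bpl=%d pitch=%d would overflow by %zu bytes\n",
           DEMO_BPL, DEMO_PITCH, pcx_direct_read_overflow(DEMO_BPL, DEMO_PITCH));
    printf("rle=%d raw=%d rle_truncated=%d raw_truncated=%d\n",
           demo_rle(), demo_raw(), demo_rle_truncated(), demo_raw_truncated());
    return 0;
}
```

The canary bytes after the pixel buffer are what the ASAN report above would have caught for the original code; here they stay intact because the copy length is bounded by the pitch, while the truncated inputs are rejected instead of being decoded with stale or uninitialised bytes.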
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-05-09 06:49:35 +0000, pwd wrote:
On 2019-06-10 22:41:25 +0000, Sam Lantinga wrote: