6 bugs found in sam2p #14
Comments
bug 3 add: Line 285 in ac4dee3

Thank you very much for finding and reporting these bugs, your contribution is very much appreciated! I will fix the bugs based on your recommendations and report progress on this issue.
@fpbibi It would be easier to coordinate issues if you reported one case per issue report. Please consider doing so in the future, thanks.

Ok, I'm sorry about that. @fgeek I will split bugs into different issues next time.
@fgeek @pts Hello~~ It's my pleasure to add information about bug 4 and bug 5.

bug 4: In this function (Line 751 in ac4dee3), when getNcols returns 0 to ncols (Line 753 in ac4dee3), --ncols makes it 0xffffffff and causes an integer overflow (Line 756 in ac4dee3). So the loop will execute 0xffffffff times (Line 767 in ac4dee3). In the for(......), the parameter d is on the stack (Line 768 in ac4dee3): when the parameter ncols is 0xffffffff, d[i] will be an address on the stack. So it causes an arbitrary write to this address, which may lead to code execution. That's why the program received a segmentation fault. Firstly, getNcols returns 0 to ncols; in the for(......), the parameter d is on the stack; i runs from 0 to 0xffffffff, and we can write to the stack 0xffffffff times (Line 768 in ac4dee3).

bug 5: Line 77 in ac4dee3
Here, xpmColors_ofs is a global array in the .bss area of the program, and when the program calculates the offset (v&65535)%xpmColors_mod, the answer is 0x450. xpmColors_dat is also in the .bss. So p = xpmColors_dat + xpmColors_ofs[(v&65535)%xpmColors_mod] will be an illegal address. If we design xpmColors_ofs[(v&65535)%xpmColors_mod] carefully, we can do an arbitrary write.
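As an added, editorial example (not code from sam2p and not posted by anyone in this thread), the three XPM-side problems in one small C program: the signed-byte table index from bug 3, the --ncols wrap from bug 4, and the offset-table bound from bug 5 that the comment above walks through. The table lengths 1098 and 1109 and the key bytes 0xa0 0x20 are the values quoted in the report; the table contents, the function names and the return conventions are constructed for this demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Table geometry quoted in the report: the offset table has 1098 entries but
 * the modulus used to index it is 1109, so slots 1098..1108 lie past the end.
 * The contents are constructed (all zero); only the lengths matter here. */
#define OFS_LEN 1098
#define OFS_MOD 1109
static unsigned short xpm_ofs[OFS_LEN];

/* The two key bytes from the bug 3 report. */
static const unsigned char bug3_key[2] = { 0xa0, 0x20 };

/* bug 3: a two-byte colour key widened into a table index. With a signed byte
 * 0xa0 is -96, so -96*256 + 0x20 = -24544, which widens to 0xffffffffffffa020
 * on a 64-bit size_t. 'signed char' is spelled out so the demonstration does
 * not depend on the platform's plain-char signedness (plain char is signed on
 * x86, which is what the reporter hit). */
static size_t key_index_buggy(const signed char *p) {
    return (size_t)(p[0] * 256 + p[1]);
}

/* Fixed: bytes are unsigned, so the index is 0xa020 and stays inside any
 * table sized for 65536 two-byte keys. */
static size_t key_index_fixed(const unsigned char *p) {
    return (size_t)p[0] * 256 + p[1];
}

/* bug 4: the palette loop bound comes from --ncols on an unsigned count. With
 * ncols == 0 the decrement wraps to UINT_MAX and the loop walks d[] off the
 * stack. Returning a signed value lets 0 be rejected before the decrement. */
static unsigned palette_last_index_buggy(unsigned ncols) {
    --ncols;                       /* 0 -> 0xffffffff */
    return ncols;
}
static long palette_last_index(unsigned ncols) {
    if (ncols == 0) return -1;     /* no colours: nothing to loop over */
    return (long)ncols - 1;
}

/* bug 5: hashed colour lookup. Reducing modulo OFS_MOD does not keep the index
 * inside a table of OFS_LEN entries, so the bound has to be checked explicitly.
 * Returns the table entry, or -1 when the slot does not exist. */
static long color_offset(unsigned v) {
    unsigned idx = (v & 65535u) % OFS_MOD;
    if (idx >= OFS_LEN) return -1; /* the unguarded code reads xpm_ofs[idx] here */
    return xpm_ofs[idx];
}

int main(void) {
    printf("bug 3: signed index %#zx, unsigned index %#zx\n",
           key_index_buggy((const signed char *)bug3_key), key_index_fixed(bug3_key));
    printf("bug 4: --ncols with ncols=0 gives %#x, guarded version gives %ld\n",
           palette_last_index_buggy(0), palette_last_index(0));
    printf("bug 5: v=0x450 -> %ld, v=5 -> %ld\n", color_offset(0x450), color_offset(5));
    return 0;
}
```

The v=0x450 case is the offset the comment computes: 0x450 is 1104, which is below the modulus 1109 but at or past the table's 1098 entries, so the modulo reduction alone is not a bounds check.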
Fixed all these bugs and created a new binary release: https://github.com/pts/sam2p/releases/tag/v0.49.4
Original report:
bug 1: integer-overflow (leads to heap-buffer-overflow)
poc: https://drive.google.com/open?id=0B4aWmtdznlVKaXJKbU13cTBCTTg
asan: https://drive.google.com/open?id=0B4aWmtdznlVKbkE1dEloaGdudms
method: ./sam2p crash EPS: /dev/null
reason:
sam2p/in_pcx.cpp, Line 165 in ac4dee3
After the subtraction, w will be a negative number.
sam2p/in_pcx.cpp, Line 441 in ac4dee3
So pad will become larger when the program uses it to subtract w.
sam2p/in_pcx.cpp, Line 490 in ac4dee3
And when using pad, it will access invalid memory before the allocated chunk.
patch: change w from signed to unsigned.

bug 2: heap-buffer-overflow
poc: https://drive.google.com/open?id=0B4aWmtdznlVKYzhJZjVZbDhBbG8
asan: https://drive.google.com/open?id=0B4aWmtdznlVKelhYUFFGOGRKaDQ
method: ./sam2p crash EPS: /dev/null
reason:
sam2p/in_pcx.cpp, Line 340 in ac4dee3
The crash happened in the pcxLoadImage24 function of the file in_pcx.cpp. The size of Pic24 is w * h * planes.
But the loop count is nbytes = bperlin * h * planes, and in the loop, pix is incremented each time.
It will cause a heap overflow when bperlin > w.
In this poc, bperlin = 0x320, w = 0x300.
patch: compare the sizes of w and bperlin.

bug 3: integer-overflow
poc: https://drive.google.com/open?id=0B4aWmtdznlVKT2pDeU5rdlV4RlU
asan: https://drive.google.com/open?id=0B4aWmtdznlVKb05nWTlkZlIwUm8
method: ./sam2p crash EPS: /dev/null
reason:
It crashed in the function in_xpm_reader. The type of p is char*.
When p[0] = 0xa0 and p[1] = 0x20, p[0] will be recognized as a negative integer, which makes bin[0xffffffffffffa020] = I and causes a crash.
patch: change p from signed to unsigned char*.

bug 4: integer-overflow
poc: https://drive.google.com/open?id=0B4aWmtdznlVKUGttRHhDU0REMjQ
asan: https://drive.google.com/open?id=0B4aWmtdznlVKNzBJazNId1RHYzg
method: ./sam2p crash EPS: /dev/null
reason:
sam2p/image.cpp, Line 751 in ac4dee3
In this poc, when getNcols returns 0 to ncols, --ncols makes it 0xffffffff and causes an integer overflow. So the loop will execute 0xffffffff times, which causes the crash.
patch: define ncols as an int, or check whether ncols is NULL.

bug 5: out-of-bounds access
poc: https://drive.google.com/open?id=0B4aWmtdznlVKSUpaODdRN2w5ekE
asan: https://drive.google.com/open?id=0B4aWmtdznlVKYUxsSnVLUGNwa2c
method: ./sam2p crash EPS: /dev/null
reason:
sam2p/in_xpm.cpp, Line 77 in ac4dee3
In in_xpm.cpp's function parse_rgb(), xpmColors_mod = 1109, but the size of xpmColors_ofs is 1098.
If (v&65535)%xpmColors_mod > 1098, it will crash.
patch:
modify xpmColors_mod or expand xpmColors_ofs.

bug 6: integer-overflow
poc: https://drive.google.com/open?id=0B4aWmtdznlVKVFgzSjNMdkJyV00
asan: https://drive.google.com/open?id=0B4aWmtdznlVKc1J3MS1LUmVBekU
method: ./sam2p crash EPS: /dev/null
reason:
sam2p/in_pcx.cpp, Line 362 in ac4dee3
In in_pcx.cpp's function pcxLoadImage24, w*h*planes will cause an integer overflow.
patch:
check the value of w*h*planes before malloc.
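As an added example, not part of the report above and not sam2p's own fix, here is one way to close the three PCX-side bugs (1, 2 and 6) together in C: a header check that computes w*h*planes with overflow detection and rejects a non-positive width or a bperlin shorter than w, followed by a copy loop bounded by w rather than by bperlin. The values bperlin=0x320 and w=0x300 are taken from the bug 2 PoC; the function names, the planar output layout and the sample scanline data are this example's own assumptions. The report's suggested patches differ in form (making w unsigned for bug 1, for instance); this example funnels all three conditions through one gatekeeper instead.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Validates a 24-bit PCX header before the pixel buffer is allocated and
 * returns the buffer size w*h*planes through *out. Rejects the header
 * combinations behind bugs 1, 2 and 6 of the report:
 *   w <= 0       bug 1: a width that went negative after the header subtraction
 *                makes pad = bperlin - w larger than bperlin, and the decoder
 *                then indexes in front of the chunk;
 *   bperlin < w  bug 2: the decode loop advances one output byte per source
 *                byte, so a line longer than w overruns the w-sized rows (the
 *                copy below handles bperlin > w by dropping the padding, but a
 *                line shorter than w would make the copy overread the source);
 *   overflow     bug 6: w*h*planes wrapping before it reaches malloc.
 * Returns 0 on success, -1 if the header is rejected. */
static int pcx_image_bytes(int w, int h, int planes, int bperlin, size_t *out) {
    if (w <= 0 || h <= 0 || planes <= 0 || bperlin < w) return -1;
    size_t a = (size_t)w, b = (size_t)h, c = (size_t)planes;
    if (a > SIZE_MAX / b) return -1;          /* w*h would wrap */
    size_t wh = a * b;
    if (wh > SIZE_MAX / c) return -1;         /* w*h*planes would wrap */
    *out = wh * c;
    return 0;
}

/* Copies already-decoded scanlines into a fresh w*h*planes buffer (RLE
 * decoding is out of scope). Each source scanline holds `planes` plane rows of
 * bperlin bytes; only the first w bytes of each plane row are pixels, the rest
 * is padding. The loop is bounded by w, not bperlin, so the output pointer can
 * never pass the end of the buffer. Storing plane rows back to back is an
 * assumption of this example, not sam2p's layout. Returns NULL on a rejected
 * header or malloc failure. */
static unsigned char *pcx_copy_planes(const unsigned char *src, int w, int h,
                                      int planes, int bperlin, size_t *len) {
    size_t n;
    if (pcx_image_bytes(w, h, planes, bperlin, &n) != 0) return NULL;
    unsigned char *pic = malloc(n);
    if (pic == NULL) return NULL;
    unsigned char *pix = pic;
    for (int y = 0; y < h; y++) {
        for (int pl = 0; pl < planes; pl++) {
            memcpy(pix, src, (size_t)w);      /* w bytes per plane row, never bperlin */
            pix += w;
            src += bperlin;                   /* skip this plane row's padding */
        }
    }
    *len = n;
    return pic;
}

/* Runs the copy on constructed input using the report's bperlin/w values with
 * a small height, and checks that every pixel landed where expected.
 * Returns 0 on success, -1 on a rejected header or any mismatch. */
static int pcx_demo(void) {
    enum { W = 0x300, H = 2, PLANES = 3, BPERLIN = 0x320 };
    unsigned char src[BPERLIN * H * PLANES];  /* constructed sample scanlines */
    for (size_t i = 0; i < sizeof src; i++) src[i] = (unsigned char)(i * 7);
    size_t len = 0;
    unsigned char *pic = pcx_copy_planes(src, W, H, PLANES, BPERLIN, &len);
    if (pic == NULL || len != (size_t)W * H * PLANES) return -1;
    int ok = 1;
    for (int row = 0; row < H * PLANES; row++)   /* row = y*planes + plane */
        if (memcmp(pic + (size_t)row * W, src + (size_t)row * BPERLIN, W) != 0) ok = 0;
    free(pic);
    return ok ? 0 : -1;
}

int main(void) {
    size_t n;
    if (pcx_image_bytes(INT_MAX, INT_MAX, INT_MAX, INT_MAX, &n) == -1)
        puts("bug 6 case: oversized w*h*planes rejected before malloc");
    if (pcx_image_bytes(-5, 2, 3, 0x320, &n) == -1)
        puts("bug 1 case: negative width rejected");
    return pcx_demo() == 0 ? 0 : 1;
}
```

With the PoC's numbers the naive loop writes bperlin*h*planes bytes into a buffer of w*h*planes, an overrun of 0x20 bytes per plane row; bounding the copy by w removes that regardless of how much padding the file declares, and the overflow check stops a wrapped size from ever reaching malloc.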