
invalid free in Mapping::DoubleHash::clear (in mapping.cpp:197) #30

Closed
fantasy7082 opened this issue Feb 23, 2018 · 1 comment

Comments

@fantasy7082

There is an invalid free in Mapping::DoubleHash::clear that leads to a Segmentation fault in sam2p 0.49.4. A crafted input will lead to a denial of service attack.
Steps to Reproduce:

./sam2p 017-freenomalloc-mapping EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 017-freenomalloc-mapping
sam2p: Notice: writeTTT: using template: l23ind1
sam2p: Notice: applyProfile: applied OutputRule #9 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null
=================================================================
==20959==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x6020000082f0 in thread T0
    #0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x431348 in Mapping::DoubleHash::clear() /root/sam2p_ASAN2/sam2p/mapping.cpp:197
    #2 0x43150e in Mapping::DoubleHash15::~DoubleHash15() /root/sam2p_ASAN2/sam2p/mapping.cpp:305
    #3 0x431558 in Mapping::DoubleHash15::~DoubleHash15() /root/sam2p_ASAN2/sam2p/mapping.cpp:307
    #4 0x43f7ac in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:454
    #5 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
    #6 0x43f9d8 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.hpp:223
    #7 0x43f9d8 in MiniPS::Array::free() /root/sam2p_ASAN2/sam2p/minips.cpp:376
    #8 0x43f91f in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:222
    #9 0x43f6ff in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:451
    #10 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
    #11 0x4043e6 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1103
    #12 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
    #13 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==20959==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/017-freenomalloc-mapping
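Editor's note on the report above. ASan's "attempting free on address which was not malloc()-ed" (bad-free) means free() received a pointer that malloc() never returned, such as an uninitialized slot or a pointer that was already released and left dangling, and the trace shows clear() being reached from ~DoubleHash15(), so the destructor path is where that pointer is consumed. The following is an added illustration and is not sam2p's code, nor a reconstruction of this bug's root cause: a hypothetical, much simplified open-addressing table (the class name SafeDoubleHash, the two hash functions and the sample keys are all constructed here) whose clear() can only ever hand free() pointers the table itself allocated, and which stays harmless when run twice, once explicitly and once more from the destructor.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Hypothetical, simplified open-addressing table (not sam2p's Mapping::DoubleHash).
// Slots hold C strings that the table itself allocates, so free() is only ever
// given pointers that came from its own malloc().
class SafeDoubleHash {
 public:
  explicit SafeDoubleHash(uint32_t capacity = 16) : cap_(capacity), used_(0) {
    assert(cap_ != 0 && (cap_ & (cap_ - 1)) == 0);  // power of two, see hash2()
    // calloc zero-fills, so an untouched slot is nullptr rather than garbage.
    slots_ = static_cast<char**>(std::calloc(cap_, sizeof(char*)));
    assert(slots_ != nullptr);
  }
  // Same shape as the destructor in the ASan trace: tear down via clear().
  ~SafeDoubleHash() { clear(); std::free(slots_); }
  SafeDoubleHash(const SafeDoubleHash&) = delete;             // no shallow copies
  SafeDoubleHash& operator=(const SafeDoubleHash&) = delete;  // that would double-free

  // Stores a private copy of key; returns false once the table is half full.
  bool insert(const char* key) {
    if (used_ >= cap_ / 2) return false;
    uint32_t h1 = hash1(key), h2 = hash2(key);
    for (uint32_t i = 0; i < cap_; ++i) {
      uint32_t idx = (h1 + i * h2) % cap_;
      if (slots_[idx] == nullptr) {
        size_t n = std::strlen(key) + 1;
        char* copy = static_cast<char*>(std::malloc(n));
        assert(copy != nullptr);
        std::memcpy(copy, key, n);
        slots_[idx] = copy;  // ownership of this block now belongs to the table
        ++used_;
        return true;
      }
      if (std::strcmp(slots_[idx], key) == 0) return true;  // already present
    }
    return false;
  }

  bool contains(const char* key) const {
    uint32_t h1 = hash1(key), h2 = hash2(key);
    for (uint32_t i = 0; i < cap_; ++i) {
      uint32_t idx = (h1 + i * h2) % cap_;
      if (slots_[idx] == nullptr) return false;  // probe chain ends here
      if (std::strcmp(slots_[idx], key) == 0) return true;
    }
    return false;
  }

  // Frees only slots that hold an owned pointer and nulls them afterwards, so
  // calling clear() twice (explicitly, then again from the destructor) is harmless.
  void clear() {
    if (slots_ == nullptr) return;
    for (uint32_t i = 0; i < cap_; ++i) {
      if (slots_[i] != nullptr) {
        std::free(slots_[i]);
        slots_[i] = nullptr;
      }
    }
    used_ = 0;
  }

  uint32_t size() const { return used_; }

 private:
  // FNV-1a style primary hash.
  uint32_t hash1(const char* s) const {
    uint32_t h = 2166136261u;
    for (; *s; ++s) h = (h ^ static_cast<unsigned char>(*s)) * 16777619u;
    return h;
  }
  // Secondary step forced odd: coprime with a power-of-two capacity, so the
  // probe sequence visits every slot before repeating.
  uint32_t hash2(const char* s) const {
    uint32_t h = 5381;
    for (; *s; ++s) h = h * 33 + static_cast<unsigned char>(*s);
    return h | 1u;
  }

  char** slots_;
  uint32_t cap_;
  uint32_t used_;
};

// Exercises the invariant a destructor-driven clear() depends on: it is idempotent.
bool clear_is_idempotent() {
  SafeDoubleHash t(16);
  if (!t.insert("PS") || !t.insert("PDF") || !t.insert("PS")) return false;  // sample keys
  if (t.size() != 2 || !t.contains("PDF") || t.contains("PNG")) return false;
  t.clear();
  t.clear();  // second call must free nothing
  return t.size() == 0 && !t.contains("PS");
}

int main() { return clear_is_idempotent() ? 0 : 1; }
```

The two properties worth checking in any container implicated by a bad-free report are visible here: every slot starts as nullptr rather than uninitialized memory, and clear() nulls each pointer immediately after freeing it. Under ASan or Valgrind this version runs clean whether clear() is called zero, one or two times before destruction.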

@pts
Owner

pts commented Feb 27, 2018

Thank you for reporting this! I'm not able to reproduce this bug as of a6621e9. Valgrind doesn't print any errors:

==6510== 
==6510== HEAP SUMMARY:
==6510==     in use at exit: 0 bytes in 0 blocks
==6510==   total heap usage: 2,980 allocs, 2,980 frees, 372,737 bytes allocated
==6510== 
==6510== All heap blocks were freed -- no leaks are possible
==6510== 
==6510== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)
--6510-- 
--6510-- used_suppression:      2 glibc-2.5.x-on-SUSE-10.2-(PPC)-2a
==6510== 
==6510== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)

If you can reproduce this bug with the latest sam2p commit and Valgrind, please reopen this issue.

@pts pts closed this as completed Feb 27, 2018
pts pushed a commit that referenced this issue Feb 27, 2018