There is an invalid free in Mapping::DoubleHash::clear that leads to a segmentation fault in sam2p 0.49.4. A crafted input will lead to a denial of service attack.
Steps to Reproduce:
./sam2p 017-freenomalloc-mapping EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 017-freenomalloc-mapping
sam2p: Notice: writeTTT: using template: l23ind1
sam2p: Notice: applyProfile: applied OutputRule #9 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null
=================================================================
==20959==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x6020000082f0 in thread T0
#0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x431348 in Mapping::DoubleHash::clear() /root/sam2p_ASAN2/sam2p/mapping.cpp:197
#2 0x43150e in Mapping::DoubleHash15::~DoubleHash15() /root/sam2p_ASAN2/sam2p/mapping.cpp:305
#3 0x431558 in Mapping::DoubleHash15::~DoubleHash15() /root/sam2p_ASAN2/sam2p/mapping.cpp:307
#4 0x43f7ac in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:454
#5 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
#6 0x43f9d8 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.hpp:223
#7 0x43f9d8 in MiniPS::Array::free() /root/sam2p_ASAN2/sam2p/minips.cpp:376
#8 0x43f91f in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:222
#9 0x43f6ff in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:451
#10 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
#11 0x4043e6 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1103
#12 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
#13 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==20959==ABORTING
Thank you for reporting this! I'm not able to reproduce this bug as of a6621e9. Valgrind doesn't print any errors:
==6510==
==6510== HEAP SUMMARY:
==6510== in use at exit: 0 bytes in 0 blocks
==6510== total heap usage: 2,980 allocs, 2,980 frees, 372,737 bytes allocated
==6510==
==6510== All heap blocks were freed -- no leaks are possible
==6510==
==6510== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)
--6510--
--6510-- used_suppression: 2 glibc-2.5.x-on-SUSE-10.2-(PPC)-2a
==6510==
==6510== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)
If you can reproduce this bug with the latest sam2p commit and Valgrind, please reopen this issue.
There is an invalid free in Mapping::DoubleHash::clear that leads to a segmentation fault in sam2p 0.49.4. A crafted input will lead to a denial of service attack.
Steps to Reproduce:
POC file: https://github.com/fantasy7082/image_test/blob/master/017-freenomalloc-mapping