Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

It is a heap-buffer-overflow vulnerability in pcxLoadRaster(in in_pcx.cpp:496) #32

Closed
fantasy7082 opened this issue Feb 23, 2018 · 1 comment

Comments

@fantasy7082
Copy link

Hi, i found a heap-buffer-overflow vulnerability in the sam2p 0.49.4.
reason:

for (i=0; i<cnt; i++) {

*image++=(byte)b;

The crash happened in the pcxLoadRaster function of the file in_pcx.cpp in line 496.
the details are below(ASAN):

./sam2p 009-heap EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
=================================================================
==20994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000017a21 at pc 0x000000432a06 bp 0x7fffffffd6f0 sp 0x7fffffffd6e0
WRITE of size 1 at 0x62a000017a21 thread T0
    #0 0x432a05 in pcxLoadRaster /root/sam2p_ASAN2/sam2p/in_pcx.cpp:496
    #1 0x432a05 in pcxLoadImage8 /root/sam2p_ASAN2/sam2p/in_pcx.cpp:335
    #2 0x432a05 in LoadPCX /root/sam2p_ASAN2/sam2p/in_pcx.cpp:209
    #3 0x432a05 in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:533
    #4 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
    #5 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
    #6 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
    #7 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)

0x62a000017a21 is located 0 bytes to the right of 22561-byte region [0x62a000012200,0x62a000017a21)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
    #2 0x41df2a in operator new[](unsigned long) /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sam2p_ASAN2/sam2p/in_pcx.cpp:496 pcxLoadRaster
Shadow bytes around the buggy address:
  0x0c547fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fffaf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fffaf40: 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffaf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==20994==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/009-heap

@pts pts closed this as completed in 2ca32ec Feb 27, 2018
@pts
Copy link
Owner

pts commented Feb 27, 2018

Thank you for reporting this! Fixed in 2ca32ec.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants