There is a/an heap-buffer-overflow in function Image::Indexed::setTransp at image.cpp:563

[YourButterfly]

sam2p

version

sam2p 0.49.4

description

download link

https://github.com/pts/sam2p.git

---

DGifDecompressLine@cgif.c:1198-51___out-of-bounds-read

description

An issue was discovered in sam2p 0.49.4, There is a/an out-of-bounds-read in function DGifDecompressLine at cgif.c:1198-51

commandline

sam2p @@ try.bmp

source

None

bug report

This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==535==ERROR: AddressSanitizer: SEGV on unknown address 0x62afbebec1f6 (pc 0x0000005671d1 bp 0x7fff5703c4b0 sp 0x7fff5703c320 T0)
==535==The signal is caused by a READ memory access.
    #0 0x5671d0 in DGifDecompressLine(CGIF::GifFileType*, unsigned char*, int) /home/pwd/git-fuzz/sam2p/./cgif.c:1198:51
    #1 0x564ced in CGIF::DGifGetLine(CGIF::GifFileType*, unsigned char*, int) /home/pwd/git-fuzz/sam2p/./cgif.c:923:9
    #2 0x56b473 in CGIF::DGifSlurp(CGIF::GifFileType*) /home/pwd/git-fuzz/sam2p/./cgif.c:1500:9
    #3 0x56c1b0 in in_gif_reader(Image::Loader::UFD*, SimBuffer::Flat const&) /home/pwd/git-fuzz/sam2p/in_gif.cpp:60:108
    #4 0x61813a in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/pwd/git-fuzz/sam2p/image.cpp:1435:14
    #5 0x518bb5 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /home/pwd/git-fuzz/sam2p/sam2p_main.cpp:1046:27
    #6 0x5285b5 in main /home/pwd/git-fuzz/sam2p/sam2p_main.cpp:1147:10
    #7 0x7f1e1c6d482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x41add9 in _start (/src/aflbuild/installed/bin/sam2p+0x41add9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/git-fuzz/sam2p/./cgif.c:1198:51 in DGifDecompressLine(CGIF::GifFileType*, unsigned char*, int)
==535==ABORTING

others

from fuzz project pwd-sam2p-sam2p-01
crash name pwd-sam2p-sam2p-01-00000014-20190306.gif
Auto-generated by pyspider at 2019-03-06 10:23:09

Image::Indexed::setTransp@image.cpp:563-35___heap-buffer-overflow

description

An issue was discovered in sam2p 0.49.4, There is a/an heap-buffer-overflow in function Image::Indexed::setTransp at image.cpp:563-35

commandline

sam2p @@ 1.pdf

source

None

bug report

This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
=================================================================
==4183==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000043c0 at pc 0x0000005fcdc1 bp 0x7ffd2bf70b30 sp 0x7ffd2bf70b28
READ of size 1 at 0x60c0000043c0 thread T0
    #0 0x5fcdc0 in Image::Indexed::setTransp(unsigned char) /home/pwd/git-fuzz/sam2p/image.cpp:563:35
    #1 0x56c656 in in_gif_reader(Image::Loader::UFD*, SimBuffer::Flat const&) /home/pwd/git-fuzz/sam2p/in_gif.cpp:72:28
    #2 0x61813a in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/pwd/git-fuzz/sam2p/image.cpp:1435:14
    #3 0x518bb5 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /home/pwd/git-fuzz/sam2p/sam2p_main.cpp:1046:27
    #4 0x5285b5 in main /home/pwd/git-fuzz/sam2p/sam2p_main.cpp:1147:10
    #5 0x7f5cc964e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41add9 in _start (/src/aflbuild/installed/bin/sam2p+0x41add9)

Address 0x60c0000043c0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/git-fuzz/sam2p/image.cpp:563:35 in Image::Indexed::setTransp(unsigned char)
Shadow bytes around the buggy address:
  0x0c187fff8820: 00 00 00 00 00 00 00 03 fa fa fa fa fa fa fa fa
  0x0c187fff8830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff8870: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x0c187fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff88a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4183==ABORTING

others

from fuzz project pwd-sam2p-sam2p-01
crash name pwd-sam2p-sam2p-01-00000034-20190306.gif
Auto-generated by pyspider at 2019-03-06 18:39:22

poc.tar.gz

[YourButterfly]

failed to reproduce #38 (comment), but i found the other.

[pts]

These are 2 bug reports. I've split the 2nd one to #63.

[pts]

Thank you for reporting this! Fixed in cafd4b8.