Ubuntu
sam2p package

a heap-buffer-overflow vulnerability in LoadPCX (in in_pcx.cpp)

Bug #1751729 reported by Zhu Liu
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sam2p (Ubuntu)
New
Undecided
Unassigned

Bug Description

Package: sam2p
Version: 0.49.2 - 0.49.4
Source code:https://github.com/pts/sam2p

Details:
In function LoadPCX at in_pcx.cpp (Line 241,sam2p version:0.49.4):
Key code that causes crashes:
 for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;

Crash Information:
The output with address sanitizer enabled:

> ./sam2p 003-LoadPCX-heapover EPS: /dev/null
> This is sam2p 0.49.4.
> Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
> Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
> sam2p: Warning: PCX: PCX file appears to be truncated.
> sam2p: Warning: PCX: Error reading PCX colormap. Using grayscale.

> ==10136==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000ae9e at pc 0x0000004329f6 bp 0x7fffffffd6d0 sp 0x7fffffffd6c0
> WRITE of size 1 at 0x60b00000ae9e thread T0
> #0 0x4329f5 in LoadPCX /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241
> #1 0x4329f5 in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:533
> #2 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
> #3 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
> #4 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
> #5 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #6 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
>
> 0x60b00000ae9e is located 2 bytes to the right of 108-byte region [0x60b00000ae30,0x60b00000ae9c)
> allocated by thread T0 here:
> #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> #1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
> #2 0x41df2a in operator new[](unsigned long) /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241 LoadPCX
> Shadow bytes around the buggy address:
> 0x0c167fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95c0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
> =>0x0c167fff95d0: 00 00 00[04]fa fa fa fa fa fa fa fa 00 00 00 00
> 0x0c167fff95e0: 00 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa
> 0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 07
> 0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> ==10136==ABORTING

reference link:https://github.com/pts/sam2p/issues/18

See original description
Tags: security
Revision history for this message
Zhu Liu (fantasy70) wrote :
information type: Private Security → Public
Zhu Liu (fantasy70)
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.