Activity log for bug #1751729

Date | Who | What changed | Old value | New value | Message
2018-02-26 08:36:11 | Zhu Liu | bug | | | added bug
2018-02-26 08:36:11 | Zhu Liu | attachment added | | PoC File https://bugs.launchpad.net/bugs/1751729/+attachment/5063315/+files/003-LoadPCX-heapover |
2018-02-26 08:37:09 | Zhu Liu | information type | Private Security | Public |
2018-02-26 09:00:30 | Zhu Liu | description | (old value below) | (new value below) |

Description, old value (2018-02-26 09:00:30):

Package: sam2p
Version: 0.49.2 - 0.49.4
Source code: https://github.com/pts/sam2p
Details: In function LoadPCX at in_pcx.cpp (Line 241, sam2p version: 0.49.4):
Key code that causes crashes:
  for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
Crash Information:
The output with address sanitizer enabled:
> ./sam2p 003-LoadPCX-heapover EPS: /dev/null
> This is sam2p 0.49.4.
> Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
> Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
> sam2p: Warning: PCX: PCX file appears to be truncated.
> sam2p: Warning: PCX: Error reading PCX colormap. Using grayscale.
> ==10136==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000ae9e at pc 0x0000004329f6 bp 0x7fffffffd6d0 sp 0x7fffffffd6c0
> WRITE of size 1 at 0x60b00000ae9e thread T0
>     #0 0x4329f5 in LoadPCX /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241
>     #1 0x4329f5 in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:533
>     #2 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
>     #3 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
>     #4 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
>     #5 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #6 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
>
> 0x60b00000ae9e is located 2 bytes to the right of 108-byte region [0x60b00000ae30,0x60b00000ae9c)
> allocated by thread T0 here:
>     #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
>     #1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
>     #2 0x41df2a in operator new[](unsigned long) /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241 LoadPCX
> Shadow bytes around the buggy address:
>   0x0c167fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c167fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c167fff95c0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
> =>0x0c167fff95d0: 00 00 00[04]fa fa fa fa fa fa fa fa 00 00 00 00
>   0x0c167fff95e0: 00 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa
>   0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 07
>   0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
> ==10136==ABORTING

Description, new value (2018-02-26 09:00:30): identical to the old value above, with one line appended:

reference link: https://github.com/pts/sam2p/issues/18