Ubuntu
sam2p package

  1. Bug #1751729
  2. Comment #0

Comment 0 for bug 1751729

Revision history for this message
Zhu Liu (fantasy70) wrote :

Package: sam2p
Version: 0.49.2 - 0.49.4
Source code:https://github.com/pts/sam2p

Details:
In function LoadPCX at in_pcx.cpp (Line 241,sam2p version:0.49.4):
Key code that causes crashes:
 for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;

Crash Information:
The output with address sanitizer enabled:

> ./sam2p 003-LoadPCX-heapover EPS: /dev/null
> This is sam2p 0.49.4.
> Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
> Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
> sam2p: Warning: PCX: PCX file appears to be truncated.
> sam2p: Warning: PCX: Error reading PCX colormap. Using grayscale.

> ==10136==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000ae9e at pc 0x0000004329f6 bp 0x7fffffffd6d0 sp 0x7fffffffd6c0
> WRITE of size 1 at 0x60b00000ae9e thread T0
> #0 0x4329f5 in LoadPCX /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241
> #1 0x4329f5 in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:533
> #2 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
> #3 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
> #4 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
> #5 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #6 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
>
> 0x60b00000ae9e is located 2 bytes to the right of 108-byte region [0x60b00000ae30,0x60b00000ae9c)
> allocated by thread T0 here:
> #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> #1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
> #2 0x41df2a in operator new[](unsigned long) /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241 LoadPCX
> Shadow bytes around the buggy address:
> 0x0c167fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95c0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
> =>0x0c167fff95d0: 00 00 00[04]fa fa fa fa fa fa fa fa 00 00 00 00
> 0x0c167fff95e0: 00 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa
> 0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 07
> 0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> ==10136==ABORTING