Public bug reported:
Package: sam2p
Version: 0.49.2 - 0.49.4
Source code:https://github.com/pts/sam2p
Details:
In function LoadPCX at in_pcx.cpp (Line 241,sam2p version:0.49.4):
Key code that causes crashes:
for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
Crash Information:
The output with address sanitizer enabled:
> ./sam2p 003-LoadPCX-heapover EPS: /dev/null
> This is sam2p 0.49.4.
> Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
> Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM
> GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
> sam2p: Warning: PCX: PCX file appears to be truncated.
> sam2p: Warning: PCX: Error reading PCX colormap. Using grayscale.
> ==10136==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60b00000ae9e at pc 0x0000004329f6 bp 0x7fffffffd6d0 sp 0x7fffffffd6c0
> WRITE of size 1 at 0x60b00000ae9e thread T0
> #0 0x4329f5 in LoadPCX /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241
> #1 0x4329f5 in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:533
> #2 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&,
> char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
> #3 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const*
> const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
> #4 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
> #5 0x7ffff6ac082f in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #6 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
>
> 0x60b00000ae9e is located 2 bytes to the right of 108-byte region
> [0x60b00000ae30,0x60b00000ae9c)
> allocated by thread T0 here:
> #0 0x7ffff6f02602 in malloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> #1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
> #2 0x41df2a in operator new[](unsigned long)
> /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241 LoadPCX
> Shadow bytes around the buggy address:
> 0x0c167fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff95c0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
> =>0x0c167fff95d0: 00 00 00[04]fa fa fa fa fa fa fa fa 00 00 00 00
> 0x0c167fff95e0: 00 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa
> 0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 07
> 0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> ==10136==ABORTING
** Affects: sam2p (Ubuntu)
Importance: Undecided
Status: New
** Tags: security
** Attachment added: "PoC File"
https://bugs.launchpad.net/bugs/1751729/+attachment/5063315/+files/003-LoadPCX-heapover
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1751729
Title:
a heap-buffer-overflow vulnerability in LoadPCX (in in_pcx.cpp)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sam2p/+bug/1751729/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
