DentonW / DevIL

Developer's Image Library (DevIL) is a cross-platform image library utilizing a simple syntax to load, save, convert, manipulate, filter, and display a variety of images with ease. It is highly portable and has been ported to several platforms.
http://openil.sourceforge.net/
GNU Lesser General Public License v2.1

Invalid read / SIGSEGV #62

Open stze opened 7 years ago

stze commented 7 years ago

The following sample file crashes libdevil. The bug was found using examples/simple_example/simple.c with the sample file as input. The sample input file was fuzzed with american fuzzy lop (http://lcamtuf.coredump.cx/afl/).

Sample file hexdump:

00000000  00 0c 01 01 00 01 40 00  fe ff ff ff ff 80 1b ff  |......@.........|
00000010  0f ec ec ec 00 43 01 fc  ff fd 00 6d 00 0b 08 00  |.....C.....m....|
00000020  00 80 12 16 fe 01 ec 00  02 ff 0c 22 e7 e7 02 00  |..........."....|
00000030  00 01 fc e3 7f ff ff 14  16 fe 01 ec ff 00 0b 08  |................|
00000040  00 00 02 00 83 05 00 00  40 20 ff 7f 12 00 00 00  |........@ ......|
00000050  24 01 ec ff 00 0b 08 00  00 ec 01 01 00 00 00 00  |$...............|
00000060  00 00 00 0c 08 00 00 00  20 ec 01 ed 0a f4 ff 00  |........ .......|
00000070  80 00 ff ff ff 0c 00 14  02 00 83 0c 00 00 40 00  |..............@.|
00000080  00 9d 12 16 fe 01 ec ff  ff ff 0c 72 ef db 00 43  |...........r...C|
00000090  00 01 ec 01 ed 0a f4 ff  0c 00 00 ff ff ff 00     |...............|
0000009f

How to reproduce:

# clang -o simple examples/simple_example/simple.c -lIL -lILU -lILUT
# ./simple <sample-file>

gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73dd49f in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff73dd49f in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
#1  0x00007ffff78b2f6f in iFlipNewBuffer () from build/lib/x64/libIL.so
#2  0x00007ffff78b3090 in iGetFlipped () from build/lib/x64/libIL.so
#3  0x00007ffff78d59d1 in iSaveTargaInternal() () from build/lib/x64/libIL.so
#4  0x00007ffff78d5486 in ilSaveTargaF () from build/lib/x64/libIL.so
#5  0x00007ffff78d5418 in ilSaveTarga () from build/lib/x64/libIL.so
#6  0x00007ffff78ad961 in ilSaveImage () from build/lib/x64/libIL.so
#7  0x00000000004011c1 in main (argc=2, argv=0x7fffffffe5c8) at examples/simple_example/simple.c:83

valgrind:

==25690== Memcheck, a memory error detector
==25690== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==25690== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==25690== Command: build/lib/x64/simple findings/crashes/id:000002,sig:11,src:000008+000007,op:splice,rep:128
==25690== 
Width: 33023  Height: 65307  Depth: 1  Bpp: 16
==25690== Invalid read of size 8
==25690==    at 0x4C319BE: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50AEF6E: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690==  Address 0xb6e9810 is 6 bytes after a block of size 18,298,826 alloc'd
==25690==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50752A4: DefaultAllocFunc(unsigned long) (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5075193: ialloc (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091B77: ilInitImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091FE3: ilTexImage_ (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091E62: ilTexImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0933: iReadColMapTga(TARGAHEAD*) (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0764: iLoadTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0675: ilLoadTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D061C: ilLoadTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A7475: ilLoad (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A8314: ilLoadImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690== 
==25690== Invalid read of size 8
==25690==    at 0x4C319B0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50AEF6E: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690==  Address 0xb6e9820 is 22 bytes after a block of size 18,298,826 alloc'd
==25690==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50752A4: DefaultAllocFunc(unsigned long) (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5075193: ialloc (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091B77: ilInitImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091FE3: ilTexImage_ (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091E62: ilTexImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0933: iReadColMapTga(TARGAHEAD*) (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0764: iLoadTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0675: ilLoadTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D061C: ilLoadTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A7475: ilLoad (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A8314: ilLoadImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690== 
==25690== Invalid write of size 8
==25690==    at 0x4C319B3: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50AEF6E: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690==  Address 0xb6e9808 is 18,298,824 bytes inside a block of size 18,298,826 alloc'd
==25690==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50752A4: DefaultAllocFunc(unsigned long) (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5075193: ialloc (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091B77: ilInitImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091FE3: ilTexImage_ (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5091E62: ilTexImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0933: iReadColMapTga(TARGAHEAD*) (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0764: iLoadTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D0675: ilLoadTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D061C: ilLoadTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A7475: ilLoad (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A8314: ilLoadImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690== 
==25690== Invalid write of size 2
==25690==    at 0x4C31A0B: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50AEF6E: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690==  Address 0xa568660 is 4,016,496 bytes inside an unallocated block of size 4,072,176 in arena "client"
==25690== 
==25690== Invalid read of size 2
==25690==    at 0x4C31A17: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50AEF6E: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690==  Address 0xc85d80a is 0 bytes after a block of size 18,298,826 alloc'd
==25690==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50752A4: DefaultAllocFunc(unsigned long) (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5075193: ialloc (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AEECE: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690== 
==25690== Invalid read of size 2
==25690==    at 0x4C31A08: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50AEF6E: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690==  Address 0xc85d80e is 4 bytes after a block of size 18,298,826 alloc'd
==25690==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50752A4: DefaultAllocFunc(unsigned long) (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x5075193: ialloc (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AEECE: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690== 
==25690== 
==25690== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25690==  Access not within mapped region at address 0xC85E000
==25690==    at 0x4C31A17: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25690==    by 0x50AEF6E: iFlipNewBuffer (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50AF08F: iGetFlipped (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D19D0: iSaveTargaInternal() (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1485: ilSaveTargaF (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50D1417: ilSaveTarga (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x50A9960: ilSaveImage (in /tmp/DevIL/build/lib/x64/libIL.so.1)
==25690==    by 0x4011C0: main (simple.c:83)
==25690==  If you believe this happened as a result of a stack
==25690==  overflow in your program's main thread (unlikely but
==25690==  possible), you can try to increase the size of the
==25690==  main thread stack using the --main-stacksize= flag.
==25690==  The main thread stack size used in this run was 8388608.
==25690== 
==25690== HEAP SUMMARY:
==25690==     in use at exit: 36,625,226 bytes in 96 blocks
==25690==   total heap usage: 105 allocs, 9 frees, 36,712,348 bytes allocated
==25690== 
==25690== LEAK SUMMARY:
==25690==    definitely lost: 0 bytes in 0 blocks
==25690==    indirectly lost: 0 bytes in 0 blocks
==25690==      possibly lost: 160 bytes in 2 blocks
==25690==    still reachable: 36,625,066 bytes in 94 blocks
==25690==         suppressed: 0 bytes in 0 blocks
==25690== Rerun with --leak-check=full to see details of leaked memory
==25690== 
==25690== For counts of detected and suppressed errors, rerun with: -v
==25690== ERROR SUMMARY: 8718 errors from 6 contexts (suppressed: 0 from 0)
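The block size in the valgrind output is consistent with a 32-bit wrap of the image size: 33023 × 65307 × 2 bytes = 4,313,266,122, which modulo 2^32 is exactly 18,298,826. The following is an added example, not DevIL's code: it reproduces that arithmetic with the report's header values and shows the overflow-checked size computation a loader needs before allocating the pixel buffer (function names are hypothetical; it assumes the size is computed as width × height × bytes-per-pixel in a 32-bit unsigned integer).

```c
/* Added example (not DevIL's own code). Assumption: the loader stores the
 * pixel-buffer size in a 32-bit unsigned integer and computes it as
 * width * height * bytes_per_pixel without checking for overflow. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked 32-bit product: wraps modulo 2^32 for large dimensions, so a
 * far-too-small buffer gets allocated and later row copies run past it. */
uint32_t unchecked_image_size(uint32_t width, uint32_t height, uint32_t bytes_pp)
{
    return width * height * bytes_pp;
}

/* Overflow-checked size. Returns false (and leaves *out untouched) when any
 * dimension is zero or the true product does not fit in 32 bits. The
 * multiplication is done in 64 bits and checked after each step. */
bool checked_image_size(uint32_t width, uint32_t height, uint32_t bytes_pp,
                        uint32_t *out)
{
    uint64_t size;
    if (width == 0 || height == 0 || bytes_pp == 0)
        return false;
    size = (uint64_t)width * height;
    if (size > UINT32_MAX)
        return false;
    size *= bytes_pp;
    if (size > UINT32_MAX)
        return false;
    *out = (uint32_t)size;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
uint32_t checked_image_size_or_zero(uint32_t width, uint32_t height, uint32_t bytes_pp)
{
    uint32_t size = 0;
    return checked_image_size(width, height, bytes_pp, &size) ? size : 0;
}

int main(void)
{
    /* Header values from the report: Width 33023, Height 65307, Bpp 16 (2 bytes). */
    uint32_t w = 33023, h = 65307, bpp = 2;
    printf("unchecked size: %u bytes\n", unchecked_image_size(w, h, bpp));
    printf("checked size:   %u (0 = header rejected)\n",
           checked_image_size_or_zero(w, h, bpp));
    return 0;
}
```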