Open EnchantedJohn opened 6 years ago
(gdb) bt
Then I will provide the ASAN data:
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
==195378==WARNING: AddressSanitizer failed to allocate 0x0053ffffffbc bytes
==195378==AddressSanitizer's allocator is terminating the process instead of returning 0
==195378==If you don't like this behavior set allocator_may_return_null=1
==195378==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
#1 0x7f463a9b4cd3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5dcd3)
#2 0x7f463a970831 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x19831)
#3 0x7f463a9b3531 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5c531)
#4 0x7f463a9ac107 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x55107)
#5 0x4e3a45 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
#6 0x4e3a45 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:488
#7 0x4e3a45 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
#8 0x4e3a45 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:185
#9 0x4e3a45 in _Vector_base /usr/include/c++/4.9/bits/stl_vector.h:136
#10 0x4e3a45 in vector /usr/include/c++/4.9/bits/stl_vector.h:291
#11 0x4e3a45 in Plane image/image.hpp:231
#12 0x4e3a45 in std::unique_ptr<Plane<unsigned char>, std::default_delete<Plane<unsigned char> > > make_unique<Plane<unsigned char>, unsigned long&, unsigned long&, int, int&>(unsigned long&, unsigned long&, int&&, int&) image/image.hpp:159
#13 0x4e8582 in Image::real_init(bool) image/image.hpp:728
#14 0x4f6c65 in Image::init(unsigned int, unsigned int, int, int, int) image/image.hpp:687
#15 0x4f6c65 in image_load_pnm(char const*, Image&) image/image-pnm.cpp:75
#16 0x4c3dea in Image::load(char const*, metadata_options&) image/image.cpp:54
#17 0x4a25b2 in encode_load_input_images(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:230
#18 0x4b30d4 in handle_encode(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:356
#19 0x408c14 in main /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:763
#20 0x7f4639e5ff44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#21 0x49f14f (/home/lx/5_7/ASAN/FLIF-master/src/flif+0x49f14f)
gdb-peda$ x/x 0x0053ffffffbc
0x53ffffffbc: Cannot access memory at address 0x53ffffffbc
Then I used gdb to access 0x0053ffffffbc, but I can't. Then I read image-pnm.cpp and found the reason for this error. I think it is a buffer overflow.
CVE-2018-10971 has been assigned for this issue (not requested by me).
@EnchantedJohn include a sample PoC file in this issue, e.g. inside a zip file.
Thanks, I will close it.
@EnchantedJohn You have misunderstood something. You should not close these issue reports before they have been fixed.
I used the AFL tool to find the bug in the image_load_pnm() method. The error is:
Starting program: /home/lx/5_7/flif/flif/src/flif -e id\:000003\,sig\:11\,src\:000049\,op\:havoc\,rep\:2 test6.flif
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
Error: could not allocate enough memory for image buffer.
Program received signal SIGSEGV, Segmentation fault.
0x00000000004ac45a in set (x=, c=, r=0, p=0, this=0x7fffffffdfb0) at image/image.hpp:906
906 planes[p]->set(r,c,x);
The following is the gdb stack.
Then the following are gdb's instructions and registers:
(gdb) x/i $pc
=> 0x4ac45a <image_load_pnm(char const*, Image&)+5210>: mov (%rdi),%r10
(gdb) i r
rax 0xffffffff 4294967295
rbx 0xffffffff 4294967295
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0x0 0
rbp 0x1 0x1
rsp 0x7fffffffdd90 0x7fffffffdd90
r8 0x7ffff7fca780 140737353918336
r9 0x7461636f6c6c6120 8386093311352135968
r10 0x7fffffffdb50 140737488345936
r11 0x246 582
r12 0x0 0
r13 0x80 128
r14 0x7fffffffdfb0 140737488347056
r15 0xfffffe44 4294966852
rip 0x4ac45a 0x4ac45a <image_load_pnm(char const*, Image&)+5210>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
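The allocation request in the ASAN trace above (0x0053ffffffbc bytes for a single plane) comes from the dimensions read out of the PNM header, and the crash at image.hpp:906 follows once that allocation has failed. The defensive fix is to bound width*height before any plane is allocated. The following is an added example of such a header check in C++, not FLIF's own code: the kMaxPixels budget is an assumed policy value, and the parser ignores PNM `#` comments and the P7/PAM header for brevity.

```cpp
#include <cstdint>
#include <sstream>
#include <string>

struct PnmHeader { std::string magic; uint64_t width = 0, height = 0, maxval = 0; };

// Pixel budget this example is willing to allocate for (assumed policy value, tunable).
constexpr uint64_t kMaxPixels = 1ull << 30;

// Parse one unsigned decimal token, rejecting sign characters, garbage and overflow.
static bool parse_dim(const std::string& tok, uint64_t& out) {
    if (tok.empty() || tok.size() > 18) return false;   // 18 digits always fits uint64_t
    uint64_t v = 0;
    for (char c : tok) {
        if (c < '0' || c > '9') return false;
        v = v * 10 + static_cast<uint64_t>(c - '0');
    }
    out = v;
    return true;
}

// Returns true only if the header parses cleanly and width*height fits the budget,
// so the plane allocation that follows can never be asked for a huge size.
bool parse_pnm_header(const std::string& data, PnmHeader& out) {
    std::istringstream in(data);
    std::string w, h, m;
    if (!(in >> out.magic >> w >> h) || out.magic.size() != 2 || out.magic[0] != 'P') return false;
    if (!parse_dim(w, out.width) || !parse_dim(h, out.height)) return false;
    if (out.width == 0 || out.height == 0) return false;
    // Overflow-safe form of width * height <= kMaxPixels (no multiplication performed).
    if (out.width > kMaxPixels / out.height) return false;
    // P1/P4 bitmaps carry no maxval; the other variants must give one in [1, 65535].
    if (out.magic[1] != '1' && out.magic[1] != '4') {
        if (!(in >> m) || !parse_dim(m, out.maxval)) return false;
        if (out.maxval == 0 || out.maxval > 65535) return false;
    }
    return true;
}

// Convenience wrapper: does this (constructed) header pass the check?
bool pnm_header_ok(const std::string& data) {
    PnmHeader hdr;
    return parse_pnm_header(data, hdr);
}
```

A header that fails the check should be rejected before Image::init is ever called, so the "could not allocate enough memory" path and the later write through an unallocated plane are never reached.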