Open EnchantedJohn opened 6 years ago
(gdb) bt
(gdb) i r
rax 0x0 0
rbx 0x0 0
rcx 0xd05130 13652272
rdx 0x3 3
rsi 0x0 0
rdi 0xd05eb0 13655728
rbp 0x7 0x7
rsp 0x7fffffff9b60 0x7fffffff9b60
r8 0x7fffffff9ba0 140737488329632
r9 0x34181a 3414042
r10 0x341819 3414041
r11 0x3 3
r12 0x0 0
r13 0xd05ee8 13655784
r14 0xd05eb0 13655728
r15 0x0 0
rip 0x597e80 0x597e80 <TransformPaletteC
(gdb) x/8i $pc
=> 0x597e80 <TransformPaletteC
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
==162752==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000eea0 at pc 0x5c36e2 bp 0x7fff2a55cb00 sp 0x7fff2a55caf8
WRITE of size 4 at 0x60300000eea0 thread T0
#1 0x72e7d8 in bool flif_encode<FileIO>(FileIO&, std::vector<Image, std::allocator<Image> >&, std::vector<std::string, std::allocator<std::string> > const&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif-enc.cpp:914
#2 0x4acaf5 in encode_flif(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:344
#3 0x408c14 in main /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:763
#4 0x7f130a216f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#5 0x49f14f (/home/lx/5_7/ASAN/FLIF-master/src/flif+0x49f14f)
0x60300000eea0 is located 16 bytes inside of 32-byte region [0x60300000ee90,0x60300000eeb0) freed by thread T0 here:
#1 0x50591a in __gnu_cxx::new_allocator<std::pair<int, int> >::deallocate(std::pair<int, int>*, unsigned long) /usr/include/c++/4.9/ext/new_allocator.h:110
#2 0x50591a in std::allocator_traits<std::allocator<std::pair<int, int> > >::deallocate(std::allocator<std::pair<int, int> >&, std::pair<int, int>*, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:514
#3 0x50591a in std::_Vector_base<std::pair<int, int>, std::allocator<std::pair<int, int> > >::_M_deallocate(std::pair<int, int>*, unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:178
#4 0x50591a in ~_Vector_base /usr/include/c++/4.9/bits/stl_vector.h:160
#5 0x50591a in ~vector /usr/include/c++/4.9/bits/stl_vector.h:425
#6 0x50591a in getRanges(Image const&) image/color_range.cpp:8
previously allocated by thread T0 here:
#1 0x5076aa in __gnu_cxx::new_allocator<std::pair<int, int> >::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
#2 0x5076aa in std::allocator_traits<std::allocator<std::pair<int, int> > >::allocate(std::allocator<std::pair<int, int> >&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:488
#3 0x5076aa in std::_Vector_base<std::pair<int, int>, std::allocator<std::pair<int, int> > >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
#4 0x5076aa in void std::vector<std::pair<int, int>, std::allocator<std::pair<int, int> > >::_M_emplace_back_aux<std::pair<int, int> >(std::pair<int, int>&&) /usr/include/c++/4.9/bits/vector.tcc:412
#5 0x60200000eddf (+0xeddf)
SUMMARY: AddressSanitizer: heap-use-after-free transform/palette_C.hpp:130 TransformPaletteC
CVE-2018-10972 has been assigned for this issue (not requested by me).
@EnchantedJohn include sample PoC file to this issue e.g. inside zip file.
@jonsneyers FLIF is marked for autoremoval from Debian testing on Sat 09 Jun 2018 as this is considered a grave security issue...
Thanks, guys, I will close this issue.
Err what @EnchantedJohn. Why did you close this? This is not fixed.
What? The problem is still there on openSUSE Tumbleweed. If you don't plan on fixing this and the other security issues, please tell for I need to know how to proceed.
@luigino I don't think that upstream has commented on this case. This should be reopened and fixed. I personally don't have skills to create a PR.
@fgeek right, sorry. @EnchantedJohn why did you close this?
@jonsneyers If these issues (#503, #501, #509, #505, #504, #502 and others from @EnchantedJohn, plus #498) can't be addressed in the short term, I'll have to pull FLIF from Debian for the moment. The bugs are grave, and without fixing them the package won't make it to Debian testing (or stable) anyway. This doesn't mean the package can't be made part of Debian again in the future, after bringing it in better shape. I prefer to pull it before any other package sets a dependency on it.
@paride I don't think the developer cares. Anyway the package was pulled from openSUSE as well.
The third error is also a segmentation fault. I also use AFL tools. The error is:
Starting program: /home/lx/5_7/flif/flif/src/flif -e crashes/id\:000010\,sig\:11\,src\:000110\,op\:havoc\,rep\:2 test5.flif --overwrite
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
Program received signal SIGSEGV, Segmentation fault. TransformPaletteC::save (this=, srcRanges=0xd05eb0, rac=...) at transform/palette_C.hpp:156
156 coder.write_int(0, srcRanges->max(p)-min-remaining, CPalette_vector[p][i]-min);