FLIF-hub / FLIF

Free Lossless Image Format

ERROR: AddressSanitizer: SEGV on unknown address 0x61f00002ec7c #506

Open EnchantedJohn opened 6 years ago

EnchantedJohn commented 6 years ago

I found another bug in FLIF.

The error is:

Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
ASAN:SIGSEGV
==91270==ERROR: AddressSanitizer: SEGV on unknown address 0x61f00002ec7c (pc 0x0000005c35fd sp 0x7ffff4203c00 bp 0x7ffff4203d60 T0)
    #0 0x5c35fc in TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&) transform/palette_C.hpp:130
    #1 0x72e7d8 in bool flif_encode<FileIO>(FileIO&, std::vector<Image, std::allocator<Image> >&, std::vector<std::string, std::allocator<std::string> > const&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif-enc.cpp:914
    #2 0x4acaf5 in encode_flif(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:344
    #3 0x408c14 in main /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:763
    #4 0x7fb8c0c43f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x49f14f (/home/lx/5_7/ASAN/FLIF-master/src/flif+0x49f14f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV transform/palette_C.hpp:130 TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)
==91270==ABORTING

EnchantedJohn commented 6 years ago

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x1
RBX: 0x7f7f
RCX: 0xd17540 --> 0x0
RDX: 0x0
RSI: 0x0
RDI: 0xd16980 --> 0x0
RBP: 0xce8690 --> 0x4b8d40 (<StaticColorRanges::~StaticColorRanges()>: lea rsp,[rsp-0x98])
RSP: 0x7fffffffdb70 --> 0xd16968 --> 0x0
RIP: 0x54d222 (<TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3810>: mov DWORD PTR [r11+rbx*4],edx)
R8 : 0x2
R9 : 0x7ffff76837b8 --> 0xd17570 --> 0x0
R10: 0xd16960 --> 0xfeff00007f7f
R11: 0xd16980 --> 0x0
R12: 0xd16878 --> 0xd16960 --> 0xfeff00007f7f
R13: 0x7fffffffdbc0 --> 0x7fffffffe010 --> 0xd16550 --> 0xd05118 ("Channel_Compact")
R14: 0x7fffffffdbbc --> 0xffffe01000007f7f
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x54d218 <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3800>: movsxd rbx,DWORD PTR [r10+rax*4]
   0x54d21c <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3804>: lea eax,[rdx+0x1]
   0x54d21f <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3807>: cmp rax,r8
=> 0x54d222 <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3810>: mov DWORD PTR [r11+rbx*4],edx
   0x54d226 <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3814>: mov rdx,rax
   0x54d229 <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3817>: jb 0x54d1dd <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3741>
   0x54d22b <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3819>: nop
   0x54d22c <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)+3820>: lea rsp,[rsp-0x98]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdb70 --> 0xd16968 --> 0x0
0008| 0x7fffffffdb78 --> 0xd16878 --> 0xd16960 --> 0xfeff00007f7f
0016| 0x7fffffffdb80 --> 0x4c97b0 (<TransformPaletteC::init(ColorRanges const*)>: lea rsp,[rsp-0x98])
0024| 0x7fffffffdb88 --> 0x7fffffffdbc8 --> 0x7fff00000000
0032| 0x7fffffffdb90 --> 0xd16901 --> 0x0
0040| 0x7fffffffdb98 --> 0xd16840 --> 0xce8690 --> 0x4b8d40 (<StaticColorRanges::~StaticColorRanges()>: lea rsp,[rsp-0x98])
0048| 0x7fffffffdba0 --> 0xd164b8 --> 0x31 ('1')
0056| 0x7fffffffdba8 --> 0x7fffffffe0e0 --> 0xd16400 --> 0xd05670 --> 0xce8410 --> 0x48de90 (<Plane::set(unsigned long, unsigned long, int)>: lea rsp,[rsp-0x98])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000054d222 in TransformPaletteC::process (this=, srcRanges=0xd16840, images=std::vector of length 1, capacity 1 = {...}) at transform/palette_C.hpp:130
130         for (unsigned int i=0; i<CPalette_vector[p].size(); i++) CPalette_inv_vector[p][CPalette_vector[p][i]]=i;

fouzhe commented 6 years ago

Could you please attach the input file and tell me the FLIF version?

hongxuchen commented 6 years ago

The PoC file we found: palette_C.hpp:130.txt

EnchantedJohn commented 6 years ago

@fouzhe FLIF's version is: FLIF (Free Lossless Image Format) 0.3 [28 April 2017]

fgeek commented 6 years ago

Also reproduced in aad2083c2508902f971b7a2aa2564eac2dbc6e3f and minimized with afl-tmin.

python3 -c "print ('P6\n5\n5050\n5050')" > flif-issue-506.txt
./flif --overwrite flif-issue-506.txt out.png

==19477==ERROR: AddressSanitizer: SEGV on unknown address 0x62a00002bffc (pc 0x5628a8616494 bp 0x7fffc813bca0 sp 0x7fffc813bac0 T0)
    #0 0x5628a8616493 in TransformPaletteC<FileIO>::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&) transform/palette_C.hpp:130
    #1 0x5628a8759020 in bool flif_encode<FileIO>(FileIO&, std::vector<Image, std::allocator<Image> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, flif_options&) ./src/flif-enc.cpp:914
    #2 0x5628a8519f74 in encode_flif(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) ./src/flif.cpp:344
    #3 0x5628a84896de in main ./src/flif.cpp:763
    #4 0x7f78430d62e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x5628a850bfa9 in _start (./src/flif+0xa1fa9)
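The two points a reviewer would take from this thread are the shape of the faulting statement on palette_C.hpp:130 (an inverse-palette store indexed directly by a palette value, with the gdb dump showing 0x7f7f in RBX as that index) and the shape of the afl-tmin PoC (a P6 header declaring 5x5050 pixels with maxval 5050, followed by no raster bytes at all). The following is an added example written for this page, not FLIF's own code and not a patch to it: it shows a PNM header check that rejects the PoC before any transform runs, and the inverse-palette build with the bounds check the crashing store lacks. All names, the sizing of the inverse table as maxval+1, and the sample palette are assumptions of this illustration.

```c
/* Added example for this thread, not FLIF's own code. It shows two checks
 * around the crash reported above:
 *  (1) a PNM header check that rejects the afl-tmin PoC, a P6 header declaring
 *      5x5050 pixels with maxval 5050 and not a single raster byte, and
 *  (2) the inverse-palette build whose shape appears at palette_C.hpp:130
 *      (inv[pal[i]] = i) with the bounds check that the faulting store lacks.
 * The sizing of the inverse table as maxval+1, the sample palette and all
 * names are assumptions of this illustration; 0x7f7f is the value in RBX in
 * the gdb dump above, i.e. the index the crashing store used. */
#include <stdint.h>
#include <stdio.h>

typedef int32_t ColorVal;

struct pnm_header { long width, height, maxval; size_t data_offset; };

/* Read one decimal field after optional whitespace. Fields are capped so the
 * later size arithmetic cannot overflow. Returns 0 on success, -1 otherwise. */
static int read_num(const unsigned char *buf, size_t len, size_t *pos, long *out) {
    while (*pos < len && (buf[*pos] == ' ' || buf[*pos] == '\n' ||
                          buf[*pos] == '\r' || buf[*pos] == '\t'))
        (*pos)++;
    if (*pos >= len || buf[*pos] < '0' || buf[*pos] > '9') return -1;
    long v = 0;
    while (*pos < len && buf[*pos] >= '0' && buf[*pos] <= '9') {
        if (v > 100000000L) return -1;            /* absurd dimension */
        v = v * 10 + (buf[*pos] - '0');
        (*pos)++;
    }
    *out = v;
    return 0;
}

/* Parse "P6 <width> <height> <maxval>" (comments not supported) and require
 * the whole raster to be present in buf. Returns 0 on success, -1 otherwise. */
static int parse_p6(const unsigned char *buf, size_t len, struct pnm_header *h) {
    if (len < 2 || buf[0] != 'P' || buf[1] != '6') return -1;
    size_t pos = 2;
    long v[3];
    for (int i = 0; i < 3; i++)
        if (read_num(buf, len, &pos, &v[i]) != 0 || v[i] <= 0) return -1;
    if (v[2] > 65535 || pos >= len) return -1;    /* PNM maxval limit; EOF */
    pos++;                       /* one whitespace byte precedes the raster */
    uint64_t bps = v[2] > 255 ? 2 : 1;            /* bytes per sample */
    uint64_t need = (uint64_t)v[0] * (uint64_t)v[1] * 3 * bps; /* capped fields: no overflow */
    if ((uint64_t)(len - pos) < need) return -1;  /* truncated raster: reject */
    h->width = v[0]; h->height = v[1]; h->maxval = v[2]; h->data_offset = pos;
    return 0;
}

/* inv[pal[i]] = i, as on palette_C.hpp:130, but validated first: any palette
 * entry outside [0, inv_len) returns -1 and leaves inv untouched, instead of
 * storing 4 bytes at inv + 4*entry wherever that happens to land. */
static int build_inverse_palette(const ColorVal *pal, size_t n,
                                 int32_t *inv, size_t inv_len) {
    for (size_t i = 0; i < n; i++)
        if (pal[i] < 0 || (uint64_t)pal[i] >= inv_len) return -1;
    for (size_t i = 0; i < inv_len; i++) inv[i] = -1;   /* -1: not in palette */
    for (size_t i = 0; i < n; i++) inv[pal[i]] = (int32_t)i;
    return 0;
}

/* The PoC bytes from this thread, reconstructed from the python3 one-liner. */
static const unsigned char POC[] = "P6\n5\n5050\n5050\n";
/* A constructed, well-formed 2x1 8-bit P6 image for contrast. */
static const unsigned char GOOD[] = "P6 2 1 255\n\x01\x02\x03\x04\x05\x06";

int check_poc_header(void)  { struct pnm_header h; return parse_p6(POC, sizeof POC - 1, &h); }
int check_good_header(void) { struct pnm_header h; return parse_p6(GOOD, sizeof GOOD - 1, &h); }

/* Inverse table sized maxval+1 for the PoC's maxval 5050 (assumption); the
 * constructed palette carries 0x7f7f, far beyond that table. */
int check_bad_palette(void) {
    static int32_t inv[5051];
    const ColorVal pal[] = { 0, 0x7f7f };
    return build_inverse_palette(pal, 2, inv, 5051);
}

int check_good_palette(void) {
    int32_t inv[8];
    const ColorVal pal[] = { 5, 2, 7 };
    if (build_inverse_palette(pal, 3, inv, 8) != 0) return -1;
    return (inv[5] == 0 && inv[2] == 1 && inv[7] == 2 && inv[0] == -1) ? 0 : -1;
}

int main(void) {
    printf("PoC header:   %s\n", check_poc_header()  == 0 ? "accepted" : "rejected (raster missing)");
    printf("good header:  %s\n", check_good_header() == 0 ? "accepted" : "rejected");
    printf("bad palette:  %s\n", check_bad_palette() == 0 ? "built" : "rejected (entry out of range)");
    printf("good palette: %s\n", check_good_palette() == 0 ? "built" : "rejected");
    return 0;
}
```

The header check refuses input whose declared raster is larger than the bytes actually present, which is exactly what the minimized PoC is; the palette check validates every entry against the inverse table before the first store, so a bad palette fails cleanly rather than leaving the table half-written.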