cacalabs / libcaca

💩 Colour ASCII Art Library
Do What The F*ck You Want To Public License

[Bug] Integer overflow on the return value after _caca_alloc2d() call #67

Open tin-z opened 2 years ago

tin-z commented 2 years ago

Describe the bug

If the project is compiled for a 64-bit system and the configure flag `--disable-imlib2` was given, then the pointer returned from the `_caca_alloc2d()` call in `load_image()` at `common-image.c` is truncated to 32-bit with sign extension, later causing a SEGV when writing to an invalid memory area.

https://github.com/cacalabs/libcaca/blob/f42aa68fc798db63b7b2a789ae8cf5b90b57b752/src/common-image.c#L163-L173

System info:


Steps to reproduce the behavior


Output

```
Segmentation fault (core dumped)
```

```
Breakpoint 1, load_image (name=0x7fffffffe771 "POC") at common-image.c:35
35      {
(gdb) b _caca_alloc2d
Breakpoint 2 at 0x55555555bff0: file caca.c, line 288.
(gdb) c
Continuing.

Breakpoint 2, _caca_alloc2d (width=1, height=59968, elem_size=32) at caca.c:288
288     {
(gdb) finish
Run till exit from #0  _caca_alloc2d (width=1, height=59968, elem_size=32) at caca.c:288
0x000055555555b563 in load_image (name=) at common-image.c:164
164         im->pixels = _caca_alloc2d(im->w, im->h, depth);
Value returned is $1 = (void *) 0x7ffff6ef6010
(gdb) x/2i $rip
=> 0x55555555b563 <load_image+995>:     movslq %eax,%rdi      <------------ [0] here wrong conversion
   0x55555555b566 <load_image+998>:     mov    %rdi,(%r14)
(gdb) p/x $rax
$2 = 0x7ffff6ef6010
(gdb) p/x $rdi
$3 = 0x0
(gdb) si
0x000055555555b566      164         im->pixels = _caca_alloc2d(im->w, im->h, depth);
(gdb) p/x $rax
$4 = 0x7ffff6ef6010
(gdb) p/x $rdi                                                <------------ [1]
$5 = 0xfffffffff6ef6010

(gdb) b memset
Breakpoint 3 at 0x55555555b57a: memset. (2 locations)
(gdb) c
Continuing.

Breakpoint 3, 0x000055555555b57a in memset (__len=, __ch=, __dest=) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
71        return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
(gdb) p/x $rdi
$6 = 0xfffffffff6ef6010
(gdb) x/x $rdi
0xfffffffff6ef6010:     Cannot access memory at address 0xfffffffff6ef6010
(gdb) c
Continuing.

Breakpoint 3, __memset_avx2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:167
167     ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S: No such file or directory.
(gdb)
```



[POC](https://github.com/tin-z/Stuff_and_POCs/blob/main/poc_libcaca/POC)
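The following C program is an added illustration of the conversion marked `[0]`/`[1]` in the gdb session above; it is not part of the report and not libcaca code. `movslq %eax,%rdi` discards the upper 32 bits of the 64-bit return value in `%rax` and sign-extends the low half into the pointer register, which is the sequence a compiler emits when it converts a 32-bit `int` result into a 64-bit pointer (for example when the callee is declared, or implicitly assumed, to return `int`). The report only shows the conversion, not its cause, so the program models the arithmetic on address values rather than reproducing the allocation: `truncate_via_int()` and `pointer_corrupted()` are hypothetical helper names, and the address `0x7ffff6ef6010` is the one printed as `$1` in the session while the other inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example modelling the conversion seen in the report, not libcaca code.
 * movslq %eax,%rdi keeps only the low 32 bits of the returned pointer value
 * and sign-extends them to 64 bits.  This function performs exactly that
 * transformation on an address given as an integer, using explicit bit
 * operations so the behaviour is portable and easy to follow.
 */
uint64_t truncate_via_int(uint64_t real_address)
{
    uint32_t low32 = (uint32_t)real_address;       /* what %eax holds */
    uint64_t extended = low32;                     /* zero-extended so far */
    if (low32 & 0x80000000u)                       /* movslq copies bit 31 */
        extended |= 0xffffffff00000000ULL;         /* ... into bits 32..63 */
    return extended;
}

/*
 * Returns 1 when the round trip changes the value, i.e. when a pointer at
 * this address would no longer reference its allocation after the
 * conversion.  Only addresses below 2 GiB survive on a 64-bit system.
 */
int pointer_corrupted(uint64_t real_address)
{
    return truncate_via_int(real_address) != real_address;
}

int main(void)
{
    /* Address taken from the report's gdb output ($1 / $4). */
    const uint64_t from_report = 0x7ffff6ef6010ULL;
    /* Constructed addresses: one low enough to survive, one with bit 31 set. */
    const uint64_t samples[] = { from_report, 0x12345678ULL, 0x80000000ULL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t after = truncate_via_int(samples[i]);
        printf("%#18llx -> %#18llx corrupted=%d\n",
               (unsigned long long)samples[i],
               (unsigned long long)after,
               pointer_corrupted(samples[i]));
    }
    return 0;
}
```

The mmap-backed buffer in the report lives at `0x7ffff6ef6010`, so the low half has bit 31 set and the sign extension yields `0xfffffffff6ef6010`, the value `$5` and `$6` show reaching `memset`. For defenders, the general check is to build with `-Werror=implicit-function-declaration` (and `-Wall`) so that a call whose prototype is not in scope fails at compile time instead of silently returning an `int`-sized value; a correct `void *` prototype for the allocator makes the compiler keep all of `%rax`.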