pts / sam2p

raster (bitmap) image converter with smart PDF and PostScript (EPS) output
http://pts.50.hu/sam2p/
GNU General Public License v2.0

invalid free in Mapping::DoubleHash::clear (in mapping.cpp:197) #30

Closed fantasy7082 closed 6 years ago

fantasy7082 commented 6 years ago

There is an invalid free in Mapping::DoubleHash::clear that leads to a Segmentation fault in sam2p 0.49.4. A crafted input will lead to a denial of service attack. Steps to Reproduce:

./sam2p 017-freenomalloc-mapping EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Notice: job: read InputFile: 017-freenomalloc-mapping
sam2p: Notice: writeTTT: using template: l23ind1
sam2p: Notice: applyProfile: applied OutputRule #9 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null
=================================================================
==20959==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x6020000082f0 in thread T0
    #0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x431348 in Mapping::DoubleHash::clear() /root/sam2p_ASAN2/sam2p/mapping.cpp:197
    #2 0x43150e in Mapping::DoubleHash15::~DoubleHash15() /root/sam2p_ASAN2/sam2p/mapping.cpp:305
    #3 0x431558 in Mapping::DoubleHash15::~DoubleHash15() /root/sam2p_ASAN2/sam2p/mapping.cpp:307
    #4 0x43f7ac in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:454
    #5 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
    #6 0x43f9d8 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.hpp:223
    #7 0x43f9d8 in MiniPS::Array::free() /root/sam2p_ASAN2/sam2p/minips.cpp:376
    #8 0x43f91f in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:222
    #9 0x43f6ff in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:451
    #10 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
    #11 0x4043e6 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1103
    #12 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
    #13 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==20959==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/017-freenomalloc-mapping

pts commented 6 years ago

Thank you for reporting this! I'm not able to reproduce this bug as of a6621e996f976912252018be8a8836ee6a966ee3. Valgrind doesn't print any errors:

==6510== 
==6510== HEAP SUMMARY:
==6510==     in use at exit: 0 bytes in 0 blocks
==6510==   total heap usage: 2,980 allocs, 2,980 frees, 372,737 bytes allocated
==6510== 
==6510== All heap blocks were freed -- no leaks are possible
==6510== 
==6510== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)
--6510-- 
--6510-- used_suppression:      2 glibc-2.5.x-on-SUSE-10.2-(PPC)-2a
==6510== 
==6510== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)

If you can reproduce this bug with the latest sam2p commit and Valgrind, please reopen this issue.