pts / sam2p

raster (bitmap) image converter with smart PDF and PostScript (EPS) output
http://pts.50.hu/sam2p/
GNU General Public License v2.0

Negative-size-param memset in LoadPCX (in in_pcx.cpp:252) #31

Closed fantasy7082 closed 6 years ago

fantasy7082 commented 6 years ago

The LoadPCX function in in_pcx.cpp in sam2p 0.49.4 does not ensure a non-negative size, which allows attackers to cause a denial of service (application crash) via a crafted file.

Steps to Reproduce:

./sam2p 004-negative-size-param-loadpcx EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Warning: PCX: PCX file appears to be truncated.
=================================================================
==20965==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x7ffff6ef69a1 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
    #1 0x431f4d in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x431f4d in LoadPCX /root/sam2p_ASAN2/sam2p/in_pcx.cpp:252
    #3 0x431f4d in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:533
    #4 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
    #5 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
    #6 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
    #7 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)

Address 0x7fffffffd7d0 is located in stack of thread T0 at offset 48 in frame
    #0 0x4319ef in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:531

  This frame has 1 object(s):
    [32, 160) 'hdr' <== Memory access at offset 48 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==20965==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/004-negative-size-param-loadpcx
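The report above boils down to a buffer size derived from untrusted PCX header fields ending up negative (size=-2147483648) by the time it reaches memcpy. The following is an added example, not sam2p's code and not the fix in the referenced commit: it validates the header geometry in unsigned 64-bit arithmetic and refuses to produce a size unless it is positive and fits a signed 32-bit int. Field offsets follow the standard 128-byte PCX header layout; PCX_MAX_DIM and the plane limit are assumed sanity bounds.

```c
/* Added example (not sam2p's code): validate PCX header geometry before any
 * buffer is sized from it, so a crafted header cannot yield a negative or
 * wrapped size for memcpy/memset. Offsets follow the PCX header layout;
 * PCX_MAX_DIM and the plane limit are assumed sanity bounds. */
#include <stdint.h>
#include <string.h>

#define PCX_HEADER_LEN 128
#define PCX_MAX_DIM    65536ULL   /* assumed sanity limit per axis */

static unsigned le16(const unsigned char *p) { return p[0] | (p[1] << 8); }
static void put16(unsigned char *p, unsigned v) { p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; }

/* Build a 128-byte PCX header from constructed values (demo/test helper). */
void pcx_make_header(unsigned char *hdr, unsigned xmin, unsigned ymin,
                     unsigned xmax, unsigned ymax, unsigned bpp,
                     unsigned planes, unsigned bytes_per_line) {
    memset(hdr, 0, PCX_HEADER_LEN);
    hdr[0] = 0x0A; hdr[1] = 5; hdr[2] = 1; hdr[3] = (unsigned char)bpp;
    put16(hdr + 4, xmin); put16(hdr + 6, ymin);
    put16(hdr + 8, xmax); put16(hdr + 10, ymax);
    hdr[65] = (unsigned char)planes; put16(hdr + 66, bytes_per_line);
}

/* Returns the decoded image size in bytes, or 0 if the header is rejected.
 * All arithmetic is unsigned 64-bit, so nothing can go negative or wrap
 * before the explicit INT32_MAX check; callers allocate or copy only when
 * the result is non-zero. */
uint64_t pcx_image_bytes(const unsigned char *hdr) {
    if (hdr[0] != 0x0A || hdr[2] != 1) return 0;          /* manufacturer byte, RLE encoding */
    unsigned bpp = hdr[3], planes = hdr[65], bpl = le16(hdr + 66);
    unsigned xmin = le16(hdr + 4), ymin = le16(hdr + 6);
    unsigned xmax = le16(hdr + 8), ymax = le16(hdr + 10);
    if (xmax < xmin || ymax < ymin) return 0;             /* signed int math would go negative here */
    uint64_t width  = (uint64_t)xmax - xmin + 1;
    uint64_t height = (uint64_t)ymax - ymin + 1;
    if (width > PCX_MAX_DIM || height > PCX_MAX_DIM) return 0;
    if (bpp == 0 || bpp > 8 || planes == 0 || planes > 4) return 0;
    if ((uint64_t)bpl * 8 < width * bpp) return 0;        /* a row must hold the pixels it claims */
    uint64_t total = (uint64_t)bpl * planes * height;
    return total > INT32_MAX ? 0 : total;                 /* must fit the int sizes used downstream */
}

/* Convenience: build a header from the given geometry and validate it. */
uint64_t pcx_image_bytes_for(unsigned xmin, unsigned ymin, unsigned xmax, unsigned ymax,
                             unsigned bpp, unsigned planes, unsigned bytes_per_line) {
    unsigned char hdr[PCX_HEADER_LEN];
    pcx_make_header(hdr, xmin, ymin, xmax, ymax, bpp, planes, bytes_per_line);
    return pcx_image_bytes(hdr);
}
```

A header whose xmax is smaller than xmin, or whose plane count and row length multiply past INT32_MAX, is rejected before any size reaches memcpy; a sane 16x16 8-bit header yields 256 bytes.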

pts commented 6 years ago

Thank you for reporting this! Fixed in 4aa27783d1e95fb0d65144a8a8f91104d1bdbe58.
