./sam2p 009-heap EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
=================================================================
==20994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000017a21 at pc 0x000000432a06 bp 0x7fffffffd6f0 sp 0x7fffffffd6e0
WRITE of size 1 at 0x62a000017a21 thread T0
#0 0x432a05 in pcxLoadRaster /root/sam2p_ASAN2/sam2p/in_pcx.cpp:496
#1 0x432a05 in pcxLoadImage8 /root/sam2p_ASAN2/sam2p/in_pcx.cpp:335
#2 0x432a05 in LoadPCX /root/sam2p_ASAN2/sam2p/in_pcx.cpp:209
#3 0x432a05 in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:533
#4 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
#5 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
#6 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
#7 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
0x62a000017a21 is located 0 bytes to the right of 22561-byte region [0x62a000012200,0x62a000017a21)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
#2 0x41df2a in operator new[](unsigned long) /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sam2p_ASAN2/sam2p/in_pcx.cpp:496 pcxLoadRaster
Shadow bytes around the buggy address:
0x0c547fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fffaf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fffaf40: 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
0x0c547fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fffaf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==20994==ABORTING
Hi, I found a heap-buffer-overflow vulnerability in sam2p 0.49.4.

Reason:
https://github.com/pts/sam2p/blob/97e764bf8e9b26ff0d1b97f80073a463b2eedcd0/in_pcx.cpp#L473
https://github.com/pts/sam2p/blob/97e764bf8e9b26ff0d1b97f80073a463b2eedcd0/in_pcx.cpp#L496

The crash happened in the pcxLoadRaster function of the file in_pcx.cpp at line 496. The details are below (ASAN).

POC FILE: https://github.com/fantasy7082/image_test/blob/master/009-heap
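As an added example (hypothetical code written for this report, not sam2p's own in_pcx.cpp and not a reconstruction of the specific defect at line 496): the ASAN output shows a one-byte write landing exactly at the end of the heap-allocated raster while decoding PCX data, which is the classic shape of an RLE run length taken from the file and not checked against the space left in the row. The decoder below shows that check in C. The function name `pcx_decode_row`, `ROW_WIDTH` and the sample byte streams are constructed for this illustration only.

```c
/* Added example: a PCX RLE scanline decoder that refuses to write past its
 * row buffer. Hypothetical code for this issue, NOT sam2p's in_pcx.cpp. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one PCX RLE scanline from src into dst.
 * A byte with its top two bits set (0xC0) is a run header: its low six bits
 * give the repeat count and the following byte is the value to repeat. Any
 * other byte is a single literal pixel.
 * Returns the number of bytes written (dst_len on success), or -1 if the
 * stream ends before the row is complete or a run would overrun dst.
 * On success *consumed (if non-NULL) receives the number of source bytes used. */
long pcx_decode_row(const uint8_t *src, size_t src_len,
                    uint8_t *dst, size_t dst_len, size_t *consumed)
{
    size_t si = 0, di = 0;
    while (di < dst_len) {
        if (si >= src_len) return -1;          /* truncated input */
        uint8_t b = src[si++];
        size_t run = 1;
        if ((b & 0xC0) == 0xC0) {
            run = b & 0x3F;
            if (si >= src_len) return -1;      /* run header with no value byte */
            b = src[si++];
        }
        /* The bound an unhardened decoder omits: the run length is attacker
         * controlled file data, so it must be checked against the room left
         * in the row before any byte is written. */
        if (run > dst_len - di) return -1;
        for (size_t k = 0; k < run; k++) dst[di++] = b;
    }
    if (consumed) *consumed = si;
    return (long)di;
}

#define ROW_WIDTH 8

/* Constructed sample streams (not taken from the issue's PoC file). */
static const uint8_t GOOD_ROW[]      = { 0xC5, 0x11, 0x22, 0xC2, 0x33 }; /* 5x11, 22, 2x33 */
static const uint8_t OVERRUN_ROW[]   = { 0xFF, 0x44 };                   /* 63x44 into 8 bytes */
static const uint8_t TRUNCATED_ROW[] = { 0xC5 };                         /* header, no value */

static uint8_t g_row[ROW_WIDTH];

/* Decode GOOD_ROW into g_row; returns bytes written (8 on success). */
long demo_good_row(void)
{
    return pcx_decode_row(GOOD_ROW, sizeof GOOD_ROW, g_row, ROW_WIDTH, NULL);
}

/* Pixel i of the decoded GOOD_ROW, or -1 if i is out of range. */
int demo_good_pixel(size_t i)
{
    if (demo_good_row() != ROW_WIDTH || i >= ROW_WIDTH) return -1;
    return g_row[i];
}

/* Source bytes consumed when decoding GOOD_ROW (5 for the sample). */
long demo_good_consumed(void)
{
    size_t used = 0;
    uint8_t row[ROW_WIDTH];
    if (pcx_decode_row(GOOD_ROW, sizeof GOOD_ROW, row, ROW_WIDTH, &used) < 0)
        return -1;
    return (long)used;
}

/* A 63-byte run aimed at an 8-byte row is rejected (-1), nothing is written past it. */
long demo_overrun_row(void)
{
    uint8_t row[ROW_WIDTH];
    return pcx_decode_row(OVERRUN_ROW, sizeof OVERRUN_ROW, row, ROW_WIDTH, NULL);
}

/* A run header with no value byte is rejected (-1) instead of reading past src. */
long demo_truncated_row(void)
{
    uint8_t row[ROW_WIDTH];
    return pcx_decode_row(TRUNCATED_ROW, sizeof TRUNCATED_ROW, row, ROW_WIDTH, NULL);
}

int main(void)
{
    printf("good row: %ld bytes written, %ld source bytes consumed\n",
           demo_good_row(), demo_good_consumed());
    printf("overrun row: %ld (rejected)\n", demo_overrun_row());
    printf("truncated row: %ld (rejected)\n", demo_truncated_row());
    return 0;
}
```

The decoder rejects a run that would cross the end of the row rather than silently clamping it; a more lenient loader could clamp `run` to `dst_len - di` instead, and either choice keeps every write inside the allocation. Compiling such a decoder with `-fsanitize=address` and fuzzing it with short RLE streams is the cheapest way to confirm the bound holds on inputs like the one in this report.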