search

pts / sam2p

raster (bitmap) image converter with smart PDF and PostScript (EPS) output
http://pts.50.hu/sam2p/
GNU General Public License v2.0
42 stars 15 forks source link

heap buffer overflow in in_pcx.cpp:403 #52

Closed puppet-meteor closed 5 years ago

puppet-meteor commented 5 years ago

There is a heap buffer overflow in in_pcx.cpp:403 at sam2p 0.49.4. A crafted input will lead to denial of service attack.

Steps to Reproduce:

./sam2p POC_1 EPS: /dev/null

POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/POC_1

Information from addresssanitizer:

This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
AAA3
=================================================================
==6296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000018e26 at pc 0x000000434caf bp 0x7ffeb493f4c0 sp 0x7ffeb493f4b0
WRITE of size 1 at 0x611000018e26 thread T0
    #0 0x434cae in pcxLoadImage24 /home/puppet/target/sam2p-gdb/in_pcx.cpp:403
    #1 0x434cae in LoadPCX /home/puppet/target/sam2p-gdb/in_pcx.cpp:214
    #2 0x434cae in in_pcx_reader /home/puppet/target/sam2p-gdb/in_pcx.cpp:532
    #3 0x478f1b in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/puppet/target/sam2p-gdb/image.cpp:1427
    #4 0x403a96 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1024
    #5 0x40264f in main /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1117
    #6 0x7f960304382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x402f98 in _start (/usr/local/bin/sam2p+0x402f98)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puppet/target/sam2p-gdb/in_pcx.cpp:403 pcxLoadImage24
Shadow bytes around the buggy address:
  0x0c227fffb170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fffb1c0: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffb1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffb1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
  0x0c227fffb200: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fffb210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==6296==ABORTING

a SEGV has the same execution paths.

Steps to Reproduce:

./sam2p 68.jpg EPS: /dev/null

POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/68.jpg

Information from addresssanitizer:

This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
AAA3
ASAN:SIGSEGV
=================================================================
==3128==ERROR: AddressSanitizer: SEGV on unknown address 0x630ffffffea4 (pc 0x000000434a1e bp 0x7ffe51967910 sp 0x7ffe51967740 T0)
    #0 0x434a1d in pcxLoadImage24 /home/puppet/target/sam2p-gdb/in_pcx.cpp:403
    #1 0x434a1d in LoadPCX /home/puppet/target/sam2p-gdb/in_pcx.cpp:214
    #2 0x434a1d in in_pcx_reader /home/puppet/target/sam2p-gdb/in_pcx.cpp:532
    #3 0x478f1b in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/puppet/target/sam2p-gdb/image.cpp:1427
    #4 0x403a96 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1024
    #5 0x40264f in main /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1117
    #6 0x7f0b1349a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x402f98 in _start (/usr/local/bin/sam2p+0x402f98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/puppet/target/sam2p-gdb/in_pcx.cpp:403 pcxLoadImage24
==3128==ABORTING

found by liyuwei@zju.edu.cn from NESA Lab in Zhejiang University.

pts commented 5 years ago

Thank you for reporting this! I'm not able to reproduce this bug with the latest sam2p HEAD (d2656beef486c55b53ae0d7e395d6610cc8ee744), so I'm closing this issue now. Feel free to report more issues, but please check that you have d2656beef486c55b53ae0d7e395d6610cc8ee744 or later checked out.

$ ./sam2p.asan POC_1 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Warning: PCX: Image data truncated.
sam2p: Warning: PCX: PCX file appears to be truncated.
sam2p: Notice: job: read InputFile: POC_1
sam2p: Notice: writeTTT: using template: l23
sam2p: Notice: applyProfile: applied OutputRule #37 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null
Success.