Closed. Opened by puppet-meteor, closed 5 years ago.
Thank you for reporting this! I'm not able to reproduce this bug with the latest sam2p HEAD (d2656beef486c55b53ae0d7e395d6610cc8ee744), so I'm closing this issue now. Feel free to report more issues, but please check that you have d2656beef486c55b53ae0d7e395d6610cc8ee744 or later checked out.
$ ./sam2p.asan POC_1 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p: Warning: PCX: Image data truncated.
sam2p: Warning: PCX: PCX file appears to be truncated.
sam2p: Notice: job: read InputFile: POC_1
sam2p: Notice: writeTTT: using template: l23
sam2p: Notice: applyProfile: applied OutputRule #37 using applier PSL23+PDF
sam2p: Notice: job: written OutputFile: /dev/null
Success.
There is a heap buffer overflow in in_pcx.cpp:403 in sam2p 0.49.4. A crafted input will lead to a denial of service attack.
Steps to Reproduce:
./sam2p POC_1 EPS: /dev/null
POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/POC_1
Information from AddressSanitizer:
A SEGV has the same execution path.
Steps to Reproduce:
./sam2p 68.jpg EPS: /dev/null
POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/68.jpg
Information from AddressSanitizer:
Found by liyuwei@zju.edu.cn from NESA Lab in Zhejiang University.
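The report above places the overflow in the PCX loader and the run log shows the two truncation warnings ("Image data truncated", "PCX file appears to be truncated"), so the failure mode a defender cares about is a run-length decoder that keeps reading or writing after one of its buffers has ended. The following is an added example, not sam2p's code and not a reconstruction of in_pcx.cpp:403: a hypothetical, bounds-checked decoder for the standard PCX RLE scanline format (a byte whose top two bits are set is a run header whose low six bits give the count, followed by the value byte; any other byte is a literal). Every read is checked against the input length and every run is clamped to the space left in the output, and the function reports which of the two conditions it hit instead of silently continuing. All function and type names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of decoding one buffer of PCX run-length data. */
typedef enum {
    PCX_OK = 0,          /* output buffer filled exactly */
    PCX_TRUNCATED = 1,   /* input ran out before the output was full */
    PCX_RUN_CLAMPED = 2  /* a run would have spilled past the output and was cut short */
} pcx_status;

/*
 * Bounds-checked PCX RLE decoder (hypothetical; not sam2p's in_pcx.cpp).
 * Every read of `in` is checked against in_len and every write to `out`
 * against out_cap, so a truncated or malformed file cannot move a read or
 * a write outside either buffer. On return, *out_len holds the number of
 * bytes actually written.
 */
static pcx_status pcx_rle_decode(const uint8_t *in, size_t in_len,
                                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t ip = 0, op = 0;
    pcx_status st = PCX_OK;

    while (op < out_cap) {
        if (ip >= in_len) { st = PCX_TRUNCATED; break; }   /* no more input */
        uint8_t b = in[ip++];
        size_t count = 1;
        uint8_t value = b;

        if ((b & 0xC0) == 0xC0) {                 /* run header: count in low six bits */
            count = b & 0x3F;
            if (ip >= in_len) { st = PCX_TRUNCATED; break; }  /* header without value byte */
            value = in[ip++];
        }
        if (count > out_cap - op) {               /* run longer than the space left */
            count = out_cap - op;                 /* clamp instead of writing past the end */
            st = PCX_RUN_CLAMPED;
        }
        memset(out + op, value, count);
        op += count;
    }
    *out_len = op;
    return st;
}

/* Status and byte count for one decode attempt. */
typedef struct { pcx_status status; size_t written; } pcx_result;

/* Constructed sample scanlines (not taken from the POC files in the report);
 * each is decoded into an 8-byte line buffer. */
static const uint8_t SAMPLE_OK[]          = {0xC4, 0xAA, 0x11, 0xC3, 0x22}; /* 4xAA, 11, 3x22 */
static const uint8_t SAMPLE_SHORT[]       = {0xC4, 0xAA, 0x11};             /* data ends early */
static const uint8_t SAMPLE_RUN_SPILL[]   = {0xC4, 0xAA, 0xC8, 0x55};       /* 8x55 into 4 bytes left */
static const uint8_t SAMPLE_HEADER_ONLY[] = {0xC4};                         /* header, no value */

/* Decode one sample into a fixed 8-byte line and report the outcome. */
static pcx_result run_sample(const uint8_t *in, size_t in_len)
{
    uint8_t line[8];
    pcx_result r;
    r.status = pcx_rle_decode(in, in_len, line, sizeof line, &r.written);
    return r;
}

/* 1 if SAMPLE_OK decodes to the expected bytes, 0 otherwise. */
static int sample_ok_bytes_match(void)
{
    static const uint8_t expected[8] = {0xAA, 0xAA, 0xAA, 0xAA, 0x11, 0x22, 0x22, 0x22};
    uint8_t line[8] = {0};
    size_t n = 0;
    pcx_rle_decode(SAMPLE_OK, sizeof SAMPLE_OK, line, sizeof line, &n);
    return n == sizeof line && memcmp(line, expected, sizeof line) == 0;
}

int main(void)
{
    static const char *names[] = {"PCX_OK", "PCX_TRUNCATED", "PCX_RUN_CLAMPED"};
    pcx_result r;
    r = run_sample(SAMPLE_OK, sizeof SAMPLE_OK);
    printf("complete line:   %s, %zu bytes\n", names[r.status], r.written);
    r = run_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT);
    printf("truncated data:  %s, %zu bytes\n", names[r.status], r.written);
    r = run_sample(SAMPLE_RUN_SPILL, sizeof SAMPLE_RUN_SPILL);
    printf("run past end:    %s, %zu bytes\n", names[r.status], r.written);
    r = run_sample(SAMPLE_HEADER_ONLY, sizeof SAMPLE_HEADER_ONLY);
    printf("dangling header: %s, %zu bytes\n", names[r.status], r.written);
    return 0;
}
```

A caller that treats anything other than `PCX_OK` as a warning (as the sam2p log above does for truncation) still gets a fully initialised line buffer and never an out-of-bounds write; the two distinct statuses also make it easy to log which malformed-input case a file triggered when triaging fuzzer findings.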