Closed puppet-meteor closed 5 years ago
Thank you for reporting this! I'm not able to reproduce this bug with the latest sam2p HEAD (d2656beef486c55b53ae0d7e395d6610cc8ee744), so I'm closing this issue now. Feel free to report more issues, but please check that you have d2656beef486c55b53ae0d7e395d6610cc8ee744 or later checked out.
The latest sam2p with AddressSanitizer behaves reasonably, indicating out-of-memory for a large image:
$ ./sam2p.asan POC_2 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
==33741==WARNING: AddressSanitizer failed to allocate 0xfffffffe00000001 bytes
==33741==AddressSanitizer's allocator is terminating the process instead of returning 0
==33741==If you don't like this behavior set allocator_may_return_null=1
==33741==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
#0 0x7f56ed109325 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe4325)
#1 0x7f56ed125e65 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x100e65)
#2 0x7f56ed10dc02 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe8c02)
#3 0x7f56ed04dd48 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x28d48)
#4 0x7f56ed1004bf in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdb4bf)
#5 0x5631f0594698 in pnm_load_image(GenBuffer::Readable*) /usr/local/google/home/pts/prg/sam2p/input-pnm.ci:286
#6 0x5631f0595c98 in in_pnm_reader /usr/local/google/home/pts/prg/sam2p/in_pnm.cpp:29
#7 0x5631f0607565 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /usr/local/google/home/pts/prg/sam2p/image.cpp:1435
#8 0x5631f0577fe4 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, unsigned char) /usr/local/google/home/pts/prg/sam2p/sam2p_main.cpp:1055
#9 0x5631f0579630 in main /usr/local/google/home/pts/prg/sam2p/sam2p_main.cpp:1148
#10 0x7f56ec4052b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#11 0x5631f056e0e9 in _start (/usr/local/google/home/pts/prg/sam2p/sam2p.asan+0x280e9)
The latest sam2p behaves reasonably, indicating out-of-memory for a large image:
$ ./sam2p POC_2 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
zsh: abort ./sam2p POC_2 EPS: /dev/null
In 32-bit mode, it detects that the image is too large, and fails with an explicit error message:
$ ./sam2p.m32 POC_2 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p.m32: Error: PNM: Image too large.
There is a segmentation fault in image.cpp:162 at sam2p 0.49.4. A crafted input will lead to denial of service attack.
Steps to Reproduce:
./sam2p POC_2 EPS: /dev/null
POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/POC_2
Information from addresssanitizer:
found by liyuwei@zju.edu.cn from NESA Lab in Zhejiang University.