pts / sam2p

raster (bitmap) image converter with smart PDF and PostScript (EPS) output
http://pts.50.hu/sam2p/
GNU General Public License v2.0

segmentation fault in image.cpp:162 #53

Closed puppet-meteor closed 5 years ago

puppet-meteor commented 5 years ago

There is a segmentation fault in image.cpp:162 at sam2p 0.49.4. A crafted input will lead to a denial of service attack.

Steps to Reproduce:

./sam2p POC_2 EPS: /dev/null

POC File: https://github.com/puppet-meteor/sam2p_POC/blob/master/POC_2

Information from AddressSanitizer:

This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
ASAN:SIGSEGV
=================================================================
==6388==ERROR: AddressSanitizer: SEGV on unknown address 0x601e00008291 (pc 0x7fe35e84ca55 bp 0x7ffe8287d090 sp 0x7ffe8287c818 T0)
    #0 0x7fe35e84ca54  (/lib/x86_64-linux-gnu/libc.so.6+0x172a54)
    #1 0x7fe35eb30b1e in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cb1e)
    #2 0x46dafe in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #3 0x46dafe in Image::Sampled::init(unsigned long, unsigned long, unsigned int, unsigned int, unsigned char, unsigned char, unsigned char) /home/puppet/target/sam2p-gdb/image.cpp:162
    #4 0x4772c8 in Image::Gray::Gray(unsigned int, unsigned int, unsigned char) /home/puppet/target/sam2p-gdb/image.cpp:1121
    #5 0x4266ed in in_pnm_reader /home/puppet/target/sam2p-gdb/in_pnm.cpp:33
    #6 0x478f1b in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /home/puppet/target/sam2p-gdb/image.cpp:1427
    #7 0x403a96 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1024
    #8 0x40264f in main /home/puppet/target/sam2p-gdb/sam2p_main.cpp:1117
    #9 0x7fe35e6fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x402f98 in _start (/usr/local/bin/sam2p+0x402f98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==6388==ABORTING

Found by liyuwei@zju.edu.cn from NESA Lab at Zhejiang University.

pts commented 5 years ago

Thank you for reporting this! I'm not able to reproduce this bug with the latest sam2p HEAD (d2656beef486c55b53ae0d7e395d6610cc8ee744), so I'm closing this issue now. Feel free to report more issues, but please check that you have d2656beef486c55b53ae0d7e395d6610cc8ee744 or later checked out.

The latest sam2p with AddressSanitizer behaves reasonably, indicating out-of-memory for a large image:

$ ./sam2p.asan POC_2 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
==33741==WARNING: AddressSanitizer failed to allocate 0xfffffffe00000001 bytes
==33741==AddressSanitizer's allocator is terminating the process instead of returning 0
==33741==If you don't like this behavior set allocator_may_return_null=1
==33741==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f56ed109325  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe4325)
    #1 0x7f56ed125e65 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x100e65)
    #2 0x7f56ed10dc02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe8c02)
    #3 0x7f56ed04dd48  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x28d48)
    #4 0x7f56ed1004bf in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdb4bf)
    #5 0x5631f0594698 in pnm_load_image(GenBuffer::Readable*) /usr/local/google/home/pts/prg/sam2p/input-pnm.ci:286
    #6 0x5631f0595c98 in in_pnm_reader /usr/local/google/home/pts/prg/sam2p/in_pnm.cpp:29
    #7 0x5631f0607565 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /usr/local/google/home/pts/prg/sam2p/image.cpp:1435
    #8 0x5631f0577fe4 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, unsigned char) /usr/local/google/home/pts/prg/sam2p/sam2p_main.cpp:1055
    #9 0x5631f0579630 in main /usr/local/google/home/pts/prg/sam2p/sam2p_main.cpp:1148
    #10 0x7f56ec4052b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x5631f056e0e9 in _start (/usr/local/google/home/pts/prg/sam2p/sam2p.asan+0x280e9)

The latest sam2p behaves reasonably, indicating out-of-memory for a large image:

$ ./sam2p POC_2 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
zsh: abort      ./sam2p POC_2 EPS: /dev/null

In 32-bit mode, it detects that the image is too large, and fails with an explicit error message:

$ ./sam2p.m32 POC_2 EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
sam2p.m32: Error: PNM: Image too large.
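As an added illustration of the defensive check the maintainer's three runs point at (this is example code, not sam2p's own): the 0xfffffffe00000001 bytes that AddressSanitizer refused to allocate is exactly 0xffffffff * 0xffffffff, so a pixel-buffer size computed from untrusted header dimensions can be astronomically large without wrapping, and on a 32-bit build the same product does not fit a size_t at all. Validating the size before new[] fails closed with an explicit "image too large" error instead of a SEGV in memset or an uncaught std::bad_alloc. The function name, the 1 GiB policy cap, and the row layout (bits per component times components per pixel, rows padded to whole bytes) are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Assumed policy cap on a decoded raster (1 GiB); real loaders pick their own.
static const std::uint64_t kMaxImageBytes = std::uint64_t(1) << 30;

// Hypothetical helper: compute the byte size of a wd x ht raster with bpc bits
// per component and cpp components per pixel. Every multiplication is guarded,
// so a hostile header can never wrap the size or reach the allocator.
// Returns true and stores the size in *out, or false if the image is rejected.
bool checked_image_bytes(std::uint64_t wd, std::uint64_t ht,
                         unsigned bpc, unsigned cpp, std::size_t *out) {
  const std::uint64_t kMax64 = std::numeric_limits<std::uint64_t>::max();
  if (wd == 0 || ht == 0 || bpc == 0 || bpc > 16 || cpp == 0 || cpp > 4)
    return false;
  // bpc <= 16 and cpp <= 4, so bits per pixel itself cannot overflow.
  const std::uint64_t bits_per_pixel = std::uint64_t(bpc) * cpp;
  // Guard wd * bits_per_pixel + 7 before computing the padded row size.
  if (wd > (kMax64 - 7) / bits_per_pixel) return false;
  const std::uint64_t row_bytes = (wd * bits_per_pixel + 7) / 8;
  // Guard row_bytes * ht. For 0xffffffff x 0xffffffff at 8 bpc this does not
  // overflow: the product is 0xfffffffe00000001, the size ASan reported above.
  if (ht > kMax64 / row_bytes) return false;
  const std::uint64_t total = row_bytes * ht;
  // Reject anything above the policy cap, and anything that does not fit the
  // platform size_t (the 32-bit build's "Image too large" case).
  if (total > kMaxImageBytes) return false;
  if (total > std::numeric_limits<std::size_t>::max()) return false;
  *out = static_cast<std::size_t>(total);
  return true;
}

// Convenience wrapper mirroring a loader's decision: allocate only after the
// size check passed, otherwise report "too large" to the caller.
unsigned char *alloc_raster_or_null(std::uint64_t wd, std::uint64_t ht,
                                    unsigned bpc, unsigned cpp) {
  std::size_t n = 0;
  if (!checked_image_bytes(wd, ht, bpc, cpp, &n)) return nullptr;  // "Image too large"
  return new unsigned char[n]();  // zero-filled; safe because n was validated
}
```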