
Bug 3881

Summary: Fuzzing crashes for SDL_LoadBMP
Product: SDL
Component: video
Reporter: Ryan C. Gordon <icculus>
Assignee: Ryan C. Gordon <icculus>
QA Contact: Sam Lantinga <slouken>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: HG 2.0
Hardware: x86
OS: Other
See Also: https://bugzilla.libsdl.org/show_bug.cgi?id=3894
Attachments:
  Archive of test cases.
  Test program to reproduce crashes.

Description Ryan C. Gordon 2017-10-14 15:06:45 UTC
Created attachment 2984 [details]
Archive of test cases.

Here's a zipfile of data that crashes SDL_LoadBMP. These are likely not valid bitmap files, but just carefully crafted binary data that convinces SDL_LoadBMP to overflow buffers, etc., instead of merely returning an error.

This data was generated by American Fuzzy Lop (AFL), a fuzzer that makes finding this sort of bug pretty easy.

http://lcamtuf.coredump.cx/afl/

--ryan.
Comment 1 Ryan C. Gordon 2017-10-14 15:09:30 UTC
Created attachment 2985 [details]
Test program to reproduce crashes.
Here's the test program AFL was using. You could just run it like:

for f in SDL-loadbmp-fuzzing-crashes/* ; do ./testbmp $f ; done

To see every crash.

Easy to compile: gcc -g -o testbmp testbmp.c `sdl2-config --cflags --libs`
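The class of problem the attached crashers exercise is a loader trusting sizes, offsets and dimensions read from the file. As an added example (this is not SDL's code, and it is not the attached testbmp.c, which is not reproduced on this page), here is a bounds-checked BMP header validator in C, a builder that constructs both a well-formed 2x2 bitmap and crafted headers of the kind a fuzzer produces, and a small harness that, like the reporter's loop, takes file names on the command line. Field offsets follow the standard BITMAPFILEHEADER and BITMAPINFOHEADER layout; the 65536-pixel dimension ceiling, the BI_RGB-only restriction, and the error names are this example's own choices.

```c
/* Added example, not SDL code: validate a BMP header against the buffer
   length before trusting any size, offset or dimension it contains. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bmp_err {
    BMP_OK = 0,
    BMP_ERR_SHORT,        /* a header or the pixel data runs past the buffer */
    BMP_ERR_MAGIC,        /* not "BM" */
    BMP_ERR_DIMENSION,    /* width <= 0, height == 0, or above the example's ceiling */
    BMP_ERR_BPP,          /* bits per pixel not in {1,4,8,16,24,32} */
    BMP_ERR_COMPRESSION,  /* this example accepts only BI_RGB (0) */
    BMP_ERR_OFFSET,       /* pixel offset overlaps headers/palette or lies past EOF */
    BMP_ERR_PALETTE       /* more palette entries than 2^bpp */
};

/* Little-endian accessors: BMP fields are LE regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

#define BMP_MAX_DIM 65536u  /* example ceiling; keeps width*bpp*rows far below 2^64 */

enum bmp_err bmp_validate(const uint8_t *buf, size_t len)
{
    if (len < 14 + 40) return BMP_ERR_SHORT;          /* file header + BITMAPINFOHEADER */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;
    uint32_t pixel_offset = rd32(buf + 10);
    uint32_t dib_size     = rd32(buf + 14);
    /* Compare untrusted sizes against the remaining length; never add them to a
       pointer or to len first, because that addition is where wraparound happens. */
    if (dib_size < 40 || dib_size > len - 14) return BMP_ERR_SHORT;
    int32_t  width       = (int32_t)rd32(buf + 18);
    int32_t  height      = (int32_t)rd32(buf + 22);   /* negative = top-down rows */
    uint16_t bpp         = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);
    uint32_t clr_used    = rd32(buf + 46);

    if (width <= 0 || height == 0 || height == INT32_MIN) return BMP_ERR_DIMENSION;
    uint32_t rows = height < 0 ? (uint32_t)-height : (uint32_t)height;
    if ((uint32_t)width > BMP_MAX_DIM || rows > BMP_MAX_DIM) return BMP_ERR_DIMENSION;
    switch (bpp) { case 1: case 4: case 8: case 16: case 24: case 32: break;
                   default: return BMP_ERR_BPP; }
    if (compression != 0) return BMP_ERR_COMPRESSION;

    /* Row pitch (rows are padded to 4 bytes) and total pixel bytes, computed in 64 bits. */
    uint64_t pitch       = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = pitch * rows;

    /* Palette: indexed modes default to 2^bpp entries of 4 bytes when clr_used is 0. */
    uint64_t palette_bytes = 0;
    if (bpp <= 8) {
        uint32_t entries = clr_used ? clr_used : 1u << bpp;
        if (entries > 1u << bpp) return BMP_ERR_PALETTE;
        palette_bytes = (uint64_t)entries * 4;
    }
    uint64_t header_end = 14 + (uint64_t)dib_size + palette_bytes;
    if (pixel_offset < header_end || pixel_offset > len) return BMP_ERR_OFFSET;
    if (pixel_bytes > len - pixel_offset) return BMP_ERR_SHORT;
    return BMP_OK;
}

/* Constructs a BI_RGB bitmap with caller-chosen header fields so that both
   well-formed and crafted inputs can be produced in memory (constructed test
   data, not the reporter's archive). Returns bytes written, or 0 if cap is too small. */
size_t bmp_build(uint8_t *out, size_t cap, int32_t width, int32_t height, uint16_t bpp,
                 uint32_t dib_size, uint32_t pixel_offset, size_t pixel_bytes)
{
    size_t total = 54 + pixel_bytes;
    if (cap < total) return 0;
    memset(out, 0, total);              /* compression and clr_used stay 0 */
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total);
    wr32(out + 10, pixel_offset);
    wr32(out + 14, dib_size);
    wr32(out + 18, (uint32_t)width);
    wr32(out + 22, (uint32_t)height);
    wr16(out + 26, 1);                  /* planes */
    wr16(out + 28, bpp);
    return total;
}

/* Harness in the spirit of the reporter's loop: one verdict per file named on the command line. */
int main(int argc, char **argv)
{
    static uint8_t buf[1 << 20];        /* files beyond 1 MiB are truncated in this example */
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        enum bmp_err e = bmp_validate(buf, n);
        printf("%s: %s (code %d)\n", argv[i], e == BMP_OK ? "ok" : "rejected", (int)e);
    }
    return 0;
}
```

Run it over a directory of inputs the same way as the reporter's loop (`for f in dir/* ; do ./bmpcheck $f ; done`); a validator like this should only ever print a verdict, never crash, and a fuzzer run against it is the quickest way to confirm that. The order of checks matters: `dib_size` is compared against `len - 14` before anything past the file header is read, and the pixel-data length is derived in 64-bit arithmetic only after the dimensions have been capped, so no intermediate value can wrap.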
Comment 2 Ryan C. Gordon 2018-01-28 05:22:00 UTC
Literally every one of these crashes was fixed by https://hg.libsdl.org/SDL/rev/81a4950907a0, heh

--ryan.
Comment 3 Sam Lantinga 2018-01-29 19:19:57 UTC
Awesome!