We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 4619

Summary:	heap-buffer-overflow in IMG_LoadPCX_RW@IMG_pcx.c:178-24
Product:	SDL_image	Reporter:	pwd <teamseri0us360>
Component:	misc	Assignee:	Sam Lantinga <slouken>
Status:	RESOLVED FIXED	QA Contact:	Sam Lantinga <slouken>
Severity:	normal
Priority:	P2
Version:	2.0.4
Hardware:	x86_64
OS:	Linux
Attachments:	poc

Description pwd 2019-05-05 02:56:52 UTC

Created attachment 3773 [details]
poc

## IMG_LoadPCX_RW@IMG_pcx.c:178-24___heap-buffer-overflow

### description

    An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is a heap-buffer-overflow in function IMG_LoadPCX_RW at IMG_pcx.c:178-24

### commandline

    loadtif  @@ 

### source

```c
 174                         }
 175                     } else
 176                         count = 1;
 177                 }
> 178                 dst[i] = ch;
 179                 count--;
 180             }
 181         }
 182 
 183         if(src_bits <= 4) {

// loadtif.c
// #include <stdio.h>
// #include <SDL.h>
// #include <SDL_image.h>
//
// int main(int argc, char * argv[]){
//         IMG_Init(IMG_INIT_TIF);//IMG_INIT_JPG);IMG_INIT_PNG
//         while(__AFL_LOOP(1000)){
//               SDL_Surface * image = IMG_Load(argv[1]);
//               if (image){
//                 SDL_FreeSurface(image);
//               }
//         }
//         IMG_Quit();
// }
```

### bug report

```txt
=================================================================
==13979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x7fcdecb76a15 bp 0x7ffddb89ab30 sp 0x7ffddb89ab28
WRITE of size 1 at 0x60200000eff4 thread T0
    #0 0x7fcdecb76a14 in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:178:24
    #1 0x7fcdecb639bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    #2 0x7fcdecb62f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    #3 0x4ea0f0 in main /src/loadtif.c:8:37
    #4 0x7fcdeb66982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4189e8 in _start (/src/aflbuild/installed/bin/loadtif+0x4189e8)

0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
allocated by thread T0 here:
    #0 0x4b8b18 in malloc (/src/aflbuild/installed/bin/loadtif+0x4b8b18)
    #1 0x7fcdec6de868 in SDL_malloc_REAL /src/libsdl2/src/stdlib/SDL_malloc.c:5328:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/SDL2_image-2.0.4/IMG_pcx.c:178:24 in IMG_LoadPCX_RW
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13979==ABORTING

```

### others

    from fuzz project pwd-libsdl2-loadtif-00
    crash name pwd-libsdl2-loadtif-00-00000000-20190418.tif
    Auto-generated by pyspider at 2019-04-19 00:07:03

Comment 1 Sam Lantinga 2019-06-10 22:21:50 UTC

Fixed, thanks!
https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb

We are currently migrating Bugzilla to GitHub issues.Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 4619

We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.