We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 4625

Summary: invalid free error in function SDL_SetError_REAL
Product: SDL_image Reporter: pwd <teamseri0us360>
Component: miscAssignee: Sam Lantinga <slouken>
Status: RESOLVED FIXED QA Contact: Sam Lantinga <slouken>
Severity: normal    
Priority: P2 CC: hle
Version: 2.0.4   
Hardware: x86_64   
OS: Linux   
Attachments: poc

Description pwd 2019-05-09 06:39:31 UTC 
Created attachment 3777 [details]
poc

# libsdl2

## version

    libsdl2 2.0.9

## others

    please send email to  teamseri0us360@gmail.com if you have any questions.

---------------------

## SDL_SetError_REAL@SDL_error.c:65-18___SEGV_UNKNOW

### description

    An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an invalid free error in function SDL_SetError_REAL at SDL_error.c:65-18

### commandline

    loadjpg  @@ 

### source

```c
  61     if (fmt == NULL) return -1;
  62 
  63     /* Copy in the key, mark error as valid */
  64     error = SDL_GetErrBuf();
>  65     error->error =1;
  66     SDL_strlcpy((char *) error->key, fmt, sizeof(error->key));
  67 
  68     va_start(ap, fmt);
  69     error->argc = 0;
  70     while (*fmt) {

// ./loadjpg_g /work/pwd-libsdl2-loadjpg-00/vuln/vuln/SDL_SetError_REAL\@SDL_error.c\:65-18___SEGV_UNKNOW
// *** Error in `./loadjpg_g': free(): invalid next size (fast): 0x00000000019377b0 ***
// ======= Backtrace: =========
// /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f81fd0757e5]
// /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f81fd07e37a]
// /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f81fd08253c]
// /src/libsdl2/installed-debug/lib/libSDL2-2.0.so.0(+0x5fa1c)[0x7f81fd427a1c]
// /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadPCX_RW+0x638)[0x7f81fd6dd7d8]
// /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadTyped_RW+0x150)[0x7f81fd6d9d00]
// ./loadjpg_g[0x4007e2]
// /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f81fd01e830]
// ./loadjpg_g[0x4006d9]
// ======= Memory map: ========
// 00400000-00401000 r-xp 00000000 00:27 4750                               /src/loadjpg_g
// 00600000-00601000 r--p 00000000 00:27 4750                               /src/loadjpg_g
// 00601000-00602000 rw-p 00001000 00:27 4750                               /src/loadjpg_g
```

### bug report

```txt
ASAN:DEADLYSIGNAL
=================================================================
==8792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4862d2f32f bp 0x7ffd94dc6270 sp 0x7ffd94dc5c20 T0)
    #0 0x7f4862d2f32e in SDL_SetError_REAL /src/libsdl2/src/SDL_error.c:65:18
    #1 0x7f4862d315a1 in SDL_Error_REAL /src/libsdl2/src/SDL_error.c:172:16
    #2 0x7f4862d9d0c2 in stdio_read /src/libsdl2/src/file/SDL_rwops.c:387:9
    #3 0x7f4863301b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17
    #4 0x7f48632f09bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    #5 0x7f48632eff41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    #6 0x4ea140 in main /src/loadjpg.c:8:37
    #7 0x7f4861df682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/SDL_error.c:65:18 in SDL_SetError_REAL
==8792==ABORTING

```

### others

    from fuzz project pwd-libsdl2-loadjpg-00
    crash name pwd-libsdl2-loadjpg-00-00000023-20190419.jpg
    Auto-generated by pyspider at 2019-04-19 03:02:22
Comment 1 Hugo Lefeuvre 2019-05-28 15:00:38 UTC 
This issue was assigned CVE-2019-12219.

I can also confirm that the bug is located in SDL_image.

This issue is very similar to #4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).

Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4621.
Comment 2 Sam Lantinga 2019-06-10 23:22:35 UTC 
This is fixed, thanks!