
Bug 3881 - Fuzzing crashes for SDL_LoadBMP
Summary: Fuzzing crashes for SDL_LoadBMP
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: video
Version: HG 2.0
Hardware: x86 Other
Priority: P2
Severity: normal
Assignee: Ryan C. Gordon
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
Reported: 2017-10-14 15:06 UTC by Ryan C. Gordon
Modified: 2018-01-29 19:19 UTC

See Also:


Attachments
Archive of test cases. (119.37 KB, application/zip)
2017-10-14 15:06 UTC, Ryan C. Gordon
Test program to reproduce crashes. (435 bytes, text/plain)
2017-10-14 15:09 UTC, Ryan C. Gordon

Description Ryan C. Gordon 2017-10-14 15:06:45 UTC
Created attachment 2984
Archive of test cases.

Here's a zipfile of data that crashes SDL_LoadBMP. These are likely not valid bitmap files, but carefully crafted binary data that convinces SDL_LoadBMP to overflow buffers, etc., instead of merely returning an error.

This data was generated by American Fuzzy Lop (AFL), a fuzzer that makes finding this sort of bug pretty easy.

http://lcamtuf.coredump.cx/afl/

--ryan.
Comment 1 Ryan C. Gordon 2017-10-14 15:09:30 UTC
Created attachment 2985
Test program to reproduce crashes.


Here's the test program AFL was using. You could just run it like:

for f in SDL-loadbmp-fuzzing-crashes/* ; do ./testbmp $f ; done

To see every crash.

Easy to compile: gcc -g -o testbmp testbmp.c `sdl2-config --cflags --libs`
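The attached testbmp.c and the crashing inputs are not reproduced on this page, and the report does not say which header fields the crafted files abused beyond "overflow buffers, etc." The following is an added example, not SDL's code and not the attached harness, of the kind of up-front header validation a BMP loader needs so that a fuzzer-generated file produces an error return rather than a crash. It checks every BITMAPFILEHEADER/BITMAPINFOHEADER field that later code would use to index or allocate against the real buffer length, and does the pitch arithmetic in 64 bits so that width * bpp cannot wrap. The BMP_MAX_DIM cap, the set of accepted header sizes and compression values, and all of the sample inputs built by check_case are assumptions made for this example, not SDL behaviour or files from the bug's attachment.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED,    /* buffer ends before the headers do */
    BMP_ERR_MAGIC,        /* missing "BM" signature */
    BMP_ERR_HEADER_SIZE,  /* biSize is not a known DIB header size */
    BMP_ERR_COMPRESSION,  /* only BI_RGB (0) and BI_BITFIELDS (3) handled here */
    BMP_ERR_DIMENSIONS,   /* non-positive width, zero height, or above the cap */
    BMP_ERR_BPP,          /* bit depth not in {1,4,8,16,24,32} */
    BMP_ERR_PIXELS_OOB    /* bfOffBits + pitch*height does not fit in the buffer */
} bmp_status;

/* Assumed policy for this example, not an SDL limit: cap each axis so a
 * header cannot demand an absurd allocation. */
#define BMP_MAX_DIM 65536u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Validate a BMP held entirely in memory. Every header field that later code
 * would use to index or allocate is checked against the buffer length before
 * it is trusted, so a crafted file yields an error code, not a crash. */
bmp_status bmp_check(const uint8_t *buf, size_t len)
{
    if (len < 14 + 40) return BMP_ERR_TRUNCATED;           /* file header + BITMAPINFOHEADER */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;

    uint32_t off_bits = rd32(buf + 10);
    uint32_t bi_size  = rd32(buf + 14);
    if (bi_size != 40 && bi_size != 52 && bi_size != 56 &&
        bi_size != 108 && bi_size != 124) return BMP_ERR_HEADER_SIZE;
    if ((uint64_t)14 + bi_size > len) return BMP_ERR_TRUNCATED;

    int32_t  width  = (int32_t)rd32(buf + 18);
    int32_t  height = (int32_t)rd32(buf + 22);   /* negative = top-down rows */
    uint16_t bpp    = rd16(buf + 28);
    uint32_t comp   = rd32(buf + 30);

    if (comp != 0 && comp != 3) return BMP_ERR_COMPRESSION;
    if (width <= 0 || height == 0) return BMP_ERR_DIMENSIONS;
    /* Take the magnitude in 64 bits so INT32_MIN cannot wrap back to negative. */
    int64_t abs_h = height < 0 ? -(int64_t)height : (int64_t)height;
    if ((uint32_t)width > BMP_MAX_DIM || abs_h > BMP_MAX_DIM) return BMP_ERR_DIMENSIONS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_ERR_BPP;

    /* Row pitch in 64-bit arithmetic. A naive 32-bit width*bpp/8 is exactly
     * the multiplication a fuzzer learns to overflow into a tiny pitch. */
    uint64_t pitch     = (((uint64_t)width * bpp + 7) / 8 + 3) & ~(uint64_t)3;
    uint64_t pixel_end = (uint64_t)off_bits + pitch * (uint64_t)abs_h;

    /* Pixel array must start after the headers and end inside the buffer. */
    if (off_bits < 14 + bi_size || pixel_end > len) return BMP_ERR_PIXELS_OOB;
    return BMP_OK;
}

/* Constructed input, not a file from the bug's attachment: a 54-byte header
 * with the given geometry followed by body_len zero bytes. Returns the verdict
 * for the first use_len bytes (0 = the whole buffer), so callers can simulate
 * both malformed headers and files cut short. */
bmp_status check_case(int32_t width, int32_t height, uint16_t bpp,
                      uint32_t off_bits, size_t body_len, size_t use_len)
{
    uint8_t buf[256];
    size_t total = 54 + body_len;
    if (total > sizeof buf) return BMP_ERR_TRUNCATED;
    memset(buf, 0, total);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total);
    wr32(buf + 10, off_bits);
    wr32(buf + 14, 40);                  /* BITMAPINFOHEADER */
    wr32(buf + 18, (uint32_t)width);
    wr32(buf + 22, (uint32_t)height);
    wr16(buf + 26, 1);                   /* planes */
    wr16(buf + 28, bpp);
    wr32(buf + 30, 0);                   /* BI_RGB */
    return bmp_check(buf, use_len ? use_len : total);
}

int main(void)
{
    /* 2x2 at 24 bpp needs two 8-byte rows (6 data bytes + 2 padding each). */
    printf("valid 2x2:          %d\n", check_case(2, 2, 24, 54, 16, 0));          /* 0 */
    printf("one row missing:    %d\n", check_case(2, 2, 24, 54, 8, 0));           /* 7 */
    printf("width 0x7fffffff:   %d\n", check_case(0x7fffffff, 1, 32, 54, 16, 0)); /* 5 */
    printf("bfOffBits past EOF: %d\n", check_case(2, 2, 24, 0xfffffff0u, 16, 0)); /* 7 */
    printf("only 20 bytes:      %d\n", check_case(2, 2, 24, 54, 16, 20));         /* 1 */
    return 0;
}
```

The point of the check is the order: nothing derived from the header (pitch, row count, pixel offset) is used until it has been compared with the length of data actually read, and the comparisons are done in a type wide enough that the header cannot make them wrap. A loader written this way turns each of the crafted inputs above into a distinct error code, which is what a fuzzer-driven harness such as the one attached to this bug should see instead of a signal.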
Comment 2 Ryan C. Gordon 2018-01-28 05:22:00 UTC
Literally every one of these crashes was fixed by https://hg.libsdl.org/SDL/rev/81a4950907a0, heh

--ryan.
Comment 3 Sam Lantinga 2018-01-29 19:19:57 UTC
Awesome!