Heap Buffer Overflow on SDL_FillRect pertaining to SDL_video #786

Closed
SDLBugzilla opened this issue Feb 10, 2021 · 0 comments
Comments

@SDLBugzilla
Collaborator

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

Reported in version: HG 1.2
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-02-07 13:46:27 +0000, Radue wrote:

PoC

A heap buffer overflow vulnerability was discovered in SDL-1.2.15 library.

Asan output:

=================================================================
==25760==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f02111c5080 at pc 0x7f0216173b6a bp 0x7ffe2d19de10 sp 0x7ffe2d19de08
WRITE of size 4 at 0x7f02111c5080 thread T0
#0 0x7f0216173b69 in SDL_FillRect /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:610:5
#1 0x7f0216178d3d in SDL_ClearSurface /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:507:2
#2 0x7f0216178d3d in SDL_SetVideoMode /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:729
#3 0x4dcf68 in CreateScreen /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin.c:112:11
#4 0x4dd9d5 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin.c:192:11
#5 0x7f0214e4e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x435588 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin+0x435588)

0x7f02111c5080 is located 0 bytes to the right of 31455360-byte region [0x7f020f3c5800,0x7f02111c5080)
allocated by thread T0 here:
#0 0x4bc552 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/graywin+0x4bc552)
#1 0x7f02161ada7c in X11_SetupImage /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/x11/SDL_x11image.c:105:20

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:610 SDL_FillRect
==25760==ABORTING

Reproducing steps:

  1. Download SDL-1.2.15 library
  2. ./configure with Asan enabled
  3. ./make
  4. sudo make install
  5. cd examples
  6. ./configure with Asan enabled
  7. make
  8. cd test
  9. ./graywin -width 21312312313123213213213

On 2019-02-10 14:58:42 +0000, Radue wrote:

Assigned CVE-2019-7637 by MITRE.

On 2019-02-18 11:13:55 +0000, Petr Pisar wrote:

The width value from the "./graywin -width 21312312313123213213213" command is misinterpreted (atoi()) as -1 and then passed as a Uint16 argument to the CreateScreen() function. From then on the width has the value 65535 and travels to SDL_CalculatePitch(), where the width (65535) is multiplied by BytesPerPixel (4) and the result is stored into the Uint16 pitch. This is the root cause, because the pitch is clamped to 65532. As a result an SDL_Surface with a pitch smaller than width * BytesPerPixel is created, a too-small pixel buffer is allocated, and when the SDL_Surface is processed in SDL_FillRect a buffer overflow occurs.
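
The integer-truncation chain in the analysis above, as an added example (not SDL's code, not the reporter's, and not the committed fix): the 16-bit pitch arithmetic is modelled with uint16_t, the hardened checked_pitch() and the strtol-based parse_width() are assumed alternatives to show where a range check would have stopped the 65535 * 4 = 65532 mismatch and the atoi() misparse.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* SDL 1.2.15 keeps width and pitch in Uint16 fields (modelled here as uint16_t).
 * width * BytesPerPixel is therefore truncated mod 2^16: 65535 * 4 becomes 65532. */
uint16_t legacy_pitch(uint16_t width, uint8_t bytes_per_pixel)
{
    return (uint16_t)(width * bytes_per_pixel); /* silent truncation */
}

/* Bytes by which one full row (width * BytesPerPixel) exceeds the truncated
 * pitch; nonzero means a row fill writes past a buffer sized from the pitch. */
uint32_t row_overshoot(uint16_t width, uint8_t bytes_per_pixel)
{
    uint32_t needed = (uint32_t)width * bytes_per_pixel;
    return needed - legacy_pitch(width, bytes_per_pixel);
}

/* Hardened pitch calculation (assumed, not SDL's fix): compute in a wide type
 * and refuse any pitch that would not fit the 16-bit field. */
bool checked_pitch(uint16_t width, uint8_t bytes_per_pixel, uint16_t *pitch_out)
{
    uint32_t pitch = (uint32_t)width * bytes_per_pixel;
    if (pitch > UINT16_MAX)
        return false;
    *pitch_out = (uint16_t)pitch;
    return true;
}

/* Parse a -width argument with strtol instead of atoi: reject out-of-range
 * input (ERANGE), trailing junk, zero or negative values, and anything above
 * UINT16_MAX. atoi() reports no errors, which is how the huge value became -1. */
bool parse_width(const char *s, uint16_t *width_out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0' || v < 1 || v > UINT16_MAX)
        return false;
    *width_out = (uint16_t)v;
    return true;
}
```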

On 2019-02-18 13:19:39 +0000, Petr Pisar wrote:

Created attachment 3630
Fix

On 2019-03-17 02:17:42 +0000, Sam Lantinga wrote:

Fixed, thanks!
https://hg.libsdl.org/SDL/rev/9b0e5c555c0f

On 2019-06-27 23:11:34 +0000, Anselmo L. S. Melo wrote:

According to the description of CVE-2019-7637, this issue also affects SDL2 <= 2.0.9. Is that accurate?

On 2019-07-01 06:41:52 +0000, Sam Lantinga wrote:

No, SDL 2.0 is not vulnerable, this was fixed here:
https://hg.libsdl.org/SDL/rev/81a4950907a0

On 2019-08-01 21:36:39 +0000, Ozkan Sezer wrote:

(In reply to Sam Lantinga from comment #4)

Fixed, thanks!
https://hg.libsdl.org/SDL/rev/9b0e5c555c0f

This patch contained copy+paste mistakes which resulted in
Windows versions failing to set the video mode. Fixed now:
https://hg.libsdl.org/SDL/rev/32075e9e2135
