
Heap-Buffer Overflow in SDL_GetRGB pertaining to SDL_pixels.c #3161

Closed
SDLBugzilla opened this issue Feb 11, 2021 · 0 comments

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

Reported in version: HG 2.1
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-02-07 23:16:54 +0000, Radue wrote:

A heap-buffer overflow vulnerability was discovered in SDL-1.2.15 library.

Asan report:

=================================================================
==22885==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200006b7c8 at pc 0x7ff12191f442 bp 0x7ffc642d4e90 sp 0x7ffc642d4e88
READ of size 1 at 0x60200006b7c8 thread T0
#0 0x7ff12191f441 in SDL_GetRGB /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_pixels.c:416:8
#1 0x7ff12192d2fa in SDL_ConvertSurface /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_surface.c:877:4
#2 0x7ff121932a40 in SDL_DisplayFormat /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_video.c:946:9
#3 0x4dba11 in LoadSprite /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite.c:41:9
#4 0x4dbc8f in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite.c:98:7
#5 0x7ff12060682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x435528 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x435528)

0x60200006b7c8 is located 8 bytes to the left of 16-byte region [0x60200006b7d0,0x60200006b7e0)
freed by thread T0 here:
#0 0x4bc212 in __interceptor_free (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x4bc212)
#1 0x7ff1203c8dc7 (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xadc7)

previously allocated by thread T0 here:
#0 0x4bc4f2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/testsprite+0x4bc4f2)
#1 0x7ff1203ca2aa (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc2aa)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/video/SDL_pixels.c:416 SDL_GetRGB
Shadow bytes around the buggy address:
0x0c04800056a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800056b0: fa fa 00 00 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c04800056c0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c04800056d0: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800056e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c04800056f0: fa fa fd fd fa fa fd fd fa[fa]fd fd fa fa fd fd
0x0c0480005700: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480005710: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480005720: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480005730: fa fa fd fd fa fa 00 fa fa fa 00 00 fa fa fd fd
0x0c0480005740: fa fa fd fd fa fa fd fd fa fa 07 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22885==ABORTING

On 2019-02-08 08:38:46 +0000, Radue wrote:

Created attachment 3605
PoC

On 2019-02-08 08:39:29 +0000, Radue wrote:

PoC: See attachment

Reproducing steps:

  1. Download SDL-1.2.15 library
  2. ./configure with Asan enabled
  3. ./make
  4. sudo make install
  5. cd examples
  6. ./configure with Asan enabled
  7. make
  8. ./testsprite PoC

On 2019-02-10 14:57:33 +0000, Radue wrote:

Assigned CVE-2019-7636 by MITRE.

On 2019-02-18 13:49:32 +0000, Petr Pisar wrote:

This PoC BMP image has an invalid number of colors (biClrUsed=3, biBitCount=0). In my case this results in an invalid write when parsing the BMP file:

==7124== Invalid write of size 1
==7124== at 0x483F7B3: memmove (vg_replace_strmem.c:1271)
==7124== by 0x4AE06EA: _IO_file_xsgetn (in /usr/lib64/libc-2.29.so)
==7124== by 0x4AD4FE6: fread (in /usr/lib64/libc-2.29.so)
==7124== by 0x4859F70: stdio_read (SDL_rwops.c:336)
==7124== by 0x487EAF1: SDL_LoadBMP_RW (SDL_bmp.c:246)
==7124== by 0x401359: LoadSprite (testsprite.c:36)
==7124== by 0x401B25: main (testsprite.c:224)

In the case of the original report, the SDL_GetRGB() function reads from the
fmt->palette->colors[] array, which is badly allocated because of the invalid number of colors.

A fix for this issue is covered by the patch for bug #4500.
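The failure mode Petr Pisar describes above, as an added illustration that is not SDL's code and not the patch for bug 4500: a header-only BMP reader that sizes the colour palette first the naive way (trusting biClrUsed) and then with the bounds checks a loader needs before any pixel index is used to address colors[]. The header bytes are constructed inline with the PoC's reported field values (biClrUsed=3, biBitCount=0), not taken from the attachment; palette_index_ok stands in for the colors[index] access that SDL_GetRGB performs, and every name in the block (make_hdr, parse_hdr, palette_entries_checked, palette_for, ...) is this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the two BITMAPINFOHEADER fields named in the thread are modelled. */
struct bmp_hdr {
    uint16_t biBitCount;
    uint32_t biClrUsed;
};

#define BMP_HDR_LEN 54  /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */

static void wr_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed input: a minimal 2x2 header carrying the given depth and colour
 * count. This is a hypothetical stand-in for the PoC, not the attachment. */
static void make_hdr(uint16_t bitcount, uint32_t clrused, uint8_t out[BMP_HDR_LEN])
{
    memset(out, 0, BMP_HDR_LEN);
    out[0] = 'B'; out[1] = 'M';
    wr_le32(out + 10, BMP_HDR_LEN + clrused * 4);  /* bfOffBits: pixel data offset */
    wr_le32(out + 14, 40);                         /* biSize: BITMAPINFOHEADER */
    wr_le32(out + 18, 2);                          /* biWidth */
    wr_le32(out + 22, 2);                          /* biHeight */
    wr_le16(out + 26, 1);                          /* biPlanes */
    wr_le16(out + 28, bitcount);                   /* biBitCount */
    wr_le32(out + 46, clrused);                    /* biClrUsed */
}

/* Extract the two fields; rejects anything that is not a 40-byte info header. */
static int parse_hdr(const uint8_t *buf, size_t len, struct bmp_hdr *h)
{
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    if (rd_le32(buf + 14) != 40) return -1;
    h->biBitCount = rd_le16(buf + 28);
    h->biClrUsed  = rd_le32(buf + 46);
    return 0;
}

/* Naive sizing: trust biClrUsed, fall back to 2^biBitCount. For the PoC values
 * this yields a 3-entry palette while nothing bounds the pixel indices that
 * will later be used to address it (and the shift is unchecked for large depths). */
static long palette_entries_unchecked(const struct bmp_hdr *h)
{
    return h->biClrUsed ? (long)h->biClrUsed : 1L << h->biBitCount;
}

/* Hardened sizing: only 1/4/8 bpp images carry a palette, and biClrUsed may
 * not exceed the 2^biBitCount values a pixel can encode. Returns -1 to reject. */
static long palette_entries_checked(const struct bmp_hdr *h)
{
    if (h->biBitCount != 1 && h->biBitCount != 4 && h->biBitCount != 8) return -1;
    long max = 1L << h->biBitCount;
    if (h->biClrUsed > (uint32_t)max) return -1;
    return h->biClrUsed ? (long)h->biClrUsed : max;
}

/* The check a palette lookup needs before touching colors[index]. */
static int palette_index_ok(long entries, unsigned index)
{
    return entries > 0 && index < (unsigned long)entries;
}

/* Build, parse and size a header in one step; -2 means the header itself was rejected. */
static long palette_for(uint16_t bitcount, uint32_t clrused, int checked)
{
    uint8_t buf[BMP_HDR_LEN];
    struct bmp_hdr h;
    make_hdr(bitcount, clrused, buf);
    if (parse_hdr(buf, sizeof buf, &h) != 0) return -2;
    return checked ? palette_entries_checked(&h) : palette_entries_unchecked(&h);
}

int main(void)
{
    long n_unchecked = palette_for(0, 3, 0);
    long n_checked   = palette_for(0, 3, 1);
    printf("biBitCount=0 biClrUsed=3 -> unchecked palette: %ld entries, checked: %ld\n",
           n_unchecked, n_checked);
    /* A pixel value of 200 read from the file would index far past a 3-entry palette. */
    printf("index 200 allowed? unchecked: %d, checked: %d\n",
           palette_index_ok(n_unchecked, 200), palette_index_ok(n_checked, 200));
    return 0;
}
```

The point of the two sizing functions is that the palette allocation and the later colors[] reads are decided by different fields: biClrUsed sets the allocation, while biBitCount sets how large a pixel index can get. A loader has to tie them together at header-parse time (depth must be one that actually has a palette, and biClrUsed must not exceed 1 << biBitCount), because SDL_GetRGB is called long after the file is closed and has no way to recover the header's intent.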

On 2019-02-18 15:53:08 +0000, Sam Lantinga wrote:

Fixed, thanks!
https://hg.libsdl.org/SDL/rev/19d8c3b9c251
https://hg.libsdl.org/SDL/rev/07c39cbbeacf
