
Bug 4620 - null-pointer-dereference IMG_LoadPCX_RW@IMG_pcx.c:178-24
Summary: null-pointer-dereference IMG_LoadPCX_RW@IMG_pcx.c:178-24
Status: RESOLVED FIXED
Alias: None
Product: SDL_image
Classification: Unclassified
Component: misc
Version: 2.0.4
Hardware: x86_64 Linux
Importance: P2 normal
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
Reported: 2019-05-05 03:00 UTC by pwd
Modified: 2019-06-10 22:26 UTC
CC: none

See Also:


Attachments
poc (240 bytes, application/gzip), 2019-05-05 03:00 UTC, pwd

Description pwd 2019-05-05 03:00:32 UTC
Created attachment 3774: poc

## IMG_LoadPCX_RW@IMG_pcx.c:178-24___SEGV_UNKNOW

### description

    An issue was discovered in libsdl2 2.0.9 with SDL2_image 2.0.4. There is a null-pointer dereference in function IMG_LoadPCX_RW at IMG_pcx.c:178-24.

### commandline

    loadtif @@

### source

```c
 174                         }
 175                     } else
 176                         count = 1;
 177                 }
> 178                 dst[i] = ch;
 179                 count--;
 180             }
 181         }
 182 
 183         if(src_bits <= 4) {
```

```c
// loadtif.c
#include <stdio.h>
#include <SDL.h>
#include <SDL_image.h>

/* __AFL_LOOP is defined only when building with afl-clang-fast; without it,
 * run the body once so the harness still builds and works as a plain loader. */
#ifndef __AFL_LOOP
static int afl_loop_once(void) { static int done = 0; return !done++; }
#define __AFL_LOOP(n) afl_loop_once()
#endif

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <image-file>\n", argv[0]);
        return 1;
    }
    /* Only the TIFF decoder is initialised here (IMG_INIT_JPG / IMG_INIT_PNG
     * are the alternatives). IMG_Load detects the format from the file
     * content, not the extension, which is how a .tif-named input reaches
     * IMG_LoadPCX_RW in the trace below. */
    IMG_Init(IMG_INIT_TIF);
    while (__AFL_LOOP(1000)) {
        SDL_Surface *image = IMG_Load(argv[1]);
        if (image) {
            SDL_FreeSurface(image);
        }
    }
    IMG_Quit();
    return 0;
}
```

### bug report

```txt
ASAN:DEADLYSIGNAL
=================================================================
==13991==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd7bb11fabf bp 0x7ffe60cd2650 sp 0x7ffe60cd23e0 T0)
    #0 0x7fd7bb11fabe in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:178:24
    #1 0x7fd7bb10e9bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    #2 0x7fd7bb10df41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    #3 0x4ea0f0 in main /src/loadtif.c:8:37
    #4 0x7fd7b9c1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4189e8 in _start (/src/aflbuild/installed/bin/loadtif+0x4189e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/SDL2_image-2.0.4/IMG_pcx.c:178:24 in IMG_LoadPCX_RW
==13991==ABORTING
```

### others

    from fuzz project pwd-libsdl2-loadtif-00
    crash name pwd-libsdl2-loadtif-00-00000004-20190419.tif
    Auto-generated by pyspider at 2019-04-19 00:07:04
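The ASAN trace above places the fault at the `dst[i] = ch` store in the PCX RLE decoding loop, with `dst` NULL. The report does not say how `dst` became NULL, so the following is an added example rather than SDL_image's code or its fix: a stand-alone PCX-style RLE scanline decoder that refuses a NULL or empty destination, detects a truncated source, and bounds every write to the line length. The names `pcx_rle_decode_line` and `pcx_rle_demo` and the sample bytes are constructed for this example; the RLE rule itself (a byte below 0xC0 is a literal, a byte at or above 0xC0 is a run marker whose low six bits give the count, followed by the byte to repeat) is the standard PCX scheme.

```c
/* Added example, not SDL_image code: a hardened PCX-style RLE line decoder.
 * Names pcx_rle_decode_line / pcx_rle_demo and all sample data are
 * constructed for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one scanline of `bpl` bytes from `src` (srclen bytes) into `dst`.
 * Returns the number of source bytes consumed, or -1 if the destination is
 * NULL or empty, the source is NULL, the source is truncated, or a run
 * marker carries a zero length. A run that would cross the end of the line
 * is cut at `bpl`, as the loop never writes past dst[bpl - 1]. */
static long pcx_rle_decode_line(const uint8_t *src, size_t srclen,
                                uint8_t *dst, size_t bpl)
{
    size_t pos = 0;      /* read position in src */
    size_t i;
    unsigned count = 0;  /* pixels still owed by the current run */
    uint8_t ch = 0;

    /* The trace on this page is a store through a NULL dst: reject it up
     * front instead of reaching the write. */
    if (dst == NULL || bpl == 0 || src == NULL)
        return -1;

    for (i = 0; i < bpl; i++) {
        if (count == 0) {
            if (pos >= srclen)
                return -1;              /* file truncated mid-line */
            ch = src[pos++];
            if (ch >= 0xC0) {
                count = ch & 0x3F;      /* run length in the low six bits */
                if (count == 0)
                    return -1;          /* 0xC0 marker with no pixels: malformed */
                if (pos >= srclen)
                    return -1;          /* marker without its data byte */
                ch = src[pos++];
            } else {
                count = 1;              /* literal pixel byte */
            }
        }
        dst[i] = ch;
        count--;
    }
    return (long)pos;
}

/* Exercise the decoder on constructed input. Returns 1 if the normal,
 * truncated and NULL-destination cases all behave as intended, else 0. */
static int pcx_rle_demo(void)
{
    /* Constructed sample line: run of 3 x 0x41, literal 0x10, run of 4 x 0xFF
     * -> 8 output bytes from 5 source bytes. */
    static const uint8_t line[] = { 0xC3, 0x41, 0x10, 0xC4, 0xFF };
    static const uint8_t want[8] = { 0x41, 0x41, 0x41, 0x10,
                                     0xFF, 0xFF, 0xFF, 0xFF };
    uint8_t out[8];
    long used;

    used = pcx_rle_decode_line(line, sizeof line, out, sizeof out);
    if (used != (long)sizeof line || memcmp(out, want, sizeof want) != 0)
        return 0;

    /* Truncated source: the last run marker has no data byte. */
    if (pcx_rle_decode_line(line, 4, out, sizeof out) != -1)
        return 0;

    /* NULL destination, the condition behind the SEGV in the trace. */
    if (pcx_rle_decode_line(line, sizeof line, NULL, sizeof out) != -1)
        return 0;

    return 1;
}

int main(void)
{
    int ok = pcx_rle_demo();
    printf("pcx rle checks %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the `dst == NULL || bpl == 0` guard is that a loader computes `dst` from a surface it allocated moments earlier; whatever the allocation path, the decoder should verify the pointer and the line length before the per-pixel loop rather than trust them, because the write at `dst[i]` is exactly where ASAN reports the fault.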
Comment 1 Sam Lantinga 2019-06-10 22:26:56 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb