We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
These attachments are available in the static archive:
Reported in version: 2.0.4 Reported for operating system, platform: Linux, x86_64
On 2019-05-09 06:39:31 +0000, pwd wrote:
Created attachment 3777 poc libsdl2 version libsdl2 2.0.9 others please send email to teamseri0us360@gmail.com if you have any questions. SDL_SetError_REAL @ SDL_error.c:65-18___SEGV_UNKNOW description An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an invalid free error in function SDL_SetError_REAL at SDL_error.c:65-18 commandline loadjpg @@ source 61 if (fmt == NULL) return -1; 62 63 /* Copy in the key, mark error as valid */ 64 error = SDL_GetErrBuf(); > 65 error->error =1; 66 SDL_strlcpy((char *) error->key, fmt, sizeof(error->key)); 67 68 va_start(ap, fmt); 69 error->argc = 0; 70 while (*fmt) { // ./loadjpg_g /work/pwd-libsdl2-loadjpg-00/vuln/vuln/SDL_SetError_REAL\@SDL_error.c\:65-18___SEGV_UNKNOW // *** Error in `./loadjpg_g': free(): invalid next size (fast): 0x00000000019377b0 *** // ======= Backtrace: ========= // /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f81fd0757e5] // /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f81fd07e37a] // /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f81fd08253c] // /src/libsdl2/installed-debug/lib/libSDL2-2.0.so.0(+0x5fa1c)[0x7f81fd427a1c] // /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadPCX_RW+0x638)[0x7f81fd6dd7d8] // /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadTyped_RW+0x150)[0x7f81fd6d9d00] // ./loadjpg_g[0x4007e2] // /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f81fd01e830] // ./loadjpg_g[0x4006d9] // ======= Memory map: ======== // 00400000-00401000 r-xp 00000000 00:27 4750 /src/loadjpg_g // 00600000-00601000 r--p 00000000 00:27 4750 /src/loadjpg_g // 00601000-00602000 rw-p 00001000 00:27 4750 /src/loadjpg_g bug report ASAN:DEADLYSIGNAL ================================================================= ==8792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4862d2f32f bp 0x7ffd94dc6270 sp 0x7ffd94dc5c20 T0) # 0 0x7f4862d2f32e in SDL_SetError_REAL /src/libsdl2/src/SDL_error.c:65:18 # 1 0x7f4862d315a1 in SDL_Error_REAL /src/libsdl2/src/SDL_error.c:172:16 # 2 0x7f4862d9d0c2 in stdio_read /src/libsdl2/src/file/SDL_rwops.c:387:9 # 3 0x7f4863301b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17 # 4 0x7f48632f09bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17 # 5 0x7f48632eff41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12 # 6 0x4ea140 in main /src/loadjpg.c:8:37 # 7 0x7f4861df682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) # 8 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/SDL_error.c:65:18 in SDL_SetError_REAL ==8792==ABORTING others from fuzz project pwd-libsdl2-loadjpg-00 crash name pwd-libsdl2-loadjpg-00-00000023-20190419.jpg Auto-generated by pyspider at 2019-04-19 03:02:22
Created attachment 3777 poc
libsdl2 2.0.9
please send email to teamseri0us360@gmail.com if you have any questions.
An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an invalid free error in function SDL_SetError_REAL at SDL_error.c:65-18
loadjpg @@
61 if (fmt == NULL) return -1; 62 63 /* Copy in the key, mark error as valid */ 64 error = SDL_GetErrBuf(); > 65 error->error =1; 66 SDL_strlcpy((char *) error->key, fmt, sizeof(error->key)); 67 68 va_start(ap, fmt); 69 error->argc = 0; 70 while (*fmt) { // ./loadjpg_g /work/pwd-libsdl2-loadjpg-00/vuln/vuln/SDL_SetError_REAL\@SDL_error.c\:65-18___SEGV_UNKNOW // *** Error in `./loadjpg_g': free(): invalid next size (fast): 0x00000000019377b0 *** // ======= Backtrace: ========= // /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f81fd0757e5] // /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f81fd07e37a] // /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f81fd08253c] // /src/libsdl2/installed-debug/lib/libSDL2-2.0.so.0(+0x5fa1c)[0x7f81fd427a1c] // /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadPCX_RW+0x638)[0x7f81fd6dd7d8] // /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadTyped_RW+0x150)[0x7f81fd6d9d00] // ./loadjpg_g[0x4007e2] // /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f81fd01e830] // ./loadjpg_g[0x4006d9] // ======= Memory map: ======== // 00400000-00401000 r-xp 00000000 00:27 4750 /src/loadjpg_g // 00600000-00601000 r--p 00000000 00:27 4750 /src/loadjpg_g // 00601000-00602000 rw-p 00001000 00:27 4750 /src/loadjpg_g
ASAN:DEADLYSIGNAL ================================================================= ==8792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4862d2f32f bp 0x7ffd94dc6270 sp 0x7ffd94dc5c20 T0) # 0 0x7f4862d2f32e in SDL_SetError_REAL /src/libsdl2/src/SDL_error.c:65:18 # 1 0x7f4862d315a1 in SDL_Error_REAL /src/libsdl2/src/SDL_error.c:172:16 # 2 0x7f4862d9d0c2 in stdio_read /src/libsdl2/src/file/SDL_rwops.c:387:9 # 3 0x7f4863301b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17 # 4 0x7f48632f09bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17 # 5 0x7f48632eff41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12 # 6 0x4ea140 in main /src/loadjpg.c:8:37 # 7 0x7f4861df682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) # 8 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/SDL_error.c:65:18 in SDL_SetError_REAL ==8792==ABORTING
from fuzz project pwd-libsdl2-loadjpg-00 crash name pwd-libsdl2-loadjpg-00-00000023-20190419.jpg Auto-generated by pyspider at 2019-04-19 03:02:22
On 2019-05-28 15:00:38 +0000, Hugo Lefeuvre wrote:
This issue was assigned CVE-2019-12219. I can also confirm that the bug is located in SDL_image. This issue is very similar to # 4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value). Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4621.
This issue was assigned CVE-2019-12219.
I can also confirm that the bug is located in SDL_image.
This issue is very similar to # 4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).
Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4621.
On 2019-06-10 23:22:35 +0000, Sam Lantinga wrote:
This is fixed, thanks!
The text was updated successfully, but these errors were encountered:
No branches or pull requests
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-05-09 06:39:31 +0000, pwd wrote:
On 2019-05-28 15:00:38 +0000, Hugo Lefeuvre wrote:
On 2019-06-10 23:22:35 +0000, Sam Lantinga wrote:
The text was updated successfully, but these errors were encountered: