This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

• poc (poc.tar.gz, application/gzip, 2019-05-09 06:39:31 +0000, 761 bytes)

Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-05-09 06:39:31 +0000, pwd wrote:

Created attachment 3777
poc

libsdl2

version

libsdl2 2.0.9

others

please send email to  teamseri0us360@gmail.com if you have any questions.

---

SDL_SetError_REAL @ SDL_error.c:65-18___SEGV_UNKNOW

description

An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an invalid free error in function SDL_SetError_REAL at SDL_error.c:65-18

commandline

loadjpg  @@ 

source

  61     if (fmt == NULL) return -1;
  62 
  63     /* Copy in the key, mark error as valid */
  64     error = SDL_GetErrBuf();
>  65     error->error =1;
  66     SDL_strlcpy((char *) error->key, fmt, sizeof(error->key));
  67 
  68     va_start(ap, fmt);
  69     error->argc = 0;
  70     while (*fmt) {

// ./loadjpg_g /work/pwd-libsdl2-loadjpg-00/vuln/vuln/SDL_SetError_REAL\@SDL_error.c\:65-18___SEGV_UNKNOW
// *** Error in `./loadjpg_g': free(): invalid next size (fast): 0x00000000019377b0 ***
// ======= Backtrace: =========
// /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f81fd0757e5]
// /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f81fd07e37a]
// /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f81fd08253c]
// /src/libsdl2/installed-debug/lib/libSDL2-2.0.so.0(+0x5fa1c)[0x7f81fd427a1c]
// /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadPCX_RW+0x638)[0x7f81fd6dd7d8]
// /src/SDL2_image-2.0.4/installed-debug/lib/libSDL2_image-2.0.so.0(IMG_LoadTyped_RW+0x150)[0x7f81fd6d9d00]
// ./loadjpg_g[0x4007e2]
// /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f81fd01e830]
// ./loadjpg_g[0x4006d9]
// ======= Memory map: ========
// 00400000-00401000 r-xp 00000000 00:27 4750                               /src/loadjpg_g
// 00600000-00601000 r--p 00000000 00:27 4750                               /src/loadjpg_g
// 00601000-00602000 rw-p 00001000 00:27 4750                               /src/loadjpg_g

bug report

ASAN:DEADLYSIGNAL
=================================================================
==8792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4862d2f32f bp 0x7ffd94dc6270 sp 0x7ffd94dc5c20 T0)
    # 0 0x7f4862d2f32e in SDL_SetError_REAL /src/libsdl2/src/SDL_error.c:65:18
    # 1 0x7f4862d315a1 in SDL_Error_REAL /src/libsdl2/src/SDL_error.c:172:16
    # 2 0x7f4862d9d0c2 in stdio_read /src/libsdl2/src/file/SDL_rwops.c:387:9
    # 3 0x7f4863301b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17
    # 4 0x7f48632f09bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    # 5 0x7f48632eff41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    # 6 0x4ea140 in main /src/loadjpg.c:8:37
    # 7 0x7f4861df682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    # 8 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/SDL_error.c:65:18 in SDL_SetError_REAL
==8792==ABORTING

others

from fuzz project pwd-libsdl2-loadjpg-00
crash name pwd-libsdl2-loadjpg-00-00000023-20190419.jpg
Auto-generated by pyspider at 2019-04-19 03:02:22

On 2019-05-28 15:00:38 +0000, Hugo Lefeuvre wrote:

This issue was assigned CVE-2019-12219.

I can also confirm that the bug is located in SDL_image.

This issue is very similar to # 4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).

Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4621.

On 2019-06-10 23:22:35 +0000, Sam Lantinga wrote:

This is fixed, thanks!