We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
These attachments are available in the static archive:
Reported in version: 2.0.4 Reported for operating system, platform: Linux, x86_64
On 2019-05-09 06:46:23 +0000, pwd wrote:
Created attachment 3779 poc libsdl2 version libsdl2 2.0.9 others please send email to teamseri0us360@gmail.com if you have any questions. SDL_FreePalette_REAL@SDL_pixels.c:731-9___SEGV_UNKNOW description An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an out-of-bounds read in function SDL_FreePalette_REAL at SDL_pixels.c:731-9 commandline loadjpg @@ source 727 if (!palette) { 728 SDL_InvalidParamError("palette"); 729 return; 730 } > 731 if (--palette->refcount > 0) { 732 return; 733 } 734 SDL_free(palette->colors); 735 SDL_free(palette); 736 } // Breakpoint 2, SDL_FreePalette_REAL (palette=0x60300000efe0) at /src/libsdl2/src/video/SDL_pixels.c:731 // 731 if (--palette->refcount > 0) { // (gdb) p palette // $4 = (SDL_Palette *) 0x60300000efe0 // (gdb) c // Continuing. // Breakpoint 2, SDL_FreePalette_REAL (palette=0xe7f301010004ff0b) at /src/libsdl2/src/video/SDL_pixels.c:731 // 731 if (--palette->refcount > 0) { // (gdb) p palette // $5 = (SDL_Palette *) 0xe7f301010004ff0b // (gdb) bug report ASAN:DEADLYSIGNAL ================================================================= ==3914==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f61229a1ea0 bp 0x0c0c00001df9 sp 0x7fffa5db4690 T0) # 0 0x7f61229a1e9f in SDL_FreePalette_REAL /src/libsdl2/src/video/SDL_pixels.c:731:9 # 1 0x7f61229a1e9f in SDL_SetPixelFormatPalette_REAL /src/libsdl2/src/video/SDL_pixels.c:685 # 2 0x7f61229b3f96 in SDL_SetSurfacePalette_REAL /src/libsdl2/src/video/SDL_surface.c:221:9 # 3 0x7f61229b3f96 in SDL_FreeSurface_REAL /src/libsdl2/src/video/SDL_surface.c:1233 # 4 0x7f6122d070b1 in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:252:13 # 5 0x7f6122cf49bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17 # 6 0x7f6122cf3f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12 # 7 0x4ea140 in main /src/loadjpg.c:8:37 # 8 0x7f61217fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) # 9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/video/SDL_pixels.c:731:9 in SDL_FreePalette_REAL ==3914==ABORTING others from fuzz project pwd-libsdl2-loadjpg-00 crash name pwd-libsdl2-loadjpg-00-00000001-20190418.jpg Auto-generated by pyspider at 2019-04-18 06:32:03
Created attachment 3779 poc
libsdl2 2.0.9
please send email to teamseri0us360@gmail.com if you have any questions.
An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an out-of-bounds read in function SDL_FreePalette_REAL at SDL_pixels.c:731-9
loadjpg @@
727 if (!palette) { 728 SDL_InvalidParamError("palette"); 729 return; 730 } > 731 if (--palette->refcount > 0) { 732 return; 733 } 734 SDL_free(palette->colors); 735 SDL_free(palette); 736 } // Breakpoint 2, SDL_FreePalette_REAL (palette=0x60300000efe0) at /src/libsdl2/src/video/SDL_pixels.c:731 // 731 if (--palette->refcount > 0) { // (gdb) p palette // $4 = (SDL_Palette *) 0x60300000efe0 // (gdb) c // Continuing. // Breakpoint 2, SDL_FreePalette_REAL (palette=0xe7f301010004ff0b) at /src/libsdl2/src/video/SDL_pixels.c:731 // 731 if (--palette->refcount > 0) { // (gdb) p palette // $5 = (SDL_Palette *) 0xe7f301010004ff0b // (gdb)
ASAN:DEADLYSIGNAL ================================================================= ==3914==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f61229a1ea0 bp 0x0c0c00001df9 sp 0x7fffa5db4690 T0) # 0 0x7f61229a1e9f in SDL_FreePalette_REAL /src/libsdl2/src/video/SDL_pixels.c:731:9 # 1 0x7f61229a1e9f in SDL_SetPixelFormatPalette_REAL /src/libsdl2/src/video/SDL_pixels.c:685 # 2 0x7f61229b3f96 in SDL_SetSurfacePalette_REAL /src/libsdl2/src/video/SDL_surface.c:221:9 # 3 0x7f61229b3f96 in SDL_FreeSurface_REAL /src/libsdl2/src/video/SDL_surface.c:1233 # 4 0x7f6122d070b1 in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:252:13 # 5 0x7f6122cf49bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17 # 6 0x7f6122cf3f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12 # 7 0x4ea140 in main /src/loadjpg.c:8:37 # 8 0x7f61217fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) # 9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/video/SDL_pixels.c:731:9 in SDL_FreePalette_REAL ==3914==ABORTING
from fuzz project pwd-libsdl2-loadjpg-00 crash name pwd-libsdl2-loadjpg-00-00000001-20190418.jpg Auto-generated by pyspider at 2019-04-18 06:32:03
On 2019-05-28 14:52:21 +0000, Hugo Lefeuvre wrote:
This issue was assigned CVE-2019-12220. I confirm that the bug is located in SDL_image. This issue is very similar to # 4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).
This issue was assigned CVE-2019-12220.
I confirm that the bug is located in SDL_image.
This issue is very similar to # 4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).
On 2019-05-28 14:52:54 +0000, Hugo Lefeuvre wrote:
(see https://bugzilla.libsdl.org/show_bug.cgi?id=4621)
On 2019-06-10 23:21:42 +0000, Sam Lantinga wrote:
This is fixed, thanks!
The text was updated successfully, but these errors were encountered:
No branches or pull requests
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-05-09 06:46:23 +0000, pwd wrote:
On 2019-05-28 14:52:21 +0000, Hugo Lefeuvre wrote:
On 2019-05-28 14:52:54 +0000, Hugo Lefeuvre wrote:
On 2019-06-10 23:21:42 +0000, Sam Lantinga wrote:
The text was updated successfully, but these errors were encountered: