Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

an out-of-bounds read in function SDL_FreePalette_REAL at SDL_pixels.c:731-9 #153

Closed
SDLBugzilla opened this issue Feb 11, 2021 · 0 comments

Comments

@SDLBugzilla
Copy link
Collaborator

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

Reported in version: 2.0.4
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-05-09 06:46:23 +0000, pwd wrote:

Created attachment 3779
poc

libsdl2

version

libsdl2 2.0.9

others

please send email to  teamseri0us360@gmail.com if you have any questions.

SDL_FreePalette_REAL@SDL_pixels.c:731-9___SEGV_UNKNOW

description

An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is an out-of-bounds read in function SDL_FreePalette_REAL at SDL_pixels.c:731-9

commandline

loadjpg  @@ 

source

 727     if (!palette) {
 728         SDL_InvalidParamError("palette");
 729         return;
 730     }
> 731     if (--palette->refcount > 0) {
 732         return;
 733     }
 734     SDL_free(palette->colors);
 735     SDL_free(palette);
 736 }

// Breakpoint 2, SDL_FreePalette_REAL (palette=0x60300000efe0) at /src/libsdl2/src/video/SDL_pixels.c:731
// 731         if (--palette->refcount > 0) {
// (gdb) p palette
// $4 = (SDL_Palette *) 0x60300000efe0
// (gdb) c
// Continuing.

// Breakpoint 2, SDL_FreePalette_REAL (palette=0xe7f301010004ff0b) at /src/libsdl2/src/video/SDL_pixels.c:731
// 731         if (--palette->refcount > 0) {
// (gdb) p palette
// $5 = (SDL_Palette *) 0xe7f301010004ff0b
// (gdb)

bug report

ASAN:DEADLYSIGNAL
=================================================================
==3914==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f61229a1ea0 bp 0x0c0c00001df9 sp 0x7fffa5db4690 T0)
    # 0 0x7f61229a1e9f in SDL_FreePalette_REAL /src/libsdl2/src/video/SDL_pixels.c:731:9
    # 1 0x7f61229a1e9f in SDL_SetPixelFormatPalette_REAL /src/libsdl2/src/video/SDL_pixels.c:685
    # 2 0x7f61229b3f96 in SDL_SetSurfacePalette_REAL /src/libsdl2/src/video/SDL_surface.c:221:9
    # 3 0x7f61229b3f96 in SDL_FreeSurface_REAL /src/libsdl2/src/video/SDL_surface.c:1233
    # 4 0x7f6122d070b1 in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:252:13
    # 5 0x7f6122cf49bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    # 6 0x7f6122cf3f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    # 7 0x4ea140 in main /src/loadjpg.c:8:37
    # 8 0x7f61217fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    # 9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsdl2/src/video/SDL_pixels.c:731:9 in SDL_FreePalette_REAL
==3914==ABORTING

others

from fuzz project pwd-libsdl2-loadjpg-00
crash name pwd-libsdl2-loadjpg-00-00000001-20190418.jpg
Auto-generated by pyspider at 2019-04-18 06:32:03

On 2019-05-28 14:52:21 +0000, Hugo Lefeuvre wrote:

This issue was assigned CVE-2019-12220.

I confirm that the bug is located in SDL_image.

This issue is very similar to # 4621 (CVE-2019-12222) and is fixed by the same patch ([PATCH] pcx: cast size and check calloc return value).

On 2019-05-28 14:52:54 +0000, Hugo Lefeuvre wrote:

(see https://bugzilla.libsdl.org/show_bug.cgi?id=4621)

On 2019-06-10 23:21:42 +0000, Sam Lantinga wrote:

This is fixed, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant