Subject: Constructing a special file can cause libfreeimage3 to crash Package: libfreeimage3 Version: 3.17.0+ds1-5 Tags: upstream Severity: important
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libfreeimage3 depends on:
ii libc6 2.24-11+deb9u1
ii libgcc1 1:6.3.0-18
ii libilmbase12 2.2.0-12
ii libjpeg62-turbo 1:1.5.1-2
ii libjxr0 1.1-6+b1
ii libopenexr22 2.2.0-11+b1
ii libopenjp2-7 2.1.2-1.1+deb9u2
ii libpng16-16 1.6.28-1
ii libraw15 0.17.2-6+deb9u1
ii libstdc++6 6.3.0-18
ii libtiff5 4.0.8-2+deb9u1
ii libwebp6 0.5.2-1
ii libwebpmux2 0.5.2-1
ii zlib1g 1:1.2.8.dfsg-5

root@debian:~/Desktop# dpkg --list libfreeimage3
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii libfreeimage3: 3.17.0+ds1-5 amd64 Support library for graphics imag
root@debian:/opt# ls FreeImage_Fuzzer.c
root@debian:/opt# g++ FreeImage_Fuzzer.c /usr/lib/x86_64-linux-gnu/libfreeimage-3.17.0.so -o FreeImage_Fuzz
root@debian:/opt# ./FreeImage_Fuzz id_000196,sig_11,src_002098,op_flip1,pos_2
Segmentation fault
root@debian:/opt#

This denial of service (DoS) applies to all applications that use FreeImage. The transcript above shows only the segmentation fault; it includes no backtrace, so the faulting code path inside the library is not identified here.

Reference link: https://sourceforge.net/projects/freeimage/
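// Minimal load-only harness used to reproduce the libfreeimage3 crash in this
// report. It runs one input file through FreeImage's format detection and
// loader, reads the image dimensions, and unloads the bitmap.
//
// The report builds it against the packaged shared library:
//   g++ FreeImage_Fuzzer.c /usr/lib/x86_64-linux-gnu/libfreeimage-3.17.0.so -o FreeImage_Fuzz
// For triage, adding -g -fsanitize=address to that command yields a
// symbolised trace that can be attached to the report.
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#include <iostream>

#include "FreeImage.h"

/** Generic image loader
	@param lpszPathName Pointer to the full file name
	@param flag Optional load flag constant
	@return Returns the loaded dib if successful, returns NULL otherwise
*/
FIBITMAP* GenericLoader(const char* lpszPathName, int flag) {
	if (lpszPathName == NULL) {
		return NULL;
	}

	// check the file signature and deduce its format
	// (the second argument is currently not used by FreeImage)
	FREE_IMAGE_FORMAT fif = FreeImage_GetFileType(lpszPathName, 0);
	if (fif == FIF_UNKNOWN) {
		// no signature: fall back to guessing the format from the extension
		fif = FreeImage_GetFIFFromFilename(lpszPathName);
	}

	// only hand the file to a plugin that is known and able to read
	if (fif == FIF_UNKNOWN || !FreeImage_FIFSupportsReading(fif)) {
		return NULL;
	}

	// The input is attacker-controlled in a fuzzing run; everything past this
	// call is the library's parser for the detected format.
	return FreeImage_Load(fif, lpszPathName, flag);
}

/** Generic image writer
	@param dib Pointer to the dib to be saved
	@param lpszPathName Pointer to the full file name
	@param flag Optional save flag constant
	@return Returns true if successful, returns false otherwise
*/
bool GenericWriter(FIBITMAP* dib, const char* lpszPathName, int flag) {
	if (dib == NULL || lpszPathName == NULL) {
		return false;
	}

	// try to guess the file format from the file extension
	const FREE_IMAGE_FORMAT fif = FreeImage_GetFIFFromFilename(lpszPathName);
	if (fif == FIF_UNKNOWN) {
		return false;
	}

	// check that the plugin has sufficient writing and export capabilities
	const WORD bpp = FreeImage_GetBPP(dib);
	if (!FreeImage_FIFSupportsWriting(fif) || !FreeImage_FIFSupportsExportBPP(fif, bpp)) {
		return false;
	}

	// BOOL is an integer type: treat any non-zero result as success instead of
	// comparing against the C++ literal `true`.
	const BOOL bSuccess = FreeImage_Save(fif, dib, lpszPathName, flag);
	return bSuccess != 0;
}

/** FreeImage error handler
	@param fif Format / Plugin responsible for the error
	@param message Error message
*/
void FreeImageErrorHandler(FREE_IMAGE_FORMAT fif, const char *message) {
	std::cout << "\n*** ";
	if (fif != FIF_UNKNOWN) {
		// streaming a null char pointer is undefined, so guard both strings
		const char *format = FreeImage_GetFormatFromFIF(fif);
		std::cout << (format ? format : "(unknown)") << " Format\n";
	}
	std::cout << (message ? message : "(no message)");
	std::cout << " ***\n";
}

/** Load one file, read its dimensions, and unload it
	@param lpFileName Pointer to the full file name of the input under test
	@return Returns true if the file was loaded, returns false otherwise
*/
bool FreeImage_Fuzzer(char* lpFileName) {
	// Load the bitmap
	FIBITMAP *dib = GenericLoader(lpFileName, 0);
	if (!dib) {
		return false;
	}

	// The getters are kept so the harness still touches the decoded image
	// header after a successful load; the values themselves are not used.
	const unsigned width = FreeImage_GetWidth(dib);
	const unsigned height = FreeImage_GetHeight(dib);
	(void)width;
	(void)height;

	FreeImage_Unload(dib);
	return true;
}

int main(int argc, char *argv[]) {
	// Validate arguments before initialising the library, so the usage path
	// cannot return with FreeImage initialised but never de-initialised.
	if (argc != 2) {
		printf("Usage : %s <input file name>\n", (argc > 0 && argv[0]) ? argv[0] : "FreeImage_Fuzz");
		return 1;
	}

	// call this ONLY when linking with FreeImage as a static library
#ifdef FREEIMAGE_LIB
	FreeImage_Initialise();
#endif // FREEIMAGE_LIB

	// route library diagnostics through our own handler
	FreeImage_SetOutputMessage(FreeImageErrorHandler);

	// A rejected input is an expected outcome for a fuzzing harness, so both
	// outcomes exit with status 0; only a crash is a finding.
	if (FreeImage_Fuzzer(argv[1])) {
		printf("Open %s Succeeded.\n", argv[1]);
	} else {
		printf("Open %s Failed.\n", argv[1]);
	}

#ifdef FREEIMAGE_LIB
	FreeImage_DeInitialise();
#endif // FREEIMAGE_LIB

	return 0;
}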
id_000196,sig_11,src_002098,op_flip1,pos_2
Description: id_000196,sig_11,src_002098,op_flip1,pos_2