** Description changed:

  Package: sam2p
  Version: 0.49.2 - 0.49.4
  Source code:https://github.com/pts/sam2p
  
  Details:
  In function LoadPCX at in_pcx.cpp (Line 241,sam2p version:0.49.4):
- Key code that causes crashes: 
-  for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i; 
+ Key code that causes crashes:
+  for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
  
  Crash Information:
  The output with address sanitizer enabled:
  
- > ./sam2p 003-LoadPCX-heapover EPS: /dev/null 
+ > ./sam2p 003-LoadPCX-heapover EPS: /dev/null
  > This is sam2p 0.49.4.
  > Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
  > Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG 
PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
  > sam2p: Warning: PCX: PCX file appears to be truncated.
  > sam2p: Warning: PCX: Error reading PCX colormap.  Using grayscale.
  
  > ==10136==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60b00000ae9e at pc 0x0000004329f6 bp 0x7fffffffd6d0 sp 0x7fffffffd6c0
  > WRITE of size 1 at 0x60b00000ae9e thread T0
  >     #0 0x4329f5 in LoadPCX /root/sam2p_ASAN2/sam2p/in_pcx.cpp:241
  >     #1 0x4329f5 in in_pcx_reader /root/sam2p_ASAN2/sam2p/in_pcx.cpp:533
  >     #2 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, 
char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
  >     #3 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char 
const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
  >     #4 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
  >     #5 0x7ffff6ac082f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  >     #6 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
- > 
+ >
  > 0x60b00000ae9e is located 2 bytes to the right of 108-byte region 
[0x60b00000ae30,0x60b00000ae9c)
  > allocated by thread T0 here:
  >     #0 0x7ffff6f02602 in malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
  >     #1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
  >     #2 0x41df2a in operator new[](unsigned long) 
/root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55
- > 
+ >
  > SUMMARY: AddressSanitizer: heap-buffer-overflow 
/root/sam2p_ASAN2/sam2p/in_pcx.cpp:241 LoadPCX
  > Shadow bytes around the buggy address:
  >   0x0c167fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  >   0x0c167fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  >   0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  >   0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  >   0x0c167fff95c0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  > =>0x0c167fff95d0: 00 00 00[04]fa fa fa fa fa fa fa fa 00 00 00 00
  >   0x0c167fff95e0: 00 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa
  >   0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 07
  >   0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  >   0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  >   0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  > Shadow byte legend (one shadow byte represents 8 application bytes):
  >   Addressable:           00
- >   Partially addressable: 01 02 03 04 05 06 07 
+ >   Partially addressable: 01 02 03 04 05 06 07
  >   Heap left redzone:       fa
  >   Heap right redzone:      fb
  >   Freed heap region:       fd
  >   Stack left redzone:      f1
  >   Stack mid redzone:       f2
  >   Stack right redzone:     f3
  >   Stack partial redzone:   f4
  >   Stack after return:      f5
  >   Stack use after scope:   f8
  >   Global redzone:          f9
  >   Global init order:       f6
  >   Poisoned by user:        f7
  >   Container overflow:      fc
  >   Array cookie:            ac
  >   Intra object redzone:    bb
  >   ASan internal:           fe
  > ==10136==ABORTING
+ 
+ reference link:https://github.com/pts/sam2p/issues/18
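Review bot: the new "reference link:https://github.com/pts/sam2p/issues/18" line is missing a space after the colon (the earlier "Source code:https://github.com/pts/sam2p" has the same problem); "reference link: https://..." reads consistently with the other "Label: value" lines in the description. On the substance of the hunk, the quoted loop at in_pcx.cpp:241 writes 256 entries of each palette channel unconditionally, while the sanitizer reports a 1-byte WRITE 2 bytes past a 108-byte heap region returned by operator new[], so the grayscale fallback taken after the "Error reading PCX colormap" warning is writing more palette storage than was allocated; a fix should either guarantee room for all 256 entries before the fallback runs or bound the loop by the size actually allocated. It would also help whoever triages this to state explicitly that the input is a truncated PCX file, which the "PCX file appears to be truncated" warning in the trace already indicates.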

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1751729

Title:
  a heap-buffer-overflow vulnerability in LoadPCX (in in_pcx.cpp)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sam2p/+bug/1751729/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
