Menu
▾
▴
1 Attachments
#298 heap-buffer-overflow in function LoadPixelDataRLE8 of PluginBMP.cpp
There is a heap-buffer-overflow in function LoadPixelDataRLE8 of PluginBMP.cpp whick may cause a code execution or denial of service.
The asan log as below:
=================================================================
==28346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4b02ca0 at pc 0x081595db bp 0xff8e4b28 sp 0xff8e4b20
WRITE of size 1 at 0xf4b02ca0 thread T0
#0 0x81595da in LoadPixelDataRLE8(FreeImageIO*, void*, int, int, FIBITMAP*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:445:22
#1 0x8153442 in LoadWindowsBMP(FreeImageIO*, void*, int, unsigned int, int) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:555:11
#2 0x8153442 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:1135:12
#3 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
#4 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
#5 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
#6 0xf7290fb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/../csu/libc-start.c:308:16
#7 0x806f8f5 in _start (/home/FreeImage/test+0x806f8f5)
0xf4b02ca0 is located 0 bytes to the right of 544-byte region [0xf4b02a80,0xf4b02ca0)
allocated by thread T0 here:
#0 0x80e6675 in malloc (/home/FreeImage/TestAPI/testAPI+0x80e6675)
#1 0x812aa32 in FreeImage_Aligned_Malloc(unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:183:19
#2 0x812aa32 in FreeImage_AllocateBitmap(int, unsigned char*, unsigned int, FREE_IMAGE_TYPE, int, int, int, unsigned int, unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:390:26
#3 0x812b600 in FreeImage_AllocateHeader /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:482:9
#4 0x8152bf1 in LoadWindowsBMP(FreeImageIO*, void*, int, unsigned int, int) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:494:11
#5 0x8152bf1 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:1135:12
#6 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
#7 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
#8 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
#9 0xf7290fb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/FreeImage/Source/FreeImage/PluginBMP.cpp:445:22 in LoadPixelDataRLE8(FreeImageIO*, void*, int, int, FIBITMAP*)
Shadow bytes around the buggy address:
0x3e960540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e960550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e960560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e960570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e960580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e960590: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x3e9605a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9605b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e9605c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e9605d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e9605e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==28346==ABORTING
fixed in the SVN