
#298 heap-buffer-overflow in function LoadPixelDataRLE8 of PluginBMP.cpp

None
pending
None
5
2021-04-04
2019-12-03
galycannon
No

There is a heap-buffer-overflow in function LoadPixelDataRLE8 of PluginBMP.cpp which may cause a code execution or denial of service.
The ASan log is below:

=================================================================
==28346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4b02ca0 at pc 0x081595db bp 0xff8e4b28 sp 0xff8e4b20
WRITE of size 1 at 0xf4b02ca0 thread T0
    #0 0x81595da in LoadPixelDataRLE8(FreeImageIO*, void*, int, int, FIBITMAP*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:445:22
    #1 0x8153442 in LoadWindowsBMP(FreeImageIO*, void*, int, unsigned int, int) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:555:11
    #2 0x8153442 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:1135:12
    #3 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #4 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #5 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #6 0xf7290fb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/../csu/libc-start.c:308:16
    #7 0x806f8f5 in _start (/home/FreeImage/test+0x806f8f5)

0xf4b02ca0 is located 0 bytes to the right of 544-byte region [0xf4b02a80,0xf4b02ca0)
allocated by thread T0 here:
    #0 0x80e6675 in malloc (/home/FreeImage/TestAPI/testAPI+0x80e6675)
    #1 0x812aa32 in FreeImage_Aligned_Malloc(unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:183:19
    #2 0x812aa32 in FreeImage_AllocateBitmap(int, unsigned char*, unsigned int, FREE_IMAGE_TYPE, int, int, int, unsigned int, unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:390:26
    #3 0x812b600 in FreeImage_AllocateHeader /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:482:9
    #4 0x8152bf1 in LoadWindowsBMP(FreeImageIO*, void*, int, unsigned int, int) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:494:11
    #5 0x8152bf1 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:1135:12
    #6 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #7 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #8 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #9 0xf7290fb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/FreeImage/Source/FreeImage/PluginBMP.cpp:445:22 in LoadPixelDataRLE8(FreeImageIO*, void*, int, int, FIBITMAP*)
Shadow bytes around the buggy address:
  0x3e960540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e960550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e960560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e960570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e960580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e960590: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x3e9605a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9605b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9605c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9605d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9605e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28346==ABORTING
1 Attachments
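
The report above shows a one-byte WRITE landing exactly at the end of the 544-byte bitmap allocation, i.e. the RLE8 decoder wrote one pixel past the destination buffer. As an added illustration of the defensive check that prevents this class of bug, here is a bounds-checked BMP RLE8 decoder; it is example code written for this page, not FreeImage's LoadPixelDataRLE8, and it assumes an unpadded 8-bpp destination of width*height bytes and the standard BMP RLE8 escapes (0 = end of line, 1 = end of bitmap, 2 = delta, n >= 3 = absolute mode).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* Bounds-checked BMP RLE8 decoder (illustrative, not FreeImage's LoadPixelDataRLE8).
 * Assumes `out` holds width*height bytes, one byte per pixel, rows unpadded.
 * Every write is checked against the pixels left in the row and the rows left
 * in the image before it happens; every read is checked against in_len.
 * Returns 0 on success, -1 on a stream that would read or write out of bounds. */
int rle8_decode(const uint8_t *in, size_t in_len, uint8_t *out, size_t width, size_t height)
{
    size_t x = 0, y = 0, i = 0;
    memset(out, 0, width * height);           /* pixels skipped by a delta stay 0 */
    while (i + 1 < in_len) {
        uint8_t count = in[i], value = in[i + 1];
        i += 2;
        if (count > 0) {                      /* encoded run: `count` copies of `value` */
            if (y >= height || count > width - x) return -1;
            memset(out + y * width + x, value, count);
            x += count;
        } else if (value == 0) {              /* escape 0: end of line */
            if (y >= height) return -1;
            x = 0; y++;
        } else if (value == 1) {              /* escape 1: end of bitmap */
            return 0;
        } else if (value == 2) {              /* escape 2: delta (dx, dy) moves the cursor */
            if (in_len - i < 2) return -1;
            uint8_t dx = in[i], dy = in[i + 1];
            i += 2;
            if (dx > width - x || dy > height - y) return -1;
            x += dx; y += dy;
        } else {                              /* absolute mode: `value` literal bytes, word-aligned */
            size_t n = value, padded = (n + 1) & ~(size_t)1;
            if (in_len - i < padded) return -1;
            if (y >= height || n > width - x) return -1;
            memcpy(out + y * width + x, in + i, n);
            x += n; i += padded;
        }
    }
    return -1;                                /* input ended without an end-of-bitmap escape */
}

int main(void)
{
    /* constructed sample: 4x2 image whose second row claims a 5-pixel run on a 4-pixel row */
    static const uint8_t bad[] = {0x04, 0xAA, 0x00, 0x00, 0x05, 0xBB, 0x00, 0x00, 0x00, 0x01};
    uint8_t out[8];
    printf("overlong run rejected: %d\n", rle8_decode(bad, sizeof bad, out, 4, 2));
    return 0;
}
```

The same check also rejects a stream that supplies more rows than the header declared, which is the other way an RLE8 run can walk off the end of the allocation.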

Discussion

  • Hervé Drolon

    Hervé Drolon - 2021-04-04
    • status: open --> pending
    • assigned_to: Hervé Drolon
    • Group: -->
     
  • Hervé Drolon

    Hervé Drolon - 2021-04-04

    fixed in the SVN

     
