FLIF crash with specific image: heap-buffer-overflow #513
Description
Hi, all.
This PAM image file can cause crash.
It can cause heap-buffer-overflow. Here is ASAN result and I attached the file.
Thanks.
Execute the following command:
./flif --overwrite -e id\:000009\,sig\:06\,src\:000000\,op\:flip1\,pos\:39 2.flif
ASAN result:
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
=================================================================
==17011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000040c0 at pc 0x00000060ceed bp 0x7ffd4a59bad0 sp 0x7ffd4a59bac8
WRITE of size 4 at 0x61b0000040c0 thread T0
#0 0x60ceec in TransformPaletteC<FileIO>::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&) /home/fouzhe/my_fuzz/FLIF/src/transform/palette_C.hpp:130:112
#1 0x775220 in bool flif_encode<FileIO>(FileIO&, std::vector<Image, std::allocator<Image> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, flif_options&) /home/fouzhe/my_fuzz/FLIF/src/flif-enc.cpp:914:22
#2 0x53082a in encode_flif(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/fouzhe/my_fuzz/FLIF/src/flif.cpp:344:12
#3 0x53bed0 in handle_encode(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/fouzhe/my_fuzz/FLIF/src/flif.cpp:360:12
#4 0x53bed0 in main /home/fouzhe/my_fuzz/FLIF/src/flif.cpp:763
#5 0x7f3b72d8882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x427418 in _start (/home/fouzhe/my_fuzz/FLIF/src/flif+0x427418)
Address 0x61b0000040c0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fouzhe/my_fuzz/FLIF/src/transform/palette_C.hpp:130:112 in TransformPaletteC<FileIO>::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&)
Shadow bytes around the buggy address:
0x0c367fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fff8810: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
0x0c367fff8820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb