
Null pointer dereference vulnerability in MiniPS::delete0 getType() (minips.cpp:220) #20

Closed
fantasy7082 opened this issue Feb 13, 2018 · 2 comments

Comments

@fantasy7082

fantasy7082 commented Feb 13, 2018

Hi, I found a null pointer dereference bug in sam2p 0.49.4. It crashed in function MiniPS::delete. The details are below (ASAN):

> ./sam2p 020-null-p-minips EPS: /dev/null 
> This is sam2p 0.49.4.
> Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
> Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
> sam2p: Notice: job: read InputFile: 020-null-p-minips
> sam2p: Notice: writeTTT: using template: l23
> sam2p: Notice: applyProfile: applied OutputRule #18 using applier PSL23+PDF
> sam2p: Notice: job: written OutputFile: /dev/null
> ASAN:SIGSEGV
> ==13183==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000043f8af bp 0x61500000fec0 sp 0x7fffffffd860 T0)
>     #0 0x43f8ae in MiniPS::Value::getType() const /root/sam2p_ASAN2/sam2p/minips.hpp:91
>     #1 0x43f8ae in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:220
>     #2 0x43f9d8 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.hpp:223
>     #3 0x43f9d8 in MiniPS::Array::free() /root/sam2p_ASAN2/sam2p/minips.cpp:376
>     #4 0x43f91f in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:222
>     #5 0x43f6ff in MiniPS::Dict::free() /root/sam2p_ASAN2/sam2p/minips.cpp:451
>     #6 0x43f907 in MiniPS::delete0(long) /root/sam2p_ASAN2/sam2p/minips.cpp:221
>     #7 0x4043e6 in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1103
>     #8 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
>     #9 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #10 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /root/sam2p_ASAN2/sam2p/minips.hpp:91 MiniPS::Value::getType() const
> ==13183==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/020-null-p-minips
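A constructed illustration of the free path the trace above shows (Dict::free -> delete0 -> Array::free -> delete0 -> getType() on a NULL slot), added here as an example and not code from the issue or from sam2p itself. The node types, `delete0_unchecked`, `delete0_checked` and `free_tree_with_null_slot` are assumptions that model the pattern, with arrays and dicts collapsed into one container type:

```cpp
// Constructed model of a MiniPS-style value tree and its recursive deleter
// (illustrative, not sam2p's own code). Arrays and dicts share one node type.
#include <vector>

enum Type { T_INT, T_ARRAY, T_DICT };

struct Value {
  Type type;
  explicit Value(Type t) : type(t) {}
  virtual ~Value() {}
  Type getType() const { return type; }  // reads through `this`: crashes on NULL
};
// Array or Dict: a container whose slots may be left NULL by a failed parse.
struct Container : Value {
  explicit Container(Type t) : Value(t) {}
  std::vector<Value*> items;
};
static bool isContainer(const Value *v) {
  return v->getType() == T_ARRAY || v->getType() == T_DICT;
}

// Pattern seen in the reported trace: the type is inspected before any NULL
// check, so a NULL element of a nested container is dereferenced in getType().
void delete0_unchecked(Value *v) {
  if (isContainer(v))
    for (Value *e : static_cast<Container*>(v)->items) delete0_unchecked(e);
  delete v;
}

// Hardened form: a NULL slot is an empty slot and is skipped; the return
// value counts the nodes actually released so callers can sanity-check it.
int delete0_checked(Value *v) {
  if (v == nullptr) return 0;
  int freed = 1;
  if (isContainer(v))
    for (Value *e : static_cast<Container*>(v)->items) freed += delete0_checked(e);
  delete v;
  return freed;
}

// Builds the shape in the trace (Dict -> Array -> {Int, NULL}) and frees it.
int free_tree_with_null_slot() {
  Container *a = new Container(T_ARRAY);
  a->items.push_back(new Value(T_INT));
  a->items.push_back(nullptr);  // the poisoned slot
  Container *d = new Container(T_DICT);
  d->items.push_back(a);
  return delete0_checked(d);  // 3 nodes freed: Dict, Array, Int
}
```

Calling `delete0_unchecked` on the same tree reproduces the SEGV in `getType()`; the checked variant frees the three real nodes and skips the empty slot.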

@pts
Owner

pts commented Feb 27, 2018

Thank you for reporting this!

I'm not able to reproduce this as of 22bb390. It does a successful conversion.

If you can reproduce the problem, please reopen the issue.

@pts pts closed this as completed Feb 27, 2018
@fantasy7082
Author

@pts Well, I also found the problem later: you should disable ASAN when you compile with gcc 7.x (but there is no problem in gcc 5.x). That means you can't compile the project with the flags "-ggdb -fsanitize=address":

cat /etc/issue
Ubuntu 17.10 \n \l

root@ubuntu:~/sam2p-asan2/sam2p-test/sam2p# gcc --version
gcc (Ubuntu 7.2.0-8ubuntu3.2) 7.2.0
Copyright (C) 2017 Free Software Foundation, Inc.

./configure --enable-gif --enable-lzw --prefix=/usr/local/sam2p-test/
....
make
....

./sam2p 020-null-p-minips EPS: /dev/null 
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
*** Error in `./sam2p': free(): invalid next size (normal): 0x000055bac6d182b0 ***
Aborted (core dumped)

gdb -q ./sam2p
Reading symbols from ./sam2p...done.
(gdb) r 020-null-p-minips EPS: /dev/null
Starting program: /root/sam2p-asan2/sam2p-test/sam2p/sam2p 020-null-p-minips EPS: /dev/null
This is sam2p 0.49.4.
Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
*** Error in `/root/sam2p-asan2/sam2p-test/sam2p/sam2p': free(): invalid next size (normal): 0x00005555558152b0 ***

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) l
46	in ../sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff76a7f5d in __GI_abort () at abort.c:90
#2  0x00007ffff76f028d in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff7817528 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff76f764a in malloc_printerr (action=<optimized out>, str=0x7ffff7817888 "free(): invalid next size (normal)", 
    ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5426
#4  0x00007ffff76f973e in _int_free (av=0x7ffff7a49c20 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4175
#5  0x00007ffff76fe44e in __GI___libc_free (mem=<optimized out>) at malloc.c:3145
#6  0x000055555558c96c in Image::Sampled::~Sampled (__vtt_parm=0x5555557b0368 <VTT for Image::RGB+8>, this=0x5555557d67c0, 
    __in_chrg=<optimized out>) at image.hpp:118
#7  Image::RGB::~RGB (this=0x5555557d67c0, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at image.hpp:250
#8  Image::RGB::~RGB (this=0x5555557d67c0, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at image.hpp:250
#9  0x000055555558a5fb in Image::SampledInfo::SampledInfo (this=0x7fffffffe0e0, img_=0x5555557d67c0) at image.cpp:1516
#10 0x000055555555ba08 in run_sam2p_engine (sout=..., serr=..., argv1=<optimized out>, helpp=<optimized out>)
    at sam2p_main.cpp:1055
#11 0x000055555555b029 in main (argv=0x7fffffffe488) at sam2p_main.cpp:1148
(gdb)
