Segmentation fault caused by null pointer exception

Question

Segmentation fault caused by null pointer exception

Half-Quarter opened this issue 4 years ago · 1 comments

We found a segfault fault in your software. When the parameter of "history" malloc on line 6484 of stb_image.h i
s too large and returns 0, the memset on line 6492 will crash.

The relevant code that caused the error

  first_frame = 0; 
   if (g->out == 0) {
      if (!stbi__gif_header(s, g, comp,0))     return 0; // stbi__g_failure_reason set by stbi__gif_header
      g->out = (stbi_uc *) stbi__malloc(4 * g->w * g->h);
      g->background = (stbi_uc *) stbi__malloc(4 * g->w * g->h); 
      g->history = (stbi_uc *) stbi__malloc(g->w * g->h); 
      if (g->out == 0)                      return stbi__errpuc("outofmem", "Out of memory");

      // image is treated as "tranparent" at the start - ie, nothing overwrites the current background; 
      // background colour is only used for pixels that are not rendered first frame, after that "background"
      // color refers to teh color that was there the previous frame. 
      memset( g->out, 0x00, 4 * g->w * g->h ); 
      memset( g->background, 0x00, 4 * g->w * g->h ); // state of the background (starts transparent)
      memset( g->history, 0x00, g->w * g->h );        // pixels that were affected previous frame
      first_frame = 1; 
   } else {
      // second frame - how do we dispoase of the previous one?
      dispose = (g->eflags & 0x1C) >> 2; 
      pcount = g->w * g->h; 

      if ((dispose == 3) && (two_back == 0)) {
         dispose = 2; // if I don't have an image to revert back to, default to the old background
      }

      if (dispose == 3) { // use previous graphic
         for (pi = 0; pi < pcount; ++pi) {
            if (g->history[pi]) {
               memcpy( &g->out[pi * 4], &two_back[pi * 4], 4 ); 
            }
         }
      } else if (dispose == 2) { 
         // restore what was changed last frame to background before that frame; 
         for (pi = 0; pi < pcount; ++pi) {
            if (g->history[pi]) {
               memcpy( &g->out[pi * 4], &g->background[pi * 4], 4 ); 
            }
         }
      } else {
         // This is a non-disposal case eithe way, so just 
         // leave the pixels as is, and they will become the new background
         // 1: do not dispose
         // 0:  not specified.
      }

      // background is what out is after the undoing of the previou frame; 
      memcpy( g->background, g->out, 4 * g->w * g->h ); 
   }

We are the result of fuzzing test using gif, this is the poc we got crash：

00000000: 4749 4638 3961 2080 ffff ff03 0000 0000  GIF89a .........
00000010: ff00 00ff ff00 ffff ff21 f904 0000 0000  .........!......
00000020: 002c 0000 0000 2000 2000 0002 849c cfa9  .,.... . .......

Answer 1 · 2020-11-07T09:20:37.000Z

That code is from an external lib stb_image, you should open the issue on their repository