It is a heap-buffer-overflow vulnerability in in_bmp_reader (in_bmp.cpp:31)

[fantasy7082]

Hi, i found a heap-buffer-overflow vulnerability in the sam2p 0.49.4, the details are below(ASAN):

> ./sam2p 012-heap-bmpreader EPS: /dev/null 
> This is sam2p 0.49.4.
> Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
> Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
> ==13194==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffff7fa1100 at pc 0x7ffff6ef6935 bp 0x7fffffffd820 sp 0x7fffffffcfc8
> READ of size 1776384 at 0x7ffff7fa1100 thread T0
>     #0 0x7ffff6ef6934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
>     #1 0x4268c5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
>     #2 0x4268c5 in in_bmp_reader /root/sam2p_ASAN2/sam2p/in_bmp.cpp:31
>     #3 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
>     #4 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
>     #5 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
>     #6 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #7 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
> 
> 0x7ffff7fa1100 is located 0 bytes to the right of 592128-byte region [0x7ffff7f10800,0x7ffff7fa1100)
> allocated by thread T0 here:
>     #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
>     #1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
>     #2 0x41df2a in operator new[](unsigned long) /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
> Shadow bytes around the buggy address:
>   0x10007efec1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10007efec1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10007efec1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10007efec200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10007efec210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x10007efec220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x10007efec230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x10007efec240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x10007efec250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x10007efec260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x10007efec270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
> ==13194==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/012-heap-bmpreader

[pts]

Thank you for reporting this! Fixed in 4737871.