
SEGV occurred in bmp_img_free at libbmp.c:127 #60

Open
bladchan opened this issue Oct 12, 2022 · 1 comment

Comments

@bladchan

Hi,

I am running some experiments for AFLAPI (fuzzing) and it has found a segmentation fault in bmp_img_free() at libbmp.c:127.

Environment: Ubuntu 18.04 + gcc 6.0

Driver program:

```c
// read_bmp.c
#include <stdio.h>
#include "libbmp.h"

int main(int argc, char** argv){

    if(argc != 2) return 0;

    /* read bmp */

    bmp_img r_img;                 /* stack object, not set up with bmp_img_init_df() */
    bmp_img_read(&r_img, argv[1]); /* return value not checked */
    bmp_img_free(&r_img);          /* frees whatever the struct fields happen to hold */

    return 0;
}
```

PoC is here:
segv.zip

To reproduce:

1. Compile the driver program with ASAN:
   gcc -g -fsanitize=address read_bmp.c libbmp.c -o read_bmp
2. Run the PoC:
   $ ./read_bmp segv.bmp

ASAN says:

```
$ ./read_bmp segv.bmp 
ASAN:DEADLYSIGNAL
=================================================================
==76342==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x561ea99d4abe bp 0x7ffe97c196d0 sp 0x7ffe97c196b0 T0)
==76342==The signal is caused by a READ memory access.
==76342==Hint: address points to the zero page.
    #0 0x561ea99d4abd in bmp_img_free /home/ubuntu/some_c_test/libbmp/fuzz/libbmp.c:127
    #1 0x561ea99d3fdb in main /home/ubuntu/some_c_test/libbmp/fuzz/read_bmp.c:12
    #2 0x7f9169a71c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #3 0x561ea99d3e09 in _start (/home/ubuntu/some_c_test/libbmp/fuzz/read_bmp+0xe09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/some_c_test/libbmp/fuzz/libbmp.c:127 in bmp_img_free
==76342==ABORTING
```

@faber222

You have to use bmp_img_init_df(&img, X, Y);
before using bmp_img_read().
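The pattern behind that answer, as an added illustration that is not libbmp's code and not from either commenter: a read routine that rejects a malformed file before allocating leaves the image struct untouched, so a free routine that walks the struct afterwards reads whatever the stack held unless the caller initialised it first. The model below uses its own simplified `img_t`, `img_init`, `img_read` and `img_free` (all constructed here, standing in for `bmp_img`, `bmp_img_init_df`, `bmp_img_read` and `bmp_img_free`), and goes slightly beyond the reply by also checking the read's return value and giving the free routine a NULL guard.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for a bmp_img-like object: a header field plus one heap
   row per scanline. Constructed for this illustration; it is not libbmp's code. */
typedef struct {
    int height;
    unsigned char **rows;   /* height row pointers, or NULL when nothing is allocated */
} img_t;

/* Zero every field first, so a later free routine never sees stack garbage. */
void img_init(img_t *img) { memset(img, 0, sizeof *img); }

/* Parse a constructed mini-format: "BM" magic then one byte of height. Returns 0 on
   success, -1 on malformed input; on failure *img stays exactly as the caller left it. */
int img_read(img_t *img, const unsigned char *buf, size_t len) {
    if (len < 3 || buf[0] != 'B' || buf[1] != 'M' || buf[2] == 0)
        return -1;                       /* truncated or bad magic: reject before allocating */
    int h = buf[2];
    unsigned char **rows = calloc((size_t)h, sizeof *rows);
    if (!rows) return -1;
    for (int y = 0; y < h; y++) {
        rows[y] = calloc(4, 1);          /* one small row per scanline */
        if (!rows[y]) {                  /* partial failure: release what was allocated */
            for (int k = 0; k < y; k++) free(rows[k]);
            free(rows); return -1;
        }
    }
    img->height = h;
    img->rows = rows;
    return 0;
}

/* Free routine that tolerates an object that was initialised but never read. */
void img_free(img_t *img) {
    if (!img->rows) return;              /* nothing allocated: safe after a failed read */
    for (int y = 0; y < img->height; y++) free(img->rows[y]);
    free(img->rows);
    img->rows = NULL; img->height = 0;
}

/* Hardened driver sequence: init, read, then free only what the read set up.
   Returns 0 if the input was accepted, -1 if it was rejected without a crash. */
int load_and_release(const unsigned char *buf, size_t len) {
    img_t img;
    img_init(&img);                      /* the step the original driver skipped */
    int rc = img_read(&img, buf, len);
    img_free(&img);                      /* safe either way: init plus the NULL check */
    return rc;
}
```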
