ERROR: AddressSanitizer: SEGV on unknown address 0x61f00002ec7c

[EnchantedJohn]

I found another Bug of FLIF.

the error is :
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
ASAN:SIGSEGV
==91270==ERROR: AddressSanitizer: SEGV on unknown address 0x61f00002ec7c (pc 0x0000005c35fd sp 0x7ffff4203c00 bp 0x7ffff4203d60 T0)
#0 0x5c35fc in TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&) transform/palette_C.hpp:130
#1 0x72e7d8 in bool flif_encode(FileIO&, std::vector<Image, std::allocator >&, std::vector<std::string, std::allocatorstd::string > const&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif-enc.cpp:914
#2 0x4acaf5 in encode_flif(int, char**, std::vector<Image, std::allocator >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:344
#3 0x408c14 in main /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:763
#4 0x7fb8c0c43f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#5 0x49f14f (/home/lx/5_7/ASAN/FLIF-master/src/flif+0x49f14f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV transform/palette_C.hpp:130 TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)
==91270==ABORTING

[EnchantedJohn]

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x1
RBX: 0x7f7f
RCX: 0xd17540 --> 0x0
RDX: 0x0
RSI: 0x0
RDI: 0xd16980 --> 0x0
RBP: 0xce8690 --> 0x4b8d40 (StaticColorRanges::~StaticColorRanges(): lea rsp,[rsp-0x98])
RSP: 0x7fffffffdb70 --> 0xd16968 --> 0x0
RIP: 0x54d222 (<TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)+3810>: mov DWORD PTR [r11+rbx4],edx)
R8 : 0x2
R9 : 0x7ffff76837b8 --> 0xd17570 --> 0x0
R10: 0xd16960 --> 0xfeff00007f7f
R11: 0xd16980 --> 0x0
R12: 0xd16878 --> 0xd16960 --> 0xfeff00007f7f
R13: 0x7fffffffdbc0 --> 0x7fffffffe010 --> 0xd16550 --> 0xd05118 ("Channel_Compact")
R14: 0x7fffffffdbbc --> 0xffffe01000007f7f
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x54d218 <TransformPaletteC::process(ColorRanges const, std::vector<Image, std::allocator > const&)+3800>: movsxd rbx,DWORD PTR [r10+rax4]
0x54d21c <TransformPaletteC::process(ColorRanges const, std::vector<Image, std::allocator > const&)+3804>: lea eax,[rdx+0x1]
0x54d21f <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)+3807>: cmp rax,r8
=> 0x54d222 <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)+3810>: mov DWORD PTR [r11+rbx4],edx
0x54d226 <TransformPaletteC::process(ColorRanges const, std::vector<Image, std::allocator > const&)+3814>: mov rdx,rax
0x54d229 <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)+3817>:
jb 0x54d1dd <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)+3741>: jb 0x54d1dd <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)+3741>
0x54d22b <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)+3819>: nop
0x54d22c <TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)+3820>: lea rsp,[rsp-0x98]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdb70 --> 0xd16968 --> 0x0
0008| 0x7fffffffdb78 --> 0xd16878 --> 0xd16960 --> 0xfeff00007f7f
0016| 0x7fffffffdb80 --> 0x4c97b0 (<TransformPaletteC::init(ColorRanges const*)>: lea rsp,[rsp-0x98])
0024| 0x7fffffffdb88 --> 0x7fffffffdbc8 --> 0x7fff00000000
0032| 0x7fffffffdb90 --> 0xd16901 --> 0x0
0040| 0x7fffffffdb98 --> 0xd16840 --> 0xce8690 --> 0x4b8d40 (StaticColorRanges::~StaticColorRanges(): lea rsp,[rsp-0x98])
0048| 0x7fffffffdba0 --> 0xd164b8 --> 0x31 ('1')
0056| 0x7fffffffdba8 --> 0x7fffffffe0e0 --> 0xd16400 --> 0xd05670 --> 0xce8410 --> 0x48de90 (<Plane::set(unsigned long, unsigned long, int)>: lea rsp,[rsp-0x98])
[------------------------------------------------------------------------------] blue
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000054d222 in TransformPaletteC::process (this=, srcRanges=0xd16840, images=std::vector of length 1, capacity 1 = {...}) at transform/palette_C.hpp:130
130 for (unsigned int i=0; i<CPalette_vector[p].size(); i++) CPalette_inv_vector[p][CPalette_vector[p][i]]=i;

[fouzhe]

Could you please attach the input file and tell me the FLIF version?

[hongxuchen]

The PoC file we found:
palette_C.hpp:130.txt

[EnchantedJohn]

@fouzhe FLIF' version is FLIF (Free Lossless Image Format) 0.3 [28 April 2017]

[fgeek]

Also reproduced in aad2083 and minimized with afl-tmin.

python3 -c "print ('P6\n5\n5050\n5050')" > flif-issue-506.txt
./flif --overwrite flif-issue-506.txt out.png

==19477==ERROR: AddressSanitizer: SEGV on unknown address 0x62a00002bffc (pc 0x5628a8616494 bp 0x7fffc813bca0 sp 0x7fffc813bac0 T0)
    #0 0x5628a8616493 in TransformPaletteC<FileIO>::process(ColorRanges const*, std::vector<Image, std::allocator<Image> > const&) transform/palette_C.hpp:130
    #1 0x5628a8759020 in bool flif_encode<FileIO>(FileIO&, std::vector<Image, std::allocator<Image> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, flif_options&) ./src/flif-enc.cpp:914
    #2 0x5628a8519f74 in encode_flif(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) ./src/flif.cpp:344
    #3 0x5628a84896de in main ./src/flif.cpp:763
    #4 0x7f78430d62e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x5628a850bfa9 in _start (./src/flif+0xa1fa9)