It is a heap-buffer-overflow vulnerability in pnm_load_rawpbm (input-pnm.ci:414)

[fantasy7082]

Hi, i found a heap-buffer-overflow vulnerability in the sam2p 0.49.4, the details are below(ASAN):

> ./sam2p 021-heap-pnm_load_rawpbm EPS: /dev/null 
> This is sam2p 0.49.4.
> Available Loaders: PS PDF JAI PNG JPEG TIFF PNM BMP GIF LBM XPM PCX TGA.
> Available Appliers: XWD Meta Empty BMP PNG TIFF6 TIFF6-JAI JPEG-JAI JPEG PNM GIF89a+LZW XPM PSL1C PSL23+PDF PSL2+PDF-JAI P-TrOpBb.
> ==13205==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000082b1 at pc 0x000000423067 bp 0x7fffffffd470 sp 0x7fffffffd460
> READ of size 1 at 0x6020000082b1 thread T0
>     #0 0x423066 in pnm_load_rawpbm /root/sam2p_ASAN2/sam2p/input-pnm.ci:414
>     #1 0x4243f1 in pnm_load_image(GenBuffer::Readable*) /root/sam2p_ASAN2/sam2p/input-pnm.ci:272
>     #2 0x424b25 in in_pnm_reader /root/sam2p_ASAN2/sam2p/in_pnm.cpp:29
>     #3 0x475999 in Image::load(Image::Loader::UFD*, SimBuffer::Flat const&, char const*) /root/sam2p_ASAN2/sam2p/image.cpp:1427
>     #4 0x40384a in run_sam2p_engine(Files::FILEW&, Files::FILEW&, char const* const*, bool) /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1055
>     #5 0x402463 in main /root/sam2p_ASAN2/sam2p/sam2p_main.cpp:1148
>     #6 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #7 0x402d38 in _start (/usr/local/sam2p-asan2/bin/sam2p+0x402d38)
> 
> 0x6020000082b1 is located 0 bytes to the right of 1-byte region [0x6020000082b0,0x6020000082b1)
> allocated by thread T0 here:
>     #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
>     #1 0x41df2a in emulate_cc_new /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:35
>     #2 0x41df2a in operator new[](unsigned long) /root/sam2p_ASAN2/sam2p/c_lgcc.cpp:55
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sam2p_ASAN2/sam2p/input-pnm.ci:414 pnm_load_rawpbm
> Shadow bytes around the buggy address:
>   0x0c047fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c047fff9050: fa fa fa fa fa fa[01]fa fa fa 00 00 fa fa 00 04
>   0x0c047fff9060: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
>   0x0c047fff9070: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
>   0x0c047fff9080: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
>   0x0c047fff9090: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
>   0x0c047fff90a0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
> ==13205==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/021-heap-pnm_load_rawpbm

[pts]

Thank you for reporting this! Fixed in beea3bd.