CVE-2018-20545

[fgeek]

Following vulnerability has been reported to Red Hat issue tracker:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545 https://bugzilla.redhat.com/show_bug.cgi?id=1652621

./img2txt POC0

version: libcaca0.99beta19
Summary: 

There is an illegal WRITE memory access at src/common-image.c:203 (function:load_image )in libcaca latest version.

Description:

The asan debug is as follows:

$./img2txt POC0

=================================================================
==28346==ERROR: AddressSanitizer: SEGV on unknown address 0x6020ffff0030 (pc 0x5643f5ff307a bp 0x603000000010 sp 0x7ffde48056e0 T0)
==28346==The signal is caused by a WRITE memory access.
    #0 0x5643f5ff3079 in load_image /home/company/real/libcaca-master/src/common-image.c:203
    #1 0x5643f5ff17c7 in main /home/company/real/libcaca-master/src/img2txt.c:171
    #2 0x7fde504511c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #3 0x5643f5ff1f09 in _start (/home/company/real/libcaca-master/install_asan/bin/img2txt+0x2f09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/company/real/libcaca-master/src/common-image.c:203 in load_image
==28346==ABORTING

[fgeek]

Confirmed in f1267fbd3cd3635a628c30e523fe1217f0f8a3b3. Minimized sample CVE-2018-20545.zip with afl-tmin (SHA1: 804ae44ad65e54d69f23eb88af73cae77c2a0d1e)

00000000  42 4d 30 30 30 30 30 30  30 30 76 00 00 00 28 00  |BM00000000v...(.|
00000010  00 00 00 00 01 00 00 00  01 00 01 00 04 00 00 00  |................|
*
00000021

[samhocevar]

Thanks for the detailed report. Note that this only happens when the fallback BMP loader is used; in general, img2txt should be built with the Imlib2 library (autodetected by ./configure).