search

hzeller / timg

A terminal image and video viewer.
GNU General Public License v2.0
1.91k stars 73 forks source link

Detected memory leaks on timg #119

Closed Frank-Z7 closed 11 months ago

Frank-Z7 commented 11 months ago

Memory leaks on timg

Description

When running timg under the "-g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15" configuration options, we found two memory leaks in the function main at /src/timg.cc:541:30 and /src/timg.cc:961:35.

Command1

./src/timg -g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15 id\:000000\,sig\:06\,src\:001731\,time\:1596515\,execs\:39195\,op\:havoc\,rep\:3

ASAN Log1

cd timg

./src/timg -g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15 id\:000000\,sig\:06\,src\:001731\,time\:1596515\,execs\:39195\,op\:havoc\,rep\:3

=================================================================
==2978288==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 5 byte(s) in 1 object(s) allocated from:
    #0 0x487e04 in strdup (/afltest/timg/src/timg+0x487e04)
    #1 0x4d08a2 in main /afltest/timg/src/timg.cc:541:30
    #2 0x7ffff7587082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 5 byte(s) leaked in 1 allocation(s).

Location1

main /afltest/timg/src/timg.cc:541:30

image-20231011232841632

PoC1:

https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/id_000000%2Csig_06%2Csrc_001731%2Ctime_1596515%2Cexecs_39195%2Cop_havoc%2Crep_3

Command2

./src/timg -g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15 poc2timg

ASAN Log2

cd timg

./src/timg -g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15 poc2timg

=================================================================
==581413==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1056 byte(s) in 1 object(s) allocated from:
    #0 0x49c4f7 in posix_memalign (/afltest/timg/src/timg+0x49c4f7)
    #1 0x3d39bcf in av_malloc /afltest/ffmpeg/ffmpeg-4.2.4/libavutil/mem.c:87:9
    #2 0x209894c in avcodec_alloc_context3 /afltest/ffmpeg/ffmpeg-4.2.4/libavcodec/options.c:158:28
    #3 0x4fb0de in timg::ImageSource::Create(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, timg::DisplayOptions const&, int, int, bool, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /afltest/timg/src/image-source.cc:198:21
    #4 0x4e95aa in main::$_5::operator()() const /afltest/timg/src/timg.cc:961:35
    #5 0x4e95aa in std::_Function_handler<timg::ImageSource* (), main::$_5>::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:285:9
    #6 0x4eb9cd in std::function<timg::ImageSource* ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:688:14
    #7 0x4eb9cd in std::future<timg::ImageSource*> timg::ThreadPool::ExecAsync<timg::ImageSource*>(std::function<timg::ImageSource* ()>)::'lambda'()::operator()() const /afltest/timg/src/thread-pool.h:50:26
    #8 0x4eb9cd in std::_Function_handler<void (), std::future<timg::ImageSource*> timg::ThreadPool::ExecAsync<timg::ImageSource*>(std::function<timg::ImageSource* ()>)::'lambda'()>::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:300:2
    #9 0x4dfaae in std::function<void ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:688:14
    #10 0x4dfaae in timg::ThreadPool::Runner() /afltest/timg/src/thread-pool.h:76:13
    #11 0x7ffff787bdf3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6df3)

Direct leak of 5 byte(s) in 1 object(s) allocated from:
    #0 0x487e04 in strdup (/afltest/timg/src/timg+0x487e04)
    #1 0x4d08a2 in main /afltest/timg/src/timg.cc:541:30
    #2 0x7ffff7587082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 1061 byte(s) leaked in 2 allocation(s).

Location2

image-20231011235712737

PoC2:

https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc2timg

Version

timg v1.5.2-2-gc5635a0 2023-09-01 05:16:08 -0700 <https://timg.sh/>
Copyright (c) 2016..2023 Henner Zeller. This program is free software; license GPL 2.0.

Image decoding GraphicsMagick 1.3.35 (2020-02-23)
Turbo JPEG
QOI image loading
STB image loading fallback
swscale 5.5.100
Video decoding libav 58.29.100; avdevice 58.8.100
Half, quarter, iterm2, and kitty graphics output: timg builtin.
Libsixel version 1.8.2

Reference

https://github.com/hzeller/timg

Actual Behavior

Memory leaks

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Thanks for your time!

Credit

Zeng Yunxiang

Song Jiaxuan