A heap-buffer-overflow found in function load_pnm at frompnm.c:289-50, due to integer overflow

[YourButterfly]

libsixel

version

libsixel 1.8.2

description

None

download link

None

others

please send email to  teamseri0us360@gmail.com if you have any questions.

---

load_pnm@frompnm.c:289-50___heap-buffer-overflow

description

An issue was discovered in libsixel 1.8.2, There is a/an heap-buffer-overflow in function load_pnm at frompnm.c:289-50

commandline

img2sixel @@ -o /dev/null

source

 285                 goto unknown;
 286             }
 287 
 288             *(*result + (y * width + x) * 3 + 0) = component[0];
> 289             *(*result + (y * width + x) * 3 + 1) =  \*bug=>*\ component[1];
 290             *(*result + (y * width + x) * 3 + 2) = component[2];
 291         }
 292     }
 293 
 294     *psx = width;

bug report

=================================================================
==14542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f21c at pc 0x7f8b8b6e9f1c bp 0x7ffc5d2e6fb0 sp 0x7ffc5d2e6fa8
WRITE of size 1 at 0x61d00001f21c thread T0
    #0 0x7f8b8b6e9f1b in load_pnm /src/libsixel/src/frompnm.c:289:50
    #1 0x7f8b8b64e415 in load_with_builtin /src/libsixel/src/loader.c:801:18
    #2 0x7f8b8b64e415 in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352
    #3 0x7f8b8b6f95bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14
    #4 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22
    #5 0x7f8b8a23682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x418d38 in _start (/src/aflbuild/installed/bin/img2sixel+0x418d38)

0x61d00001f21c is located 0 bytes to the right of 1948-byte region [0x61d00001ea80,0x61d00001f21c)
allocated by thread T0 here:
    #0 0x4b8e68 in malloc (/src/aflbuild/installed/bin/img2sixel+0x4b8e68)
    #1 0x7f8b8b6e87b7 in load_pnm /src/libsixel/src/frompnm.c:211:32
    #2 0x7f8b8b64e415 in load_with_builtin /src/libsixel/src/loader.c:801:18
    #3 0x7f8b8b64e415 in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352
    #4 0x7f8b8b6f95bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14
    #5 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22
    #6 0x7f8b8a23682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libsixel/src/frompnm.c:289:50 in load_pnm
Shadow bytes around the buggy address:
  0x0c3a7fffbdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbe40: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14542==ABORTING

others

from fuzz project pwd-libsixel-img2sixel-03
crash name pwd-libsixel-img2sixel-03-00000050-20191121.pnm
Auto-generated by pyspider at 2019-11-21 05:33:37

please send email to  teamseri0us360@gmail.com if you have any questions.

[carnil]

CVE-2019-19638 was assigned for this issue.

[saitoha]

Merged your PR on v1.8.3. Thanks!