An issue was discovered in libsixel 1.8.2, There is a/an heap-buffer-overflow in function sixel_decode_raw_impl at fromsixel.c:608-41
commandline
img2sixel @@ -o /dev/null
source
604 }
605 c <<= 1;
606 }
607 for (y = context->pos_y + i; y < context->pos_y + i + n; ++y) {
> 608 me \*bug=>*\ mset(image->data + image->width * y + context->pos_x,
609 context->color_index,
610 (size_t)context->repeat_count);
611 }
612 if (context->max_x < (context->pos_x + context->repeat_count - 1)) {
613 context->max_x = context->pos_x + context->repeat_count - 1;
bug report
=================================================================
==11466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009200 at pc 0x0000004a2fb5 bp 0x7ffc5f4c8500 sp 0x7ffc5f4c7cb0
WRITE of size 2147483647 at 0x629000009200 thread T0
#0 0x4a2fb4 in __asan_memset (/src/aflbuild/installed/bin/img2sixel+0x4a2fb4)
#1 0x7fc638b15334 in sixel_decode_raw_impl /src/libsixel/src/fromsixel.c:608:41
#2 0x7fc638b18964 in sixel_decode_raw /src/libsixel/src/fromsixel.c:881:14
#3 0x7fc638b7291e in load_sixel /src/libsixel/src/loader.c:613:14
#4 0x7fc638b7291e in load_with_builtin /src/libsixel/src/loader.c:782
#5 0x7fc638b7291e in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352
#6 0x7fc638c1c5bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14
#7 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22
#8 0x7fc63775982f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x418d38 in _start (/src/aflbuild/installed/bin/img2sixel+0x418d38)
0x629000009200 is located 0 bytes to the right of 16384-byte region [0x629000005200,0x629000009200)
allocated by thread T0 here:
#0 0x4b8e68 in malloc (/src/aflbuild/installed/bin/img2sixel+0x4b8e68)
#1 0x7fc638b1805b in image_buffer_resize /src/libsixel/src/fromsixel.c:292:35
SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/aflbuild/installed/bin/img2sixel+0x4a2fb4) in __asan_memset
Shadow bytes around the buggy address:
0x0c527fff91f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff9200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff9210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff9220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff9230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff9240:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11466==ABORTING
others
from fuzz project pwd-libsixel-img2sixel-03
crash name pwd-libsixel-img2sixel-03-00000032-20191120.pnm
Auto-generated by pyspider at 2019-11-20 19:32:45
please send email to teamseri0us360@gmail.com if you have any questions.
libsixel
version
description
download link
others
sixel_decode_raw_impl@fromsixel.c:608-41___heap-buffer-overflow
description
commandline
source
bug report
others