saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License
2.49k stars 83 forks source link

A heap-buffer-overflow in function sixel_decode_raw_impl at fromsixel.c:608-4, due to integer overflow #103

Closed YourButterfly closed 4 years ago

YourButterfly commented 4 years ago

libsixel

version

libsixel 1.8.2

description

None

download link

None

others

please send email to  teamseri0us360@gmail.com if you have any questions.

sixel_decode_raw_impl@fromsixel.c:608-41___heap-buffer-overflow

description

An issue was discovered in libsixel 1.8.2, There is a/an heap-buffer-overflow in function sixel_decode_raw_impl at fromsixel.c:608-41

commandline

img2sixel @@ -o /dev/null

source

 604                                         }
 605                                         c <<= 1;
 606                                     }
 607                                     for (y = context->pos_y + i; y < context->pos_y + i + n; ++y) {
> 608                                         me \*bug=>*\ mset(image->data + image->width * y + context->pos_x,
 609                                                context->color_index,
 610                                                (size_t)context->repeat_count);
 611                                     }
 612                                     if (context->max_x < (context->pos_x + context->repeat_count - 1)) {
 613                                         context->max_x = context->pos_x + context->repeat_count - 1;

bug report

=================================================================
==11466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009200 at pc 0x0000004a2fb5 bp 0x7ffc5f4c8500 sp 0x7ffc5f4c7cb0
WRITE of size 2147483647 at 0x629000009200 thread T0
    #0 0x4a2fb4 in __asan_memset (/src/aflbuild/installed/bin/img2sixel+0x4a2fb4)
    #1 0x7fc638b15334 in sixel_decode_raw_impl /src/libsixel/src/fromsixel.c:608:41
    #2 0x7fc638b18964 in sixel_decode_raw /src/libsixel/src/fromsixel.c:881:14
    #3 0x7fc638b7291e in load_sixel /src/libsixel/src/loader.c:613:14
    #4 0x7fc638b7291e in load_with_builtin /src/libsixel/src/loader.c:782
    #5 0x7fc638b7291e in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352
    #6 0x7fc638c1c5bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14
    #7 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22
    #8 0x7fc63775982f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x418d38 in _start (/src/aflbuild/installed/bin/img2sixel+0x418d38)

0x629000009200 is located 0 bytes to the right of 16384-byte region [0x629000005200,0x629000009200)
allocated by thread T0 here:
    #0 0x4b8e68 in malloc (/src/aflbuild/installed/bin/img2sixel+0x4b8e68)
    #1 0x7fc638b1805b in image_buffer_resize /src/libsixel/src/fromsixel.c:292:35

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/aflbuild/installed/bin/img2sixel+0x4a2fb4) in __asan_memset
Shadow bytes around the buggy address:
  0x0c527fff91f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff9240:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11466==ABORTING

others

from fuzz project pwd-libsixel-img2sixel-03
crash name pwd-libsixel-img2sixel-03-00000032-20191120.pnm
Auto-generated by pyspider at 2019-11-20 19:32:45

please send email to  teamseri0us360@gmail.com if you have any questions.
carnil commented 4 years ago

CVE-2019-19635 was assigned for this issue.

saitoha commented 4 years ago

Merged your PR on v1.8.3. Thanks!