saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

An integer overflow in function sixel_encode_body at tosixel.c:562-38 #104

Closed YourButterfly closed 4 years ago

YourButterfly commented 4 years ago

libsixel

version

libsixel 1.8.2

description

None

download link

None

others

please send email to teamseri0us360@gmail.com if you have any questions.

sixel_encode_body@tosixel.c:562-38___SEGV_UNKNOW

description

An issue was discovered in libsixel 1.8.2. There is an integer overflow in function sixel_encode_body at tosixel.c:562-38.

commandline

img2sixel @@ -o /dev/null

source

 558         }
 559         for (x = 0; x < width; x++) {
 560             pix = pixels[y * width + x];  /* color index */
 561             if (pix >= 0 && pix < ncolors && pix != keycolor) {
> 562                 map[pix * width + x] |= (1 << i);
 563             }
 564             else if (!palstate) {
 565                 fillable = 0;
 566             }
 567         }

bug report

ASAN:DEADLYSIGNAL
=================================================================
==23526==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1651943dc8 (pc 0x7f17a65b9d04 bp 0x7ffecb75fbd0 sp 0x7ffecb75fa00 T0)
    #0 0x7f17a65b9d03 in sixel_encode_body /src/libsixel/src/tosixel.c:562:38
    #1 0x7f17a65b30ce in sixel_encode_dither /src/libsixel/src/tosixel.c:802:14
    #2 0x7f17a65b30ce in sixel_encode /src/libsixel/src/tosixel.c:1488
    #3 0x7f17a66b31ee in sixel_encoder_output_without_macro /src/libsixel/src/encoder.c:820:14
    #4 0x7f17a66b31ee in sixel_encoder_encode_frame /src/libsixel/src/encoder.c:1050
    #5 0x7f17a6608883 in load_with_builtin /src/libsixel/src/loader.c:913:14
    #6 0x7f17a6608883 in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352
    #7 0x7f17a66b05bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14
    #8 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22
    #9 0x7f17a51ed82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x418d38 in _start (/src/aflbuild/installed/bin/img2sixel+0x418d38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsixel/src/tosixel.c:562:38 in sixel_encode_body
==23526==ABORTING

others

from fuzz project pwd-libsixel-img2sixel-03
crash name pwd-libsixel-img2sixel-03-00000076-20191201.pnm
Auto-generated by pyspider at 2019-12-01 23:22:18

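As an added illustration (not code from libsixel or from this report): a checked form of the allocation count and of the index expression `map[pix * width + x]` shown at line 562 above. The function and parameter names are assumptions; `index_fits_int` shows the int wrap the report's title refers to, and the `checked_` helpers are how a defender would guard both the allocation and the lookup.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helpers, not libsixel's own code. They mirror the index
 * expression from the report, map[pix * width + x], and the count of
 * entries (ncolors * width) the indexed buffer needs. */

/* True iff pix * width + x, evaluated as int as in the original line,
 * stays in range. 64-bit intermediates keep the check itself from wrapping. */
bool index_fits_int(int pix, int width, int x)
{
    if (pix < 0 || width < 0 || x < 0)
        return false;
    int64_t idx = (int64_t)pix * (int64_t)width + (int64_t)x;
    return idx <= INT_MAX;
}

/* ncolors * width as a size_t entry count, refusing to wrap. */
bool checked_map_count(int ncolors, int width, size_t *count)
{
    if (ncolors <= 0 || width <= 0)
        return false;
    size_t n = (size_t)ncolors, w = (size_t)width;
    if (n > SIZE_MAX / w)
        return false;
    *count = n * w;
    return true;
}

/* Index for (pix, x) checked against a buffer of map_count entries.
 * ncolors is passed so pix is validated the way the original loop does. */
bool checked_map_index(int pix, int ncolors, int width, int x,
                       size_t map_count, size_t *out)
{
    if (pix < 0 || pix >= ncolors || width <= 0 || x < 0 || x >= width)
        return false;
    size_t p = (size_t)pix, w = (size_t)width;
    if (p > SIZE_MAX / w || p * w > SIZE_MAX - (size_t)x)
        return false;
    size_t idx = p * w + (size_t)x;
    if (idx >= map_count)
        return false;
    *out = idx;
    return true;
}
```

With a constructed width of 1 << 30 and pix = 3, `index_fits_int` reports that the int expression at line 562 no longer fits, which is the condition the report's sanitizer trace ends in.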
carnil commented 4 years ago

CVE-2019-19636 was assigned for this issue.

saitoha commented 4 years ago

Merged your PR on v1.8.3. Thanks!