saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

An integer overflow in function sixel_decode_raw_impl at fromsixel.c:650 #105

Closed YourButterfly closed 4 years ago

YourButterfly commented 4 years ago

libsixel

version

libsixel 1.8.2

description

None

download link

None

others

Please send an email to teamseri0us360@gmail.com if you have any questions.

sixel_decode_raw_impl@fromsixel.c:650_integer_overflow

description

An issue was discovered in libsixel 1.8.2. There is an integer overflow in function sixel_decode_raw_impl at fromsixel.c:650.

commandline

img2sixel @@ -o /dev/null

source

In a while loop, it does not check whether an integer overflow occurs in context->param = context->param * 10 + *p - '0';

            switch (*p) {
            case '\x1b':
                context->state = PS_ESC;
                p++;
                break;
            case '0':
            case '1':
            case '2':
            case '3':
            case '4':
            case '5':
            case '6':
            case '7':
            case '8':
            case '9':
                context->param = context->param * 10 + *p - '0';
                p++;
                break;
            case ';':
                if (context->nparams < DECSIXEL_PARAMS_MAX) {
                    context->params[context->nparams++] = context->param;
                }
                context->param = 0;
                p++;
                break;
            default:
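
An overflow-checked form of the digit accumulation described in the report above, as an added example: it is not part of the original issue and is not the fix merged into libsixel. The names `accumulate_digit`, `parse_params` and `PARAMS_MAX`, the `PARAM_LIMIT` clamp value, and the simplified handling of non-digit bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define PARAMS_MAX  16     /* assumed; stands in for DECSIXEL_PARAMS_MAX */
#define PARAM_LIMIT 65535  /* assumed clamp value chosen for this example */

/* Append one decimal digit, saturating at PARAM_LIMIT. The bound is tested
 * before multiplying, so no intermediate value can exceed INT_MAX. */
static int accumulate_digit(int param, char digit)
{
    int d = digit - '0';

    if (param > (PARAM_LIMIT - d) / 10)
        return PARAM_LIMIT;
    return param * 10 + d;
}

/* Simplified parameter scanner: digits and ';' only; returns params stored. */
static int parse_params(const unsigned char *buf, size_t len, int *params)
{
    int nparams = 0, param = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        if (buf[i] >= '0' && buf[i] <= '9') {
            param = accumulate_digit(param, (char)buf[i]);
        } else if (buf[i] == ';') {
            if (nparams < PARAMS_MAX)
                params[nparams++] = param;
            param = 0;
        } else {
            break;  /* any other byte ends the parameter list here */
        }
    }
    if (nparams < PARAMS_MAX)
        params[nparams++] = param;
    return nparams;
}

int main(void)
{
    /* Constructed input: the second field is a long digit run. */
    static const unsigned char in[] = "12;99999999999999999999;7";
    int out[PARAMS_MAX], n, i;

    n = parse_params(in, sizeof(in) - 1, out);
    for (i = 0; i < n; i++)
        printf("param[%d] = %d\n", i, out[i]);
    return 0;
}
```

Building the unchecked expression from the report with `-fsanitize=signed-integer-overflow` and feeding it the same long digit run makes the sanitizer report the overflow at the multiplication, while this form stays within range.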

carnil commented 4 years ago

CVE-2019-19637 was assigned for this issue.

saitoha commented 4 years ago

Merged your PR on v1.8.3. Thanks!