An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c:650.
commandline
img2sixel @@ -o /dev/null
source
Inside a while loop, the code does not check whether the following statement overflows: context->param = context->param * 10 + *p - '0';
    switch (*p) {
    case '\x1b':
        context->state = PS_ESC;
        p++;
        break;
    case '0':
    case '1':
    case '2':
    case '3':
    case '4':
    case '5':
    case '6':
    case '7':
    case '8':
    case '9':
        context->param = context->param * 10 + *p - '0';
        p++;
        break;
    case ';':
        if (context->nparams < DECSIXEL_PARAMS_MAX) {
            context->params[context->nparams++] = context->param;
        }
        context->param = 0;
        p++;
        break;
    default:
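One way to bound the accumulation, shown as an added example (not libsixel's code and not its actual fix): the digit and ';' cases from the excerpt above, with a saturating add in place of the unchecked multiply. PARAM_VALUE_MAX, PARAMS_MAX, struct ctx and the function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define PARAMS_MAX 16          /* stand-in for DECSIXEL_PARAMS_MAX (value assumed) */
#define PARAM_VALUE_MAX 65535  /* hypothetical cap, not a libsixel constant */

struct ctx {
    int param;
    int nparams;
    int params[PARAMS_MAX];
};

/* Add one decimal digit, saturating at PARAM_VALUE_MAX instead of
 * evaluating param * 10 + digit when the result would exceed the cap. */
static int add_digit(int param, unsigned char c)
{
    int digit = c - '0';
    if (param > (PARAM_VALUE_MAX - digit) / 10)
        return PARAM_VALUE_MAX;
    return param * 10 + digit;
}

/* Same digit / ';' handling as the excerpt, using the checked add.
 * Stops at the first byte that is neither; returns bytes consumed. */
static size_t parse_params(struct ctx *c, const unsigned char *p, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (p[i] >= '0' && p[i] <= '9') {
            c->param = add_digit(c->param, p[i]);
        } else if (p[i] == ';') {
            if (c->nparams < PARAMS_MAX)
                c->params[c->nparams++] = c->param;
            c->param = 0;
        } else {
            break;
        }
    }
    return i;
}

int main(void)
{
    /* Constructed input: the second parameter is far larger than INT_MAX. */
    static const unsigned char in[] = "12;99999999999999999999;7;";
    struct ctx c = {0};
    size_t used = parse_params(&c, in, sizeof in - 1);
    printf("%zu bytes, %d params: %d %d %d\n", used, c.nparams,
           c.params[0], c.params[1], c.params[2]);
    return 0;
}
```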