saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

SEGV due to oversized memory allocation in image_buffer_resize (fromsixel.c:292) #107

Closed cuanduo closed 4 years ago

cuanduo commented 4 years ago

./sixel2png $POC map16.zip

ASan output:

root@ubuntu:/home/tim/libsixel-asan/converters# ./sixel2png ../../libsixel/converters/crashes/map16.six-signalb-0x1
=================================================================
==2835==ERROR: AddressSanitizer: requested allocation size 0xffffffff92146000 (0xffffffff92147000 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x7f019133e448 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c448)
    #1 0x55cf5a99ef7f in rpl_malloc /home/tim/libsixel-asan/converters/malloc_stub.c:45
    #2 0x55cf5a9a1de6 in sixel_allocator_malloc /home/tim/libsixel-asan/src/allocator.c:150
    #3 0x55cf5a9a2921 in image_buffer_resize /home/tim/libsixel-asan/src/fromsixel.c:292
    #4 0x55cf5a9a44c7 in sixel_decode_raw_impl /home/tim/libsixel-asan/src/fromsixel.c:565
    #5 0x55cf5a9a6d80 in sixel_decode_raw /home/tim/libsixel-asan/src/fromsixel.c:881
    #6 0x55cf5a99fdf6 in sixel_decoder_decode /home/tim/libsixel-asan/src/decoder.c:305
    #7 0x55cf5a99eda8 in main /home/tim/libsixel-asan/converters/sixel2png.c:226
    #8 0x7f0191036b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

==2835==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/lib/x86_64-linux-gnu/libasan.so.5+0x10c448) in malloc
==2835==ABORTING

gdb output (note: the width argument 0x92146 = 598342 in frame #1 appears to match the raster-attribute width `598342` in the input string shown in frame #3, so the oversized allocation seems to be driven directly by the dimensions declared in the file):

Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:262
262 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
gdb-peda$ bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:262
#1  0x0000000000403e0d in image_buffer_resize (image=0x7fffffffd9e0, width=0x92146, height=0x2a, bgindex=0xffffffff, allocator=0x30000001000) at fromsixel.c:318
#2  0x0000000000403cb5 in sixel_decode_raw_impl (p=<optimized out>, len=<optimized out>, image=<optimized out>, context=0x7fffffffd960, allocator=0x30000001000) at fromsixel.c:829
#3  0x0000000000403f94 in sixel_decode_raw (
    p=0x30000001890 "\033Pq\"1;1;598342#0;2;82;0;0#1;2;0;81;0#2;2;76;79;0#3;2;18;0;82#4;2;84;0;79#5;2;0;80;81#6;2;78;78;78#7;2;41;41;41#8;2;100;33;29#9;2;0;100;38#10;2;98;100;25#11;2;46;38;100#12;2;100;30;100#13;2;22;100;100#"..., len=0x3b5, 
    pixels=0x7fffffffde48, pwidth=0x7fffffffde58, pheight=0x7fffffffde54, palette=0x7fffffffde40, ncolors=0x7fffffffde5c, allocator=0x2a) at fromsixel.c:881
#4  0x0000000000401a43 in sixel_decoder_decode (decoder=0x30000001120) at decoder.c:305
#5  0x00000000004014f1 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe048) at sixel2png.c:226
#6  0x00007ffff7c49b6b in __libc_start_main (main=0x4012e0 <main>, argc=0x2, argv=0x7fffffffe048, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe038) at ../csu/libc-start.c:308
#7  0x000000000040121a in _start ()
gdb-peda$ 
saitoha commented 4 years ago

Fixed in v1.8.4, thanks!