saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

heap-buffer-overflow in load_sixel at loader.c:629 #110

Closed SuhwanSong closed 4 years ago

SuhwanSong commented 4 years ago

version : img2sixel 1.8.2

There is a heap-buffer-overflow in load_sixel at loader.c:629. Please run the following command to reproduce it.

img2sixel --high-color $PoC

PoC ASAN log

==36913==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000054d at pc 0x7fb5cf29ac7d bp 0x7ffc97cfe350 sp 0x7ffc97cfe348
READ of size 1 at 0x60400000054d thread T0
    #0 0x7fb5cf29ac7c in load_sixel /home/tmp/libsixel/src/loader.c:629:36
    #1 0x7fb5cf29ac7c in load_with_builtin /home/tmp/libsixel/src/loader.c:782
    #2 0x7fb5cf29ac7c in sixel_helper_load_image_file /home/tmp/libsixel/src/loader.c:1352
    #3 0x7fb5cf4d8d4f in sixel_encoder_encode /home/tmp/libsixel/src/encoder.c:1737:14
    #4 0x51787f in main /home/tmp/libsixel/converters/img2sixel.c:457:22
    #5 0x7fb5cd83bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a379 in _start (/home/tmp/img2sixel+0x41a379)

Address 0x60400000054d is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tmp/libsixel/src/loader.c:629:36 in load_sixel
Shadow bytes around the buggy address:
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff80a0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==36913==ABORTING

carnil commented 4 years ago

CVE-2019-19778 has been assigned for this issue.

saitoha commented 4 years ago

This problem is not reproduced on the recent release v1.8.3 because #95 (https://github.com/saitoha/libsixel/pull/95/commits/614e76133d5832255c6a7091d042354acf6f3aa6) fixed this issue. Thanks!