search

saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License
2.46k stars 82 forks source link

heap-buffer-overflow in image_buffer_resize at fromsixel.c:391 #118

Closed SuhwanSong closed 4 years ago

SuhwanSong commented 4 years ago

img2sixel 1.8.3 (git commit 41f6be4540b5fbb7d171fdcc21ac2fc2300b13b4)

There is a heap-buffer-overflow in image_buffer_resize at fromsixel.c:391 please run following cmd to reproduce it.

img2sixel --high-color $PoC

poc ASAN LOG

==16689==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8b2a0fc000 at pc 0x0000004d947c bp 0x7fff65fd9340 sp 0x7fff65fd8af0
WRITE of size 1275068416 at 0x7f8b2a0fc000 thread T0
    #0 0x4d947b in __asan_memset (/home/tmp/img2sixel+0x4d947b)
    #1 0x7f8e7448fd93 in image_buffer_resize /home/tmp/libsixel/src/fromsixel.c:391:9
    #2 0x7f8e74478b29 in sixel_decode_raw_impl /home/tmp/libsixel/src/fromsixel.c:643:34
    #3 0x7f8e74490edb in sixel_decode_raw /home/tmp/libsixel/src/fromsixel.c:976:14
    #4 0x7f8e7459baa2 in load_sixel /home/tmp/libsixel/src/loader.c:643:14
    #5 0x7f8e7459baa2 in load_with_builtin /home/tmp/libsixel/src/loader.c:812
    #6 0x7f8e7459baa2 in sixel_helper_load_image_file /home/tmp/libsixel/src/loader.c:1392
    #7 0x7f8e747dd16f in sixel_encoder_encode /home/tmp/libsixel/src/encoder.c:1737:14
    #8 0x51787f in main /home/tmp/libsixel/converters/img2sixel.c:457:22
    #9 0x7f8e72b43b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41a379 in _start (/home/tmp/img2sixel+0x41a379)

0x7f8b2a0fc000 is located 6144 bytes to the left of 13153337344-byte region [0x7f8b2a0fd800,0x7f8e3a0fd800)
allocated by thread T0 here:
    #0 0x4da230 in __interceptor_malloc (/home/tmp/img2sixel+0x4da230)
    #1 0x7f8e7448ec68 in image_buffer_resize /home/tmp/libsixel/src/fromsixel.c:357:35

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/tmp/img2sixel+0x4d947b) in __asan_memset
Shadow bytes around the buggy address:
  0x0ff1e54177b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1e54177c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1e54177d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1e54177e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1e54177f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff1e5417800:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1e5417810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1e5417820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1e5417830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1e5417840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1e5417850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16689==ABORTING
saitoha commented 4 years ago

Fixed on v1.8.4, Thanks!