saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License
2.46k stars 82 forks

A memory leaks issue in image_buffer_resize at fromsixel.c:293 #120

Closed gutiniao closed 4 years ago

gutiniao commented 4 years ago

A crafted input leads to a crash in frompnm.c at libsixel 1.8.3 (git from the branch).

Triggered by: ./img2sixel 000-memleak-rpl_malloc

Poc: 000-memleak-rpl_malloc

The ASAN info:

# ./img2sixel 000-memleak-rpl_malloc 
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.

=================================================================
==9353==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f99a109eb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x5583fae75543 in rpl_malloc /home/liuz/libsixel-2019/libsixel/converters/malloc_stub.c:45
    #2 0x7f99a0d76834 in sixel_allocator_malloc /home/liuz/libsixel-2019/libsixel/src/allocator.c:155
    #3 0x7f99a0d03b74 in image_buffer_resize /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:293
    #4 0x7f99a0d057ed in sixel_decode_raw_impl /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:590
    #5 0x7f99a0d08031 in sixel_decode_raw /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:925
    #6 0x7f99a0d57a16 in load_sixel /home/liuz/libsixel-2019/libsixel/src/loader.c:619
    #7 0x7f99a0d58c1a in load_with_builtin /home/liuz/libsixel-2019/libsixel/src/loader.c:788
    #8 0x7f99a0d5989f in sixel_helper_load_image_file /home/liuz/libsixel-2019/libsixel/src/loader.c:1368
    #9 0x7f99a0d691d6 in sixel_encoder_encode /home/liuz/libsixel-2019/libsixel/src/encoder.c:1737
    #10 0x5583fae7532e in main /home/liuz/libsixel-2019/libsixel/converters/img2sixel.c:457
    #11 0x7f99a08f7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).

about code:

image_buffer_resize(
    image_buffer_t     *image,
    int                 width,
    int                 height,
    int                 bgindex,
    sixel_allocator_t  *allocator)
{
    SIXELSTATUS status = SIXEL_FALSE;
    size_t size;
    unsigned char *alt_buffer;
    int n;
    int min_height;

    size = (size_t)(width * height);
->    alt_buffer = (unsigned char *)sixel_allocator_malloc(allocator, size);
    if (alt_buffer == NULL || size == 0) {
        /* free source image */
        sixel_allocator_free(allocator, image->data
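Two things in the snippet above are worth separating: the size is computed as `(size_t)(width * height)`, so the multiplication happens in signed `int` and can overflow before the cast, and the buffer that LeakSanitizer reports is the one allocated here and then abandoned when a later step in the decoder bails out on the "integer overflow" error. The following is an added example written for this page, not libsixel's code and not the fix that landed in the project: a resize routine of the same shape with an overflow-checked size computation and a single cleanup path in a simulated decoder, so that an error after the resize still frees the image. `image_t`, `checked_pixel_count`, `resize_checked`, `decode_simulated`, the counting allocator and the 16 Mi pixel cap are all hypothetical names and values; `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
/* Added example (hypothetical code, not libsixel's): overflow-checked
 * resize plus a decoder skeleton whose every exit path frees the image. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical image type with the fields image_buffer_resize() touches. */
typedef struct {
    unsigned char *data;
    int            width;
    int            height;
} image_t;

/* Allocation counter so a caller can verify that every buffer was released
 * (a stand-in for what LeakSanitizer / valgrind report on the page). */
static int live_allocs = 0;

static void *counted_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL) live_allocs++;
    return p;
}

static void counted_free(void *p)
{
    if (p != NULL) { live_allocs--; free(p); }
}

/* Overflow-checked pixel count. The original computes (size_t)(width * height):
 * the product is evaluated as signed int and may overflow before the cast.
 * Here both operands are widened to size_t first, the product is checked with
 * __builtin_mul_overflow, and an application limit is enforced on top. */
static int checked_pixel_count(int width, int height, size_t limit, size_t *out)
{
    size_t n;
    if (width <= 0 || height <= 0) return -1;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &n)) return -1;
    if (n > limit) return -1;
    *out = n;
    return 0;
}

/* Resize to width x height, padding new area with bgindex. On failure the
 * caller's image is left untouched, so ownership stays unambiguous: exactly
 * one buffer exists at any time and image_free() releases it. */
static int resize_checked(image_t *image, int width, int height,
                          int bgindex, size_t limit)
{
    size_t size;
    unsigned char *alt;
    int row, min_w, min_h;

    if (checked_pixel_count(width, height, limit, &size) != 0) return -1;
    alt = counted_malloc(size);
    if (alt == NULL) return -1;

    memset(alt, bgindex, size);
    min_w = width  < image->width  ? width  : image->width;
    min_h = height < image->height ? height : image->height;
    for (row = 0; row < min_h; ++row)
        memcpy(alt + (size_t)width * (size_t)row,
               image->data + (size_t)image->width * (size_t)row,
               (size_t)min_w);

    counted_free(image->data);      /* old buffer released exactly once */
    image->data   = alt;
    image->width  = width;
    image->height = height;
    return 0;
}

static void image_free(image_t *image)
{
    counted_free(image->data);
    image->data = NULL;
}

/* Simulated decoder in the shape of the trace on this page: allocate a 1x1
 * image, grow it, then run a later parameter check that may fail (standing in
 * for safe_addition_for_params). Every path goes through the single cleanup
 * label. Returns the number of live allocations afterwards (0 = no leak). */
static int decode_simulated(int grow_w, int grow_h, int later_check_fails)
{
    image_t img = { NULL, 1, 1 };
    size_t limit = (size_t)1 << 24;             /* assumed 16 Mi pixel cap */

    live_allocs = 0;
    img.data = counted_malloc(1);
    if (img.data == NULL) goto end;
    img.data[0] = 7;

    if (resize_checked(&img, grow_w, grow_h, 0, limit) != 0) goto end;
    if (img.data[0] != 7) goto end;             /* original pixel survives */
    if (later_check_fails) goto end;            /* error after the resize */
end:
    image_free(&img);                           /* runs on success and error */
    return live_allocs;
}

int main(void)
{
    printf("ok path leaks: %d\n", decode_simulated(8, 8, 0));
    printf("late error leaks: %d\n", decode_simulated(8, 8, 1));
    printf("overflowing size leaks: %d\n", decode_simulated(INT_MAX, INT_MAX, 0));
    return 0;
}
```

The point of the counter is that a leak of this kind is easy to assert on in a unit test: call the decoder with a failing input and check that the live-allocation count returns to zero, instead of relying on a sanitizer run at release time.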
saitoha commented 4 years ago

I can't reproduce it.

$ CC=gcc-7 CFLAGS="-O0 -g -fsanitize=address,leak -fno-omit-frame-pointer" LDFLAGS="-lasan " LDADD="-static-libasan " ./configure --without-png --without-jpeg && make install 
$ git show -s
commit 0cbee9f1aea69f054e8e269395cdbddc753fd0ad (HEAD -> release-1.8, origin/release-1.8)
Author: Hayaki Saito <saitoha@me.com>
Date:   Wed Dec 18 07:57:25 2019 +0900

    Update README
$ img2sixel -V | head -n9
img2sixel 1.8.3

configured with:
  libcurl: yes
  libpng: no
  libjpeg: no
  gdk-pixbuf2: no
  GD: no
$ img2sixel 'https://github.com/gutiniao/afltest/blob/master/000-memleak-rpl_malloc?raw=true'
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.

Can you check your environment?

gutiniao commented 4 years ago

Well, I find the issue still exists in the newest version (1.8.4). My OS and gcc version:

root@liuz-virtual-machine:/usr/local/libsixel-fuzz3/bin# gcc --version
gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

root@liuz-virtual-machine:/usr/local/libsixel-fuzz3/bin# cat /etc/issue
Ubuntu 18.04.3 LTS \n \l


configure: CC="gcc" CXX="g++" CFLAGS="-ggdb -fsanitize=address" CXXFLAGS="-ggdb -fsanitize=address"

run:

runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.

=================================================================
==6016==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 6336 byte(s) in 1 object(s) allocated from:
    #0 0x7f84b5cbdb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55f930907543 in rpl_malloc /home/liuz/libsixel-2019/1.8.4/libsixel-asan/converters/malloc_stub.c:45
    #2 0x7f84b5995a41 in sixel_allocator_malloc /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/allocator.c:155
    #3 0x7f84b5922d9e in image_buffer_resize /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:357
    #4 0x7f84b5924961 in sixel_decode_raw_impl /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:659
    #5 0x7f84b59271b6 in sixel_decode_raw /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:994
    #6 0x7f84b5976c23 in load_sixel /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:643
    #7 0x7f84b5977e27 in load_with_builtin /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:812
    #8 0x7f84b5978aac in sixel_helper_load_image_file /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:1392
    #9 0x7f84b59883e3 in sixel_encoder_encode /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/encoder.c:1737
    #10 0x55f93090732e in main /home/liuz/libsixel-2019/1.8.4/libsixel-asan/converters/img2sixel.c:457
    #11 0x7f84b5516b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: 6336 byte(s) leaked in 1 allocation(s)

valgrind:

# valgrind --leak-check=full ./img2sixel 000-memleak-rpl_malloc 
==21593== Memcheck, a memory error detector
==21593== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21593== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==21593== Command: ./img2sixel 000-memleak-rpl_malloc
==21593== 
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.
==21593== 
==21593== HEAP SUMMARY:
==21593==     in use at exit: 32 bytes in 1 blocks
==21593==   total heap usage: 11 allocs, 10 frees, 37,801 bytes allocated
==21593== 
==21593== 32 bytes in 1 blocks are definitely lost in loss record 1 of 1
==21593==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21593==    by 0x4E625C4: image_buffer_resize (fromsixel.c:357)
==21593==    by 0x4E65395: sixel_decode_raw_impl (fromsixel.c:659)
==21593==    by 0x4E679D7: sixel_decode_raw (fromsixel.c:994)
==21593==    by 0x4F3B909: load_sixel (loader.c:643)
==21593==    by 0x4F3B909: load_with_builtin (loader.c:812)
==21593==    by 0x4F459AA: sixel_helper_load_image_file (loader.c:1392)
==21593==    by 0x4F5FEBB: sixel_encoder_encode (encoder.c:1737)
==21593==    by 0x109AF5: main (img2sixel.c:457)
==21593== 
==21593== LEAK SUMMARY:
==21593==    definitely lost: 32 bytes in 1 blocks
==21593==    indirectly lost: 0 bytes in 0 blocks
==21593==      possibly lost: 0 bytes in 0 blocks
==21593==    still reachable: 0 bytes in 0 blocks
==21593==         suppressed: 0 bytes in 0 blocks
==21593== 
==21593== For counts of detected and suppressed errors, rerun with: -v
==21593== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
saitoha commented 4 years ago

b9a4175 also fixes #119 and #117.

carnil commented 4 years ago

This issue has been assigned CVE-2019-20023

saitoha commented 4 years ago

Fixed on v1.8.5. Thanks!