Closed gutiniao closed 4 years ago
I can't reproduce it.
$ CC=gcc-7 CFLAGS="-O0 -g -fsanitize=address,leak -fno-omit-frame-pointer" LDFLAGS="-lasan " LDADD="-static-libasan " ./configure --without-png --without-jpeg && make install
$ git show -s
commit 0cbee9f1aea69f054e8e269395cdbddc753fd0ad (HEAD -> release-1.8, origin/release-1.8)
Author: Hayaki Saito <saitoha@me.com>
Date: Wed Dec 18 07:57:25 2019 +0900
Update README
$ img2sixel -V | head -n9
img2sixel 1.8.3
configured with:
libcurl: yes
libpng: no
libjpeg: no
gdk-pixbuf2: no
GD: no
$ img2sixel 'https://github.com/gutiniao/afltest/blob/master/000-memleak-rpl_malloc?raw=true'
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.
Can you check your environment?
Well, I find the issue still exists in the newest version (1.8.4). My OS and gcc version:
root@liuz-virtual-machine:/usr/local/libsixel-fuzz3/bin# gcc --version
gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
root@liuz-virtual-machine:/usr/local/libsixel-fuzz3/bin# cat /etc/issue
Ubuntu 18.04.3 LTS \n \l
root@liuz-virtual-machine:/usr/local/libsixel-fuzz3/bin#
configure:
CC="gcc" CXX="g++" CFLAGS="-ggdb -fsanitize=address" CXXFLAGS="-ggdb -fsanitize=address"
run:
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.
=================================================================
==6016==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 6336 byte(s) in 1 object(s) allocated from:
#0 0x7f84b5cbdb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55f930907543 in rpl_malloc /home/liuz/libsixel-2019/1.8.4/libsixel-asan/converters/malloc_stub.c:45
#2 0x7f84b5995a41 in sixel_allocator_malloc /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/allocator.c:155
#3 0x7f84b5922d9e in image_buffer_resize /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:357
#4 0x7f84b5924961 in sixel_decode_raw_impl /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:659
#5 0x7f84b59271b6 in sixel_decode_raw /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:994
#6 0x7f84b5976c23 in load_sixel /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:643
#7 0x7f84b5977e27 in load_with_builtin /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:812
#8 0x7f84b5978aac in sixel_helper_load_image_file /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:1392
#9 0x7f84b59883e3 in sixel_encoder_encode /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/encoder.c:1737
#10 0x55f93090732e in main /home/liuz/libsixel-2019/1.8.4/libsixel-asan/converters/img2sixel.c:457
#11 0x7f84b5516b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: 6336 byte(s) leaked in 1 allocation(s)
valgrind:
# valgrind --leak-check=full ./img2sixel 000-memleak-rpl_malloc
==21593== Memcheck, a memory error detector
==21593== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21593== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==21593== Command: ./img2sixel 000-memleak-rpl_malloc
==21593==
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.
==21593==
==21593== HEAP SUMMARY:
==21593== in use at exit: 32 bytes in 1 blocks
==21593== total heap usage: 11 allocs, 10 frees, 37,801 bytes allocated
==21593==
==21593== 32 bytes in 1 blocks are definitely lost in loss record 1 of 1
==21593== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21593== by 0x4E625C4: image_buffer_resize (fromsixel.c:357)
==21593== by 0x4E65395: sixel_decode_raw_impl (fromsixel.c:659)
==21593== by 0x4E679D7: sixel_decode_raw (fromsixel.c:994)
==21593== by 0x4F3B909: load_sixel (loader.c:643)
==21593== by 0x4F3B909: load_with_builtin (loader.c:812)
==21593== by 0x4F459AA: sixel_helper_load_image_file (loader.c:1392)
==21593== by 0x4F5FEBB: sixel_encoder_encode (encoder.c:1737)
==21593== by 0x109AF5: main (img2sixel.c:457)
==21593==
==21593== LEAK SUMMARY:
==21593== definitely lost: 32 bytes in 1 blocks
==21593== indirectly lost: 0 bytes in 0 blocks
==21593== possibly lost: 0 bytes in 0 blocks
==21593== still reachable: 0 bytes in 0 blocks
==21593== suppressed: 0 bytes in 0 blocks
==21593==
==21593== For counts of detected and suppressed errors, rerun with: -v
==21593== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
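Both reports above show the same shape of bug: a buffer is allocated in image_buffer_resize, a later overflow check fails, and the function returns on the error path without releasing that buffer. The following is an added example, not libsixel's code, that reproduces the pattern in a hypothetical resize routine (names resize_leaky, resize_safe, checked_buffer_size and the tracked_malloc counters are all constructed for this illustration) beside a hardened version that routes every failure through a single cleanup label. The counters make the leak observable in a plain test run without a sanitizer.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation wrappers: count live blocks so a leak is observable
 * without ASan or valgrind. */
static size_t g_live_allocs = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL) g_live_allocs++;
    return p;
}

static void tracked_free(void *p) {
    if (p != NULL) g_live_allocs--;
    free(p);
}

size_t live_allocs(void) { return g_live_allocs; }

typedef struct {
    unsigned char *data;
    int width;
    int height;
} image_t;

/* Hypothetical overflow-checked size helper: width*height as size_t, or -1
 * on a non-positive dimension or a multiplication overflow. */
static int checked_buffer_size(int width, int height, size_t *out) {
    if (width <= 0 || height <= 0) return -1;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, out)) return -1;
    return 0;
}

/* Leaky variant, matching the reports above: the new buffer is allocated,
 * then a later overflow-checked addition (here: row stride = width + pad)
 * fails and the function returns early without releasing the buffer. */
int resize_leaky(image_t *img, int new_w, int new_h, int pad) {
    size_t n;
    int stride;
    unsigned char *buf;

    if (checked_buffer_size(new_w, new_h, &n) != 0) return -1;
    buf = tracked_malloc(n);
    if (buf == NULL) return -1;
    memset(buf, 0, n);
    if (__builtin_add_overflow(new_w, pad, &stride)) return -1; /* leaks buf */
    (void)stride;
    tracked_free(img->data);
    img->data = buf;
    img->width = new_w;
    img->height = new_h;
    return 0;
}

/* Hardened variant: every failure after the allocation goes through one
 * cleanup label, and the old buffer is replaced only once success is certain. */
int resize_safe(image_t *img, int new_w, int new_h, int pad) {
    size_t n;
    int stride;
    unsigned char *buf = NULL;
    int status = -1;

    if (checked_buffer_size(new_w, new_h, &n) != 0) goto end;
    buf = tracked_malloc(n);
    if (buf == NULL) goto end;
    memset(buf, 0, n);
    if (__builtin_add_overflow(new_w, pad, &stride)) goto end;
    (void)stride;
    tracked_free(img->data);
    img->data = buf;
    buf = NULL;             /* ownership transferred; nothing left to free */
    img->width = new_w;
    img->height = new_h;
    status = 0;
end:
    tracked_free(buf);      /* no-op on success, releases buf on any failure */
    return status;
}

void image_release(image_t *img) {
    tracked_free(img->data);
    img->data = NULL;
    img->width = img->height = 0;
}
```

The design point is ownership: once a function has allocated, every return path must either hand the block to its owner or free it, and the single-exit form makes that invariant visible in review. Running the leaky variant with an overflowing pad under the counters shows one block outstanding after the call, exactly what LeakSanitizer and valgrind report above.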
b9a4175 also fixes #119 and #117.
This issue has been assigned CVE-2019-20023
Fixed on v1.8.5. Thanks!
A crafted input will lead to a crash in frompnm.c at libsixel 1.8.3 (git from the branch).
Triggered by: ./img2sixel 000-memleak-rpl_malloc
Poc: 000-memleak-rpl_malloc
The ASAN info:
about code: