# ./img2sixel 001-heap--
The ASan output:

```
=================================================================
==9357==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd4800ff800 at pc 0x7fd483ed777a bp 0x7fff63150e20 sp 0x7fff631505c8
WRITE of size 512 at 0x7fd4800ff800 thread T0
    #0 0x7fd483ed7779 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x7fd483ba1d2e in image_buffer_resize /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:308
    #2 0x7fd483ba37ed in sixel_decode_raw_impl /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:590
    #3 0x7fd483ba6031 in sixel_decode_raw /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:925
    #4 0x7fd483bf5a16 in load_sixel /home/liuz/libsixel-2019/libsixel/src/loader.c:619
    #5 0x7fd483bf6c1a in load_with_builtin /home/liuz/libsixel-2019/libsixel/src/loader.c:788
    #6 0x7fd483bf789f in sixel_helper_load_image_file /home/liuz/libsixel-2019/libsixel/src/loader.c:1368
    #7 0x7fd483c071d6 in sixel_encoder_encode /home/liuz/libsixel-2019/libsixel/src/encoder.c:1737
    #8 0x56105580d32e in main /home/liuz/libsixel-2019/libsixel/converters/img2sixel.c:457
    #9 0x7fd483795b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x56105580ac79 in _start (/usr/local/libsixel-asan2/bin/img2sixel+0x1c79)

0x7fd4800ff800 is located 0 bytes to the right of 76414976-byte region [0x7fd47b81f800,0x7fd4800ff800)
allocated by thread T0 here:
    #0 0x7fd483f3cb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x56105580d543 in rpl_malloc /home/liuz/libsixel-2019/libsixel/converters/malloc_stub.c:45
    #2 0x7fd483c14834 in sixel_allocator_malloc /home/liuz/libsixel-2019/libsixel/src/allocator.c:155
    #3 0x7fd483ba1b74 in image_buffer_resize /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:293
    #4 0x7fd483ba37ed in sixel_decode_raw_impl /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:590
    #5 0x7fd483ba6031 in sixel_decode_raw /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:925
    #6 0x7fd483bf5a16 in load_sixel /home/liuz/libsixel-2019/libsixel/src/loader.c:619
    #7 0x7fd483bf6c1a in load_with_builtin /home/liuz/libsixel-2019/libsixel/src/loader.c:788
    #8 0x7fd483bf789f in sixel_helper_load_image_file /home/liuz/libsixel-2019/libsixel/src/loader.c:1368
    #9 0x7fd483c071d6 in sixel_encoder_encode /home/liuz/libsixel-2019/libsixel/src/encoder.c:1737
    #10 0x56105580d32e in main /home/liuz/libsixel-2019/libsixel/converters/img2sixel.c:457
    #11 0x7fd483795b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
Shadow bytes around the buggy address:
  0x0ffb10017eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffb10017ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffb10017ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffb10017ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffb10017ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffb10017f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9357==ABORTING
```
About the code (src/fromsixel.c, image_buffer_resize; the memcpy at line 308 is the overflowing write, the buffer it writes into was allocated at line 293):

```c
    min_height = height > image->height ? image->height: height;
    if (width > image->width) {  /* if width is extended */
        for (n = 0; n < min_height; ++n) {
            /* copy from source image */
            memcpy(alt_buffer + width * n,           /* fromsixel.c:308 */
                   image->data + image->width * n,
                   (size_t)image->width);
            /* fill extended area with background color */
```
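The trace says everything a fix needs to satisfy: a 512-byte row copy (image->width bytes) lands exactly at the end of a 76414976-byte region that the same function allocated, so the row loop writes more bytes than were allocated for width x height. The snippet above does not show how that allocation size was computed, and the report does not say why it was too small, so the example below does not claim a root cause. It is an added example, not libsixel code: a stand-alone reimplementation of the same row-copy shape in which the allocation size is computed with overflow-checked size_t arithmetic, rejected if it cannot fit the int offsets the loop uses, and every memcpy is bounded against the size actually allocated. image_buffer_t, checked_mul, checked_resize, demo_resize and the 4x2 sample image are assumptions of this example, not names from the project.

```c
/* Added example, not libsixel code: a bounds-checked version of the
 * row-copy loop from the report. All names and the sample data here
 * are constructed for the example. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: one byte per pixel, rows of `width` bytes. */
typedef struct {
    unsigned char *data;
    int width;
    int height;
} image_buffer_t;

#define RESIZE_OK      0
#define RESIZE_EINVAL (-1)   /* dimensions rejected before any allocation */
#define RESIZE_ENOMEM (-2)

/* Multiply two non-negative ints into a size_t without wrapping; an
 * int*int product would silently truncate and undersize the buffer. */
int checked_mul(int a, int b, size_t *out)
{
    if (a < 0 || b < 0)
        return 0;
    if (a != 0 && (size_t)b > SIZE_MAX / (size_t)a)
        return 0;
    *out = (size_t)a * (size_t)b;
    return 1;
}

/* Resize `image` to width x height: copy the overlapping rows, fill the
 * rest with bgindex. Same shape as the snippet above, but the size is
 * computed without overflow and each row copy is checked against it. */
int checked_resize(image_buffer_t *image, int width, int height, unsigned char bgindex)
{
    size_t size, dst_off, src_off;
    unsigned char *alt_buffer;
    int n, min_height, min_width;

    if (width <= 0 || height <= 0 || image->width <= 0 || image->height <= 0)
        return RESIZE_EINVAL;
    if (!checked_mul(width, height, &size) || size > (size_t)INT_MAX)
        return RESIZE_EINVAL;   /* would not fit the int offsets used by the loop */

    alt_buffer = malloc(size);
    if (alt_buffer == NULL)
        return RESIZE_ENOMEM;

    min_height = height > image->height ? image->height : height;
    min_width  = width  > image->width  ? image->width  : width;

    for (n = 0; n < min_height; ++n) {
        dst_off = (size_t)width * (size_t)n;
        src_off = (size_t)image->width * (size_t)n;
        /* The guard the report's memcpy lacks: fail instead of writing
         * past the allocation (this is what ASan caught at line 308). */
        if (dst_off + (size_t)min_width > size) {
            free(alt_buffer);
            return RESIZE_EINVAL;
        }
        memcpy(alt_buffer + dst_off, image->data + src_off, (size_t)min_width);
        if (width > image->width)   /* fill extended area with background color */
            memset(alt_buffer + dst_off + (size_t)min_width, bgindex,
                   (size_t)(width - image->width));
    }
    if (height > image->height)     /* fill extended rows with background color */
        memset(alt_buffer + (size_t)width * (size_t)image->height, bgindex,
               (size_t)width * (size_t)(height - image->height));

    free(image->data);
    image->data = alt_buffer;
    image->width = width;
    image->height = height;
    return RESIZE_OK;
}

/* Constructed check: grow a 4x2 image to 6x3 and verify the layout, then
 * request 65536x65536, whose product (2^32) does not fit an int. Returns 1
 * if the benign resize succeeds and the oversized one is rejected before
 * any allocation, 0 otherwise. */
int demo_resize(void)
{
    static const unsigned char src[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* 4x2 sample */
    image_buffer_t img;
    int rc, ok;

    img.data = malloc(sizeof src);
    if (img.data == NULL)
        return 0;
    memcpy(img.data, src, sizeof src);
    img.width = 4;
    img.height = 2;

    rc = checked_resize(&img, 6, 3, 0xAA);
    ok = rc == RESIZE_OK && img.width == 6 && img.height == 3 &&
         img.data[0] == 1 && img.data[3] == 4 && img.data[4] == 0xAA &&   /* row 0 */
         img.data[6] == 5 && img.data[9] == 8 && img.data[11] == 0xAA &&  /* row 1 */
         img.data[12] == 0xAA && img.data[17] == 0xAA;                    /* row 2 */

    rc = checked_resize(&img, 65536, 65536, 0);
    ok = ok && rc == RESIZE_EINVAL && img.width == 6;   /* image left untouched */

    free(img.data);
    return ok;
}

int main(void)
{
    printf("checked resize: %s\n", demo_resize() ? "ok" : "FAILED");
    return 0;
}
```

The in-loop bound can never trip when `size` was computed correctly (row n+1 ends at width*(n+1) <= width*height); its job is to turn a miscomputed size into an error return rather than the out-of-bounds write in the trace. When reproducing, run img2sixel on the PoC under the ASan build with `ASAN_OPTIONS=abort_on_error=1` and compare the reported write size against `image->width` and the region size against `width*height` to confirm which of the two was wrong.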
A crafted input leads to a heap-buffer-overflow crash in image_buffer_resize (src/fromsixel.c:308) in libsixel 1.8.3 (built from the git branch).
Triggered by: ./img2sixel 001-heap--
PoC: 001-heap--
The ASan output and the code around the crash site are shown above.