saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

assertion failure in stbi__shiftsigned in stb_image.h #126

Closed. sleicasper closed this 4 years ago

sleicasper commented 4 years ago

stbi__shiftsigned has an assertion which can be triggered by a user-supplied image file.


poc: poc.zip

result:

#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff678c801 in __GI_abort () at abort.c:79
#2  0x00007ffff677c39a in __assert_fail_base (
    fmt=0x7ffff69037d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x5adc60 <.str.73> "v >= 0 && v < 256",
    file=file@entry=0x5ac2a0 <.str.2> "./stb_image.h", line=line@entry=0x13bc,
    function=function@entry=0x5adca0 <__PRETTY_FUNCTION__.stbi__shiftsigned> "int stbi__shiftsigned(int, int, int)") at assert.c:92
#3  0x00007ffff677c412 in __GI___assert_fail (assertion=0x5adc60 <.str.73> "v >= 0 && v < 256",
    file=0x5ac2a0 <.str.2> "./stb_image.h", line=0x13bc,
    function=0x5adca0 <__PRETTY_FUNCTION__.stbi__shiftsigned> "int stbi__shiftsigned(int, int, int)") at assert.c:101
#4  0x0000000000536b79 in stbi__shiftsigned (v=0xffffffa5, shift=0x18, bits=0xd)
    at ./stb_image.h:5052
#5  0x00000000005030b4 in stbi__bmp_load (s=0x7fffffffcc80, x=0x607000000038, y=0x60700000003c,
    comp=0x7fffffffcda0, req_comp=0x3, ri=0x7fffffffc940) at ./stb_image.h:5287
#6  0x00000000004ff7b3 in stbi__load_main (s=0x7fffffffcc80, x=0x607000000038, y=0x60700000003c,
    comp=0x7fffffffcda0, req_comp=0x3, ri=0x7fffffffc940, bpc=0x8) at ./stb_image.h:988
#7  0x00000000004fa325 in stbi__load_and_postprocess_8bit (s=0x7fffffffcc80, x=0x607000000038,
    y=0x60700000003c, comp=0x7fffffffcda0, req_comp=0x3) at ./stb_image.h:1092
#8  0x00000000004ff0b2 in load_with_builtin (pchunk=0x603000000010, fstatic=0x0, fuse_palette=0x1,
    reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x4d0b50 <load_image_callback>,
    context=0x610000000040) at loader.c:912
#9  0x00000000004fddc3 in sixel_helper_load_image_file (filename=0x7fffffffe5da "poc", fstatic=0x0,
    fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0,
    fn_load=0x4d0b50 <load_image_callback>, finsecure=0x0, cancel_flag=0x108e980 <signaled>,
    context=0x610000000040, allocator=0x604000000010) at loader.c:1392
#10 0x00000000004d0858 in sixel_encoder_encode (encoder=0x610000000040,
    filename=0x7fffffffe5da "poc") at encoder.c:1737
#11 0x00000000004c66c9 in main (argc=0x2, argv=0x7fffffffe308) at img2sixel.c:457
#12 0x00007ffff676db97 in __libc_start_main (main=0x4c3320 <main>, argc=0x2, argv=0x7fffffffe308,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8)
    at ../csu/libc-start.c:310
#13 0x000000000041bd3a in _start ()
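The arguments in frame #4 (v=0xffffffa5, shift=0x18, bits=0xd) are what a bitfield BMP loader derives from the file's channel masks before it scales each channel to a byte; a negative v or a width above 8 is exactly the input the `v >= 0 && v < 256` assertion catches. As an added example, not stb_image's or libsixel's code, here is a fail-closed version of that step, assuming the usual convention that shift = (position of the mask's top bit) - 7 and bits = popcount(mask): it validates the mask and the derived parameters and returns -1 so the caller can report a corrupt file instead of aborting.

```c
#include <stdint.h>

/* Fail-closed channel scaling for bitfield BMPs (added illustration, not
 * stb_image's code). v is the masked channel value, shift moves the mask's
 * top bit down to bit 7 (negative = shift left), bits is the mask width.
 * Returns the 8-bit channel value, or -1 on input the decoder must refuse,
 * so the caller can report a corrupt file instead of aborting. All
 * arithmetic is unsigned, so a pixel with bit 31 set never turns negative. */
static int scale_channel_checked(uint32_t v, int shift, int bits)
{
    uint32_t x, r = 0;
    int filled = 0;
    if (bits <= 0 || bits > 8) return -1;       /* wider than the 8-bit output; bits=13 lands here */
    if (shift <= -32 || shift >= 32) return -1; /* larger shifts are undefined in C */
    x = (shift < 0) ? (v << -shift) : (v >> shift);
    if (x >= 256) return -1;                    /* top bit must now sit at or below bit 7 */
    x >>= (8 - bits);                           /* keep only the channel's own bits */
    while (filled < 8) {                        /* replicate them to fill a byte: 0b11111 -> 0xff */
        r = (r << bits) | x;
        filled += bits;
    }
    return (int)(r >> (filled - 8));
}

/* Derive shift and width from a channel mask; rejects empty and
 * non-contiguous masks, which well-formed BMP bitfields never use. */
static int mask_params_checked(uint32_t mask, int *shift, int *bits)
{
    int hi = -1, lo = -1, n = 0, i;
    uint32_t span;
    if (mask == 0) return -1;
    for (i = 0; i < 32; i++)
        if (mask & (1u << i)) { if (lo < 0) lo = i; hi = i; n++; }
    span = mask >> lo;
    if (span & (span + 1)) return -1;           /* gaps inside the mask */
    *shift = hi - 7;
    *bits = n;
    return 0;
}

/* One channel of a 32-bit bitfield pixel as 0..255, or -1 if rejected. */
int bmp_channel_value(uint32_t pixel, uint32_t mask)
{
    int shift, bits;
    if (mask_params_checked(mask, &shift, &bits) != 0) return -1;
    return scale_channel_checked(pixel & mask, shift, bits);
}
```

With the frame #4 arguments, `scale_channel_checked(0xffffffa5u, 24, 13)` returns -1 from the width check rather than reaching the shift at all.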

carnil commented 4 years ago

According to the MITRE CVE feed, this issue has been assigned CVE-2019-20056, although the issue seems to be in stb_image.h, and not specific to libsixel.

saitoha commented 4 years ago

Fixed on v1.8.5. Thanks!