Closed sleicasper closed 4 years ago
stbi__shiftsigned has an assertion which can be triggered by a user-supplied image file.
poc: poc.zip
result:
```
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff678c801 in __GI_abort () at abort.c:79
#2  0x00007ffff677c39a in __assert_fail_base (fmt=0x7ffff69037d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x5adc60 <.str.73> "v >= 0 && v < 256", file=file@entry=0x5ac2a0 <.str.2> "./stb_image.h", line=line@entry=0x13bc, function=function@entry=0x5adca0 <__PRETTY_FUNCTION__.stbi__shiftsigned> "int stbi__shiftsigned(int, int, int)") at assert.c:92
#3  0x00007ffff677c412 in __GI___assert_fail (assertion=0x5adc60 <.str.73> "v >= 0 && v < 256", file=0x5ac2a0 <.str.2> "./stb_image.h", line=0x13bc, function=0x5adca0 <__PRETTY_FUNCTION__.stbi__shiftsigned> "int stbi__shiftsigned(int, int, int)") at assert.c:101
#4  0x0000000000536b79 in stbi__shiftsigned (v=0xffffffa5, shift=0x18, bits=0xd) at ./stb_image.h:5052
#5  0x00000000005030b4 in stbi__bmp_load (s=0x7fffffffcc80, x=0x607000000038, y=0x60700000003c, comp=0x7fffffffcda0, req_comp=0x3, ri=0x7fffffffc940) at ./stb_image.h:5287
#6  0x00000000004ff7b3 in stbi__load_main (s=0x7fffffffcc80, x=0x607000000038, y=0x60700000003c, comp=0x7fffffffcda0, req_comp=0x3, ri=0x7fffffffc940, bpc=0x8) at ./stb_image.h:988
#7  0x00000000004fa325 in stbi__load_and_postprocess_8bit (s=0x7fffffffcc80, x=0x607000000038, y=0x60700000003c, comp=0x7fffffffcda0, req_comp=0x3) at ./stb_image.h:1092
#8  0x00000000004ff0b2 in load_with_builtin (pchunk=0x603000000010, fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x4d0b50 <load_image_callback>, context=0x610000000040) at loader.c:912
#9  0x00000000004fddc3 in sixel_helper_load_image_file (filename=0x7fffffffe5da "poc", fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x4d0b50 <load_image_callback>, finsecure=0x0, cancel_flag=0x108e980 <signaled>, context=0x610000000040, allocator=0x604000000010) at loader.c:1392
#10 0x00000000004d0858 in sixel_encoder_encode (encoder=0x610000000040, filename=0x7fffffffe5da "poc") at encoder.c:1737
#11 0x00000000004c66c9 in main (argc=0x2, argv=0x7fffffffe308) at img2sixel.c:457
#12 0x00007ffff676db97 in __libc_start_main (main=0x4c3320 <main>, argc=0x2, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8) at ../csu/libc-start.c:310
#13 0x000000000041bd3a in _start ()
```
According to the MITRE CVE feed, this issue has been assigned CVE-2019-20056, although the issue seems to be in stb_image.h, and not specific to libsixel.
Fixed on v1.8.5. Thanks!
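Added example, not code from stb_image.h or libsixel and not the v1.8.5 fix: one way a BMP decoder could validate a channel mask before scaling it, so that inputs like those in frame #4 (`bits=0xd` and a sign-extended `v`) are rejected as a bad file instead of reaching an assertion. The helper names, the policy of rejecting masks wider than 8 bits, and the sample mask and pixel values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: derive shift and width from a channel mask.
 * Returns 0 for masks an 8-bit expansion cannot represent. */
static int channel_from_mask(uint32_t mask, int *shift, int *bits)
{
    int lo = 0, n = 0;
    if (mask == 0) return 0;
    while ((mask & 1u) == 0) { mask >>= 1; lo++; }  /* skip low zeros */
    while (mask & 1u)        { mask >>= 1; n++;  }  /* count the run  */
    if (mask != 0) return 0;   /* set bits are not contiguous */
    if (n > 8) return 0;       /* assumed policy: reject >8 bits (bits=0xd) */
    *shift = lo;
    *bits = n;
    return 1;
}

/* Extract one channel and scale it to 0..255 with unsigned arithmetic,
 * so a mask touching bit 31 cannot sign-extend. Returns -1 on a bad mask. */
static int decode_channel(uint32_t pixel, uint32_t mask)
{
    int shift, bits, s;
    uint32_t v, out;
    if (!channel_from_mask(mask, &shift, &bits)) return -1;
    v = (pixel & mask) >> shift;       /* 0 <= v < 2^bits */
    out = v << (8 - bits);             /* left-align in 8 bits */
    for (s = bits; s < 8; s += bits)   /* replicate into the low bits */
        out |= (v << (8 - bits)) >> s;
    return (int)out;
}

int main(void)
{
    /* Constructed inputs: a 13-bit mask reaching bit 31 and a pixel whose
     * top byte is 0xa5. */
    uint32_t bad_mask = 0xFFF80000u, pixel = 0xA5000000u;
    printf("13-bit mask  -> %d\n", decode_channel(pixel, bad_mask));
    printf("0xFF000000   -> %d\n", decode_channel(pixel, 0xFF000000u));
    printf("RGB565 red   -> %d\n", decode_channel(0xFFFFu, 0xF800u));
    return 0;
}
```

A caller would treat the -1 return as a corrupt-file error and stop decoding, which keeps the failure on an ordinary error path even in builds where assertions are compiled in.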