saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License
2.45k stars, 82 forks

NULL pointer dereference in stb_image.h #160

Closed eldstal closed 2 years ago

eldstal commented 2 years ago

Vulnerable versions

Steps to reproduce

img2sixel stbio_1561_poc.bin

Input file (a malformed PICT-format image) is attached.

Cause

Segmentation fault in stbi__convert_format at stb_image.h:1561:

   switch (STBI__COMBO(img_n, req_comp)) {
     /* ... */
     STBI__CASE(4,3) { dest[0]=src[0],dest[1]=src[1],dest[2]=src[2]; } break;
     /* ... */
   }

The src pointer is NULL, as passed in from stbi__pic_load.

The source of the NULL pointer is the malloc at line 6120:

   result = (stbi_uc *) stbi__malloc_mad4(x, y, 4, 0);

whose output is never checked for NULL. The x and y dimensions (39168, 5888) are read directly from the input file, and they pass the check in stbi__mad3sizes_valid which only checks for integer overflow.

The total size of the allocated buffer is 39168 * 5888 * 4 and allocation fails.

Impact

Denial of service is the only obvious impact.

Mitigation

stb_image starting at version 2.27 (50072f66589f52f51eb5b3f56b9272ea8ec1fdac) includes a check for this condition. libsixel should be brought up-to-date with this version if possible.

If not, backport the check as well as similar error checks for other malloc calls.
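The pattern described in the report (header-supplied dimensions, an overflow-only size check, an unchecked allocation, then a conversion loop that dereferences the result) and the fix it asks for, as an added example. This is not stb_image's or libsixel's code: `pic_header`, `read_header`, `sizes_fit_int`, `bounded_malloc`, `pic_load_unchecked` and `pic_load_checked` are made-up names, the 8-byte header format and the 2x2 sample image are constructed for the example, and `bounded_malloc` takes a caller-chosen ceiling so that the allocation-failure path can be exercised deterministically rather than by hoping a ~900 MB `malloc` fails.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libsixel or stb_image code; all names below are made up. */

typedef struct { uint32_t x, y; } pic_header;

enum { PIC_OK = 0, PIC_BAD_HEADER, PIC_BAD_SIZE, PIC_ALLOC_FAILED, PIC_SHORT_DATA };

/* Constructed stand-in for the PICT header parse: 8-byte big-endian width and
 * height, then raw RGBA pixels. Dimensions are taken from the file unverified,
 * exactly as the report describes. */
static int read_header(const unsigned char *buf, size_t len, pic_header *h)
{
    if (len < 8) return 0;
    h->x = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    h->y = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | buf[7];
    return 1;
}

/* Overflow-only check in the spirit of stbi__mad3sizes_valid as the report
 * describes it: a*b*c must fit in a signed int. It says nothing about whether
 * malloc can actually hand out that many bytes, so 39168 x 5888 x 4 passes. */
static int sizes_fit_int(uint32_t a, uint32_t b, uint32_t c)
{
    uint64_t p = (uint64_t)a * b;
    if (p > INT_MAX) return 0;
    return p * c <= INT_MAX;
}

/* malloc with a caller-chosen ceiling (made up for the example), so that the
 * failure path is reachable without a genuinely huge request. */
static void *bounded_malloc(size_t n, size_t limit)
{
    return n > limit ? NULL : malloc(n);
}

/* RGBA -> RGB, the dest[0]=src[0],dest[1]=src[1],dest[2]=src[2] step of the
 * crashing switch case; it dereferences src unconditionally. */
static void convert_4_to_3(unsigned char *dest, const unsigned char *src, size_t npix)
{
    for (size_t i = 0; i < npix; i++) {
        dest[3 * i]     = src[4 * i];
        dest[3 * i + 1] = src[4 * i + 1];
        dest[3 * i + 2] = src[4 * i + 2];
    }
}

/* Before: allocation results are never tested. When bounded_malloc returns
 * NULL, memcpy and convert_4_to_3 dereference it, which is the crash in the
 * report. Only call this with a limit large enough for the image. */
static int pic_load_unchecked(const unsigned char *buf, size_t len, size_t limit,
                              pic_header *h, unsigned char **out)
{
    *out = NULL;
    if (!read_header(buf, len, h)) return PIC_BAD_HEADER;
    if (!sizes_fit_int(h->x, h->y, 4)) return PIC_BAD_SIZE;
    size_t npix = (size_t)h->x * h->y;
    if (len - 8 < (uint64_t)npix * 4) return PIC_SHORT_DATA;
    unsigned char *rgba = bounded_malloc(npix * 4, limit);   /* may be NULL */
    unsigned char *rgb  = bounded_malloc(npix * 3, limit);   /* may be NULL */
    memcpy(rgba, buf + 8, npix * 4);                         /* NULL dereference on failure */
    convert_4_to_3(rgb, rgba, npix);
    free(rgba);
    *out = rgb;
    return PIC_OK;
}

/* After: every allocation is checked and failure is reported to the caller
 * instead of being dereferenced. This is the check the report asks to backport. */
static int pic_load_checked(const unsigned char *buf, size_t len, size_t limit,
                            pic_header *h, unsigned char **out)
{
    *out = NULL;
    if (!read_header(buf, len, h)) return PIC_BAD_HEADER;
    if (!sizes_fit_int(h->x, h->y, 4)) return PIC_BAD_SIZE;
    size_t npix = (size_t)h->x * h->y;
    if (len - 8 < (uint64_t)npix * 4) return PIC_SHORT_DATA;
    unsigned char *rgba = bounded_malloc(npix * 4, limit);
    if (!rgba) return PIC_ALLOC_FAILED;
    unsigned char *rgb = bounded_malloc(npix * 3, limit);
    if (!rgb) { free(rgba); return PIC_ALLOC_FAILED; }
    memcpy(rgba, buf + 8, npix * 4);
    convert_4_to_3(rgb, rgba, npix);
    free(rgba);
    *out = rgb;
    return PIC_OK;
}

/* Constructed 2x2 RGBA sample: 8-byte header, then four pixels. */
static const unsigned char constructed_2x2[8 + 16] = {
    0, 0, 0, 2,  0, 0, 0, 2,
    1, 2, 3, 4,  5, 6, 7, 8,  9, 10, 11, 12,  13, 14, 15, 16
};

int main(void)
{
    pic_header h;
    unsigned char *out = NULL;
    printf("PoC dims pass overflow check: %d\n", sizes_fit_int(39168, 5888, 4));
    printf("limit 8:    rc=%d (3 = allocation failure reported)\n",
           pic_load_checked(constructed_2x2, sizeof constructed_2x2, 8, &h, &out));
    printf("limit 1024: rc=%d\n",
           pic_load_checked(constructed_2x2, sizeof constructed_2x2, 1024, &h, &out));
    if (out) printf("first RGB pixel: %u,%u,%u\n", out[0], out[1], out[2]);
    free(out);
    return 0;
}
```

The only difference between the two loaders is the two `if (!ptr)` lines after the allocations; the overflow-only check is kept unchanged in both to show that it does not, by itself, prevent the crash. A cap on total pixel count would be a separate hardening on top of this and is not what the report's fix does.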

eldstal commented 2 years ago

This same report was also submitted in the fork.

eldstal commented 2 years ago

Fixed by @dankamongmen in commit f283ece716e925c4a4a8f5b94b99534b0b11d9be of the libsixel/libsixel fork.

eldstal commented 2 years ago

This vulnerability has been assigned CVE-2021-45340.