Vulnerable versions
Steps to reproduce
img2sixel stbio_1561_poc.bin
Input file (a malformed PICT-format image) is attached.
Cause
Segmentation fault in stbi__convert_format at stb_image.h:1561: the src pointer is NULL, as passed in from stbi__pic_load.
The source of the NULL pointer is the malloc at line 6120:
result = (stbi_uc *) stbi__malloc_mad4(x, y, 4, 0);
whose output is never checked for NULL. The x and y dimensions (39168, 5888) are read directly from the input file, and they pass the check in stbi__mad3sizes_valid, which only checks for integer overflow. The total size of the allocated buffer is 39168 * 5888 * 4 bytes and the allocation fails.
Impact
Denial of service is the only obvious impact.
Mitigation
stb_image starting at version 2.27 (50072f66589f52f51eb5b3f56b9272ea8ec1fdac) includes a check for this condition. libsixel should be brought up to date with this version if possible. If not, backport the check as well as similar error checks for other malloc calls.
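Added example, not stb_image's or libsixel's code (all function names are hypothetical): it reimplements an overflow-only size check in the spirit of stbi__mad3sizes_valid, shows that the attached file's 39168 x 5888 x 4 request passes that check, and adds the NULL check after allocation that the 2.27 fix introduces. A capped allocator stands in for a real out-of-memory condition so the failure is reproducible without allocating ~922 MB.

```c
#include <limits.h>
#include <stdlib.h>

/* Overflow-only check, modelled on what the page says stbi__mad3sizes_valid
 * does: it guarantees a*b*c fits in an int and says nothing about whether
 * malloc can actually satisfy a request that large. Hypothetical code. */
static int mad3_sizes_valid(int a, int b, int c)
{
    if (a < 0 || b < 0 || c < 0) return 0;
    if (b != 0 && a > INT_MAX / b) return 0;
    if (c != 0 && a * b > INT_MAX / c) return 0;
    return 1;
}

/* Allocation cap so the out-of-memory path is deterministic in a test:
 * the 39168 x 5888 x 4 request (~922 MB) exceeds it, a small image does not. */
static size_t g_alloc_cap = (size_t)16 * 1024 * 1024;
static void *capped_malloc(size_t n) { return n > g_alloc_cap ? NULL : malloc(n); }

enum { PIC_OK = 0, PIC_BAD_SIZE = 1, PIC_OUT_OF_MEMORY = 2 };

/* Allocate the pixel buffer. The NULL check on the malloc result is the
 * part the vulnerable code lacked; without it a NULL buffer flows into the
 * format converter and is dereferenced there. */
static unsigned char *alloc_pixels(int x, int y, int channels, int *err)
{
    if (!mad3_sizes_valid(x, y, channels)) { *err = PIC_BAD_SIZE; return NULL; }
    unsigned char *buf = capped_malloc((size_t)x * (size_t)y * (size_t)channels);
    if (buf == NULL) { *err = PIC_OUT_OF_MEMORY; return NULL; }  /* the fix */
    *err = PIC_OK;
    return buf;
}

/* Stand-in for the converter: refuses a NULL source instead of faulting.
 * Returns the number of bytes it would convert, or -1 for a NULL source. */
static long convert_format(const unsigned char *src, int x, int y, int channels)
{
    if (src == NULL) return -1;
    return (long)x * y * channels;
}

/* Loader that propagates the allocation error to its caller (0 on success,
 * -1 on any failure, with *err saying which one). */
static int load_pic(int x, int y, int *err)
{
    unsigned char *px = alloc_pixels(x, y, 4, err);
    if (px == NULL) return -1;
    long n = convert_format(px, x, y, 4);
    free(px);
    return n > 0 ? 0 : -1;
}
```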