saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

FPE in sixel_encoder_do_resize, encoder.c:633 #166

Open waugustus opened 2 years ago

waugustus commented 2 years ago

Description

There is a floating point exception error in sixel_encoder_do_resize, encoder.c:633 in img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file.

Version

img2sixel 1.8.6, commit id https://github.com/saitoha/libsixel/commit/6a5be8b72d84037b83a5ea838e17bcf372ab1d5f (Tue Jan 14 02:27:00 2020 +0900)

Reproduction

# img2sixel -w 128 poc /tmp/foo
ASAN:DEADLYSIGNAL
=================================================================
==1596536==ERROR: AddressSanitizer: FPE on unknown address 0x55718c759aa0 (pc 0x55718c759aa0 bp 0x7fff1eb09d20 sp 0x7fff1eb09cf0 T0)
    #0 0x55718c759a9f in sixel_encoder_do_resize /root/programs/libsixel/src/encoder.c:633
    #1 0x55718c75b5e5 in sixel_encoder_encode_frame /root/programs/libsixel/src/encoder.c:968
    #2 0x55718c760d75 in load_image_callback /root/programs/libsixel/src/encoder.c:1679
    #3 0x55718c7c883d in load_gif /root/programs/libsixel/src/fromgif.c:671
    #4 0x55718c7c0d74 in load_with_builtin /root/programs/libsixel/src/loader.c:908
    #5 0x55718c7c19cb in sixel_helper_load_image_file /root/programs/libsixel/src/loader.c:1418
    #6 0x55718c7612e7 in sixel_encoder_encode /root/programs/libsixel/src/encoder.c:1743
    #7 0x55718c7549ee in main /root/programs/libsixel/converters/img2sixel.c:457
    #8 0x7f382df64c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #9 0x55718c752109 in _start (/root/programs/libsixel/build_asan/bin/img2sixel+0x5e109)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /root/programs/libsixel/src/encoder.c:633 in sixel_encoder_do_resize
==1596536==ABORTING

poc.zip

Platform

# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
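
ASan reports FPE when the process receives SIGFPE, which in integer code on x86-64 Linux typically means a division by zero or INT_MIN / -1. The issue does not include the source at encoder.c:633, so the following is an added sketch, not libsixel's code and not part of the original report, of a width-only resize (as with -w 128) that validates the decoded frame size before dividing by it. The names scale_keep_aspect and DIM_MAX, and the convention that a value <= 0 means "not given", are assumptions.

```c
#include <stdio.h>

#define DIM_MAX 65536  /* constructed bound for this sketch, not a libsixel constant */

/* Hypothetical helper (not a libsixel function): derive the output size when
 * only a width or only a height is requested (<= 0 means "not given").
 * Returns 0 on success, -1 when the input cannot be scaled safely. */
static int scale_keep_aspect(int src_w, int src_h, int req_w, int req_h,
                             int *out_w, int *out_h)
{
    long long w = req_w, h = req_h;

    /* A malformed header can yield a 0 or negative frame size; reject it
     * before it becomes a divisor. */
    if (src_w <= 0 || src_h <= 0 || src_w > DIM_MAX || src_h > DIM_MAX)
        return -1;
    if (req_w > DIM_MAX || req_h > DIM_MAX)
        return -1;

    if (req_w <= 0 && req_h <= 0) {        /* no resize requested */
        w = src_w;
        h = src_h;
    } else if (req_h <= 0) {               /* width only, e.g. -w 128 */
        h = (long long)src_h * req_w / src_w;
    } else if (req_w <= 0) {               /* height only */
        w = (long long)src_w * req_h / src_h;
    }                                      /* both given: no division */

    /* Extreme aspect ratios round down to 0; clamp to one pixel so later
     * code never sees a zero-sized output, and cap the upper end. */
    if (w < 1) w = 1;
    if (h < 1) h = 1;
    if (w > DIM_MAX || h > DIM_MAX)
        return -1;
    *out_w = (int)w;
    *out_h = (int)h;
    return 0;
}

int main(void)
{
    int w = 0, h = 0;
    /* Constructed inputs: a zero-width frame, then a normal 640x480 one. */
    printf("0x480:   rc=%d\n", scale_keep_aspect(0, 480, 128, -1, &w, &h));
    printf("640x480: rc=%d", scale_keep_aspect(640, 480, 128, -1, &w, &h));
    printf(" -> %dx%d\n", w, h);
    return 0;
}
```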

carnil commented 2 years ago

Can you report the issue to the new upstream at https://github.com/libsixel/libsixel ?

carnil commented 2 years ago

Maybe this project should be archived as well if it's no longer the main upstream repository for libsixel.

waugustus commented 2 years ago

> Can you report the issue to the new upstream at https://github.com/libsixel/libsixel ?

OK, and thank you for your suggestion.

waugustus commented 2 years ago

CVE-2022-29978 assigned.