There is a heap-buffer-overflow (a 1-byte out-of-bounds read, per the AddressSanitizer report below) in img2sixel 1.8.6 in error_diffuse (quant.c:876), called from diffuse_jajuni (quant.c:972); this is a different bug from #156. A remote attacker could use a crafted JPEG file to crash the program (denial of service).
Version
$ img2sixel -V
img2sixel 1.8.6
configured with:
libcurl: yes
libpng: yes
libjpeg: yes
gdk-pixbuf2: no
GD: no
Reproduction
$ img2sixel -d jajuni -b vt340mono poc /tmp/foo
=================================================================
==135878==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000010ed at pc 0x55e064953e8e bp 0x7ffda7711e50 sp 0x7ffda7711e40
READ of size 1 at 0x6030000010ed thread T0
#0 0x55e064953e8d in error_diffuse /root/programs_latest/libsixel/src/quant.c:876
#1 0x55e0649541ff in diffuse_jajuni /root/programs_latest/libsixel/src/quant.c:972
#2 0x55e064956a85 in sixel_quant_apply_palette /root/programs_latest/libsixel/src/quant.c:1449
#3 0x55e064904e97 in sixel_dither_apply_palette /root/programs_latest/libsixel/src/dither.c:801
#4 0x55e0648faca9 in sixel_encode_dither /root/programs_latest/libsixel/src/tosixel.c:830
#5 0x55e064902b7f in sixel_encode /root/programs_latest/libsixel/src/tosixel.c:1551
#6 0x55e0648ee0e0 in sixel_encoder_output_without_macro /root/programs_latest/libsixel/src/encoder.c:825
#7 0x55e0648ef381 in sixel_encoder_encode_frame /root/programs_latest/libsixel/src/encoder.c:1056
#8 0x55e0648f3245 in load_image_callback /root/programs_latest/libsixel/src/encoder.c:1679
#9 0x55e064943c67 in load_with_builtin /root/programs_latest/libsixel/src/loader.c:963
#10 0x55e0649441aa in sixel_helper_load_image_file /root/programs_latest/libsixel/src/loader.c:1418
#11 0x55e0648f36a9 in sixel_encoder_encode /root/programs_latest/libsixel/src/encoder.c:1743
#12 0x55e0648e965b in main /root/programs_latest/libsixel/converters/img2sixel.c:457
#13 0x7f8f97ce2082 in __libc_start_main ../csu/libc-start.c:308
#14 0x55e0648e6fad in _start (/root/programs_latest/libsixel/build_asan/bin/img2sixel+0x39fad)
0x6030000010ed is located 3 bytes to the left of 18-byte region [0x6030000010f0,0x603000001102)
allocated by thread T0 here:
#0 0x7f8f9829c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55e0648e986e in rpl_malloc /root/programs_latest/libsixel/converters/malloc_stub.c:45
#2 0x55e0648f4524 in sixel_allocator_malloc /root/programs_latest/libsixel/src/allocator.c:162
#3 0x55e0648ede50 in sixel_encoder_output_without_macro /root/programs_latest/libsixel/src/encoder.c:789
#4 0x55e0648ef381 in sixel_encoder_encode_frame /root/programs_latest/libsixel/src/encoder.c:1056
#5 0x55e0648f3245 in load_image_callback /root/programs_latest/libsixel/src/encoder.c:1679
#6 0x55e064943c67 in load_with_builtin /root/programs_latest/libsixel/src/loader.c:963
#7 0x55e0649441aa in sixel_helper_load_image_file /root/programs_latest/libsixel/src/loader.c:1418
#8 0x55e0648f36a9 in sixel_encoder_encode /root/programs_latest/libsixel/src/encoder.c:1743
#9 0x55e0648e965b in main /root/programs_latest/libsixel/converters/img2sixel.c:457
#10 0x7f8f97ce2082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/programs_latest/libsixel/src/quant.c:876 in error_diffuse
Shadow bytes around the buggy address:
0x0c067fff81c0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff81d0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fff81e0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fff81f0: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
0x0c067fff8200: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
=>0x0c067fff8210: fa fa 00 00 00 00 fa fa 00 00 02 fa fa[fa]00 00
0x0c067fff8220: 02 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==135878==ABORTING
Attachment: poc.zip (the crafted input file used in the reproduction above)
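Added example (not libsixel code): a bounds-checked Jarvis-Judice-Ninke error-diffusion pass showing the mitigation for this class of bug. Every kernel tap is range-checked against the image width and height before the pixel buffer is touched, so an image narrower than the kernel cannot push the dx = -2 tap before the start of the heap block. The tap table, helper names and the 1x3 sample image are constructed for this demonstration and do not claim to reproduce libsixel's error_diffuse/diffuse_jajuni internals.

```c
#include <stddef.h>
#include <stdint.h>

/* Jarvis-Judice-Ninke kernel: (dx, dy, weight), divisor 48. */
static const struct { int dx, dy, w; } jajuni_taps[] = {
    { 1, 0, 7 }, { 2, 0, 5 },
    {-2, 1, 3 }, {-1, 1, 5 }, { 0, 1, 7 }, { 1, 1, 5 }, { 2, 1, 3 },
    {-2, 2, 1 }, {-1, 2, 3 }, { 0, 2, 5 }, { 1, 2, 3 }, { 2, 2, 1 },
};
#define NTAPS (sizeof jajuni_taps / sizeof jajuni_taps[0])

/* Add one tap's share of the error to a pixel, saturating to 0..255.
 * Hypothetical helper, not libsixel's error_diffuse(). */
static void add_error(uint8_t *px, int err, int weight)
{
    int v = *px + err * weight / 48;
    *px = (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v);
}

/* Threshold-dither an 8-bit grayscale image in place with JJN diffusion.
 * Each tap target is checked against the image bounds BEFORE the buffer is
 * touched; for an image narrower than the kernel (width 1 or 2) the dx = -2
 * tap on row 0 would otherwise index before the start of the heap block.
 * Returns how many taps were skipped because they fell outside the image. */
size_t dither_jajuni_checked(uint8_t *img, int width, int height)
{
    size_t skipped = 0;
    for (int y = 0; y < height; y++) {
        for (int x = 0; x < width; x++) {
            uint8_t *p = img + (size_t)y * width + x;
            int err = *p - (*p < 128 ? 0 : 255);  /* error vs. nearest of {0,255} */
            *p = *p < 128 ? 0 : 255;
            for (size_t i = 0; i < NTAPS; i++) {
                int nx = x + jajuni_taps[i].dx, ny = y + jajuni_taps[i].dy;
                if (nx < 0 || nx >= width || ny >= height) { skipped++; continue; }
                add_error(img + (size_t)ny * width + nx, err, jajuni_taps[i].w);
            }
        }
    }
    return skipped;
}

/* Constructed sample: a 1-pixel-wide, 3-pixel-tall column of grey (120).
 * Without the nx < 0 check, the (-2, 1) tap on row 0 would read img[-1]. */
static uint8_t sample[3] = { 120, 120, 120 };
size_t demo_dither_sample(void) { return dither_jajuni_checked(sample, 1, 3); }
int demo_sample_pixel(int i) { return sample[i]; }
```

On the sample column the pass skips 33 taps and yields the pixels 0, 255, 0; running the same loop under AddressSanitizer with the bounds check removed is the quickest way to see the redzone hit that the report above shows.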