saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

libsixel/img2sixel attempting free on address which was not malloc() #177

Open Frank-Z7 opened 10 months ago

Frank-Z7 commented 10 months ago

libsixel/img2sixel attempting free on address which was not malloc()

Description

A bug was discovered in libsixel v1.8.6 that attempted to free an address that was not malloc() allocated at libsixel/src/loader.c:633:5. It allows attackers to cause a denial of service (DOS) via converting a crafted PNG file into Sixel format.

PoC

pocLibsixel: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/pocLibsixel

Version

libsixel/img2sixel 1.8.6

img2sixel 1.8.6

configured with:
  libcurl: yes
  libpng: yes
  libjpeg: no
  gdk-pixbuf2: no
  GD: no

Copyright (C) 2014-2018 Hayaki Saito <saitoha@me.com>.

Reference

https://github.com/saitoha/libsixel

Reproduction

root@38ad1e4b9d16:/afltest/libsixel# ./converters/img2sixel -w 128 -8 -I pocLibsixel -o test1.sixel
=================================================================
==3908320==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x607000000028 in thread T0
    #0 0x495b5d in free (/afltest/libsixel/converters/img2sixel+0x495b5d)
    #1 0x544c86 in load_png /afltest/libsixel/src/loader.c:633:5
    #2 0x4fc4b9 in load_with_builtin /afltest/libsixel/src/loader.c:889:18
    #3 0x4fc4b9 in sixel_helper_load_image_file /afltest/libsixel/src/loader.c:1418:18
    #4 0x4cc586 in sixel_encoder_encode /afltest/libsixel/src/encoder.c:1743:14
    #5 0x4c6e13 in main /afltest/libsixel/converters/img2sixel.c:457:22
    #6 0x7ffff7b61082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41d69d in _start (/afltest/libsixel/converters/img2sixel+0x41d69d)

0x607000000028 is located 8 bytes inside of 72-byte region [0x607000000020,0x607000000068)
allocated by thread T0 here:
    #0 0x495ddd in malloc (/afltest/libsixel/converters/img2sixel+0x495ddd)
    #1 0x4e18a9 in sixel_frame_new /afltest/libsixel/src/frame.c:61:33
    #2 0x4fc41a in load_with_builtin /afltest/libsixel/src/loader.c:885:18
    #3 0x4fc41a in sixel_helper_load_image_file /afltest/libsixel/src/loader.c:1418:18
    #4 0x4cc586 in sixel_encoder_encode /afltest/libsixel/src/encoder.c:1743:14
    #5 0x4c6e13 in main /afltest/libsixel/converters/img2sixel.c:457:22
    #6 0x7ffff7b61082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: bad-free (/afltest/libsixel/converters/img2sixel+0x495b5d) in free
==3908320==ABORTING

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Location

in load_png : libsixel/src/loader.c:633:5


Credit

Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))

Song Jiaxuan
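The AddressSanitizer report above says the freed pointer lies 8 bytes inside a 72-byte block that sixel_frame_new allocated, i.e. the cleanup path passed an interior pointer into a live header object to free() instead of a block base. The program below is an added example, not code from libsixel or from the reporter: it uses a hypothetical `struct frame` (not libsixel's sixel_frame_t) and a small checked allocator of my own design that records every live block and classifies a bad free as "interior" or "unknown" rather than corrupting the heap. It shows the buggy cleanup (freeing the address of the pointer field) next to the correct release order, which is the check a maintainer would want in a debug build or unit test when ASan is not available.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of a checked free. */
enum free_result { FREE_OK = 0, FREE_INTERIOR = 1, FREE_UNKNOWN = 2 };

#define MAX_LIVE 64

/* Registry of live blocks: (base, size) for every outstanding allocation. */
struct alloc_rec { void *base; size_t size; };
static struct alloc_rec live[MAX_LIVE];
static size_t n_live = 0;

/* malloc wrapper that records the block base and size. */
static void *checked_malloc(size_t size)
{
    if (n_live == MAX_LIVE) return NULL;
    void *p = malloc(size);
    if (p == NULL) return NULL;
    live[n_live].base = p;
    live[n_live].size = size;
    n_live++;
    return p;
}

/* free wrapper: only releases an exact block base. An address strictly inside a
 * live block is reported as FREE_INTERIOR (the class of bug in the ASan report);
 * anything else is FREE_UNKNOWN. Nothing is freed in the error cases. */
static enum free_result checked_free(void *p)
{
    if (p == NULL) return FREE_OK;
    for (size_t i = 0; i < n_live; i++) {
        if (live[i].base == p) {
            free(p);
            live[i] = live[--n_live];   /* swap-remove the record */
            return FREE_OK;
        }
    }
    for (size_t i = 0; i < n_live; i++) {
        uintptr_t b = (uintptr_t)live[i].base, q = (uintptr_t)p;
        if (q > b && q < b + live[i].size) return FREE_INTERIOR;
    }
    return FREE_UNKNOWN;
}

/* Hypothetical frame: a header that owns a separately allocated pixel buffer.
 * On LP64 targets the pixels field sits at offset 8, like the bad address above. */
struct frame {
    int width;
    int height;
    unsigned char *pixels;
};

static struct frame *frame_new(int w, int h)
{
    struct frame *f = checked_malloc(sizeof *f);
    if (f == NULL) return NULL;
    f->width = w;
    f->height = h;
    f->pixels = checked_malloc((size_t)w * (size_t)h);
    if (f->pixels == NULL) { checked_free(f); return NULL; }
    return f;
}

/* Buggy cleanup: frees the address OF the pointer field (interior to the header)
 * instead of the buffer it points to. The checker rejects it and frees nothing. */
static enum free_result frame_release_buggy(struct frame *f)
{
    return checked_free(&f->pixels);
}

/* Correct cleanup: release the owned buffer, clear the field, then the header. */
static enum free_result frame_release(struct frame *f)
{
    enum free_result r = checked_free(f->pixels);
    if (r != FREE_OK) return r;
    f->pixels = NULL;
    return checked_free(f);
}

/* Runs both paths; returns 1 when the bug is caught, the correct path succeeds,
 * and no block remains live afterwards. */
static int demo(void)
{
    struct frame *f = frame_new(4, 4);
    if (f == NULL) return 0;
    int caught = frame_release_buggy(f) == FREE_INTERIOR;  /* header still intact */
    int clean  = frame_release(f) == FREE_OK;
    return caught && clean && n_live == 0;
}

int main(void)
{
    printf("checked allocator demo: %s\n", demo() ? "bug caught, clean release ok" : "FAILED");
    return 0;
}
```

The registry is deliberately tiny (a linear scan over at most 64 blocks) because its job is to make the ownership rule explicit: a pointer may be passed to free only if it is the exact value an allocation returned. Wrapping a project's allocation sites this way in test builds turns a heap-corrupting bad free into a return code that a unit test can assert on, independent of whether the build is sanitized.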