libsixel/img2sixel attempting free on address which was not malloc()
Description
A bug was discovered in libsixel v1.8.6: load_png attempts to free an address that was not allocated by malloc(), at libsixel/src/loader.c:633:5. The AddressSanitizer report below shows that the freed pointer lies 8 bytes inside the 72-byte region allocated by sixel_frame_new(). It allows attackers to cause a denial of service (DoS) by converting a crafted PNG file into Sixel format.
root@38ad1e4b9d16:/afltest/libsixel# ./converters/img2sixel -w 128 -8 -I pocLibsixel -o test1.sixel
=================================================================
==3908320==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x607000000028 in thread T0
#0 0x495b5d in free (/afltest/libsixel/converters/img2sixel+0x495b5d)
#1 0x544c86 in load_png /afltest/libsixel/src/loader.c:633:5
#2 0x4fc4b9 in load_with_builtin /afltest/libsixel/src/loader.c:889:18
#3 0x4fc4b9 in sixel_helper_load_image_file /afltest/libsixel/src/loader.c:1418:18
#4 0x4cc586 in sixel_encoder_encode /afltest/libsixel/src/encoder.c:1743:14
#5 0x4c6e13 in main /afltest/libsixel/converters/img2sixel.c:457:22
#6 0x7ffff7b61082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41d69d in _start (/afltest/libsixel/converters/img2sixel+0x41d69d)
0x607000000028 is located 8 bytes inside of 72-byte region [0x607000000020,0x607000000068)
allocated by thread T0 here:
#0 0x495ddd in malloc (/afltest/libsixel/converters/img2sixel+0x495ddd)
#1 0x4e18a9 in sixel_frame_new /afltest/libsixel/src/frame.c:61:33
#2 0x4fc41a in load_with_builtin /afltest/libsixel/src/loader.c:885:18
#3 0x4fc41a in sixel_helper_load_image_file /afltest/libsixel/src/loader.c:1418:18
#4 0x4cc586 in sixel_encoder_encode /afltest/libsixel/src/encoder.c:1743:14
#5 0x4c6e13 in main /afltest/libsixel/converters/img2sixel.c:457:22
#6 0x7ffff7b61082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: bad-free (/afltest/libsixel/converters/img2sixel+0x495b5d) in free
==3908320==ABORTING
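The ASan report above is the signature of a "bad-free": free() received a pointer 8 bytes inside a live 72-byte heap object (the one returned by sixel_frame_new) rather than a pointer returned by malloc(). The page does not show the source line at loader.c:633, so the following is an added illustration of that bug class and its fix, not libsixel's own code: frame_t, frame_new, frame_load and frame_free are hypothetical stand-ins, the toy image format and the inputs are constructed, and the pixel member is placed at offset 8 only to mirror the "8 bytes inside" location in the report.

```c
/* Added illustration, not libsixel code: the bad-free class seen in the
 * report above, where free() is handed an interior pointer into a live
 * object (the ADDRESS OF a struct member) instead of the heap buffer that
 * member points to. All names below are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame object. `pixels` sits at offset 8 after two ints,
 * which mirrors the "8 bytes inside" location in the ASan report. */
typedef struct {
    int width;
    int height;
    unsigned char *pixels;  /* owned heap buffer, or NULL */
} frame_t;

frame_t *frame_new(void) {
    return calloc(1, sizeof(frame_t));   /* pixels starts out NULL */
}

/* Releases exactly the two things that were malloc()-ed: the pixel buffer
 * (free(NULL) is a no-op) and then the frame object itself. */
void frame_free(frame_t *f) {
    if (f == NULL) return;
    free(f->pixels);
    free(f);
}

/* Constructed toy image format: width byte, height byte, then width*height
 * pixel bytes. Returns 0 on success, -1 on malformed input; on failure it
 * leaves `f` untouched and frees only what this call allocated. */
int frame_load(frame_t *f, const unsigned char *data, size_t len) {
    if (f == NULL || data == NULL || len < 2) return -1;
    size_t w = data[0], h = data[1];
    if (w == 0 || h == 0) return -1;
    size_t need = w * h;                 /* at most 255*255, cannot overflow */
    unsigned char *buf = malloc(need);
    if (buf == NULL) return -1;
    if (len - 2 < need) {
        /* Truncated pixel data: release the buffer THIS call allocated.
         * The bug class in the report corresponds to writing
         * free(&f->pixels) here instead: that hands (char *)f + 8, an
         * interior pointer into the frame object, to free(). ASan reports
         * it as "attempting free on address which was not malloc()-ed";
         * without ASan it corrupts allocator metadata, so a crafted input
         * reaching this path is at minimum a crash (DoS). */
        free(buf);
        return -1;
    }
    memcpy(buf, data + 2, need);
    free(f->pixels);                     /* drop the previous buffer, if any */
    f->pixels = buf;
    f->width = (int)w;
    f->height = (int)h;
    return 0;
}

/* Runs the loader on one constructed valid input and two constructed
 * malformed ones; returns the number of expectations that held (5 when
 * ownership is handled correctly). */
int demo_loader(void) {
    static const unsigned char good[]  = {2, 2, 10, 20, 30, 40}; /* constructed */
    static const unsigned char trunc[] = {4, 4, 1, 2, 3};         /* needs 16 px */
    int ok = 0;
    frame_t *f = frame_new();
    if (f == NULL) return 0;
    ok += frame_load(f, good, sizeof good) == 0;
    ok += f->width == 2 && f->height == 2 && f->pixels[3] == 40;
    ok += frame_load(f, trunc, sizeof trunc) == -1;
    ok += f->width == 2 && f->pixels != NULL && f->pixels[0] == 10; /* untouched */
    ok += frame_load(f, trunc, 1) == -1;                            /* header too short */
    frame_free(f);   /* frees pixels and then f, each exactly once */
    return ok;
}

int main(void) {
    printf("offset of pixels member: %zu\n", offsetof(frame_t, pixels));
    printf("loader checks passed: %d of 5\n", demo_loader());
    return 0;
}
```

The rule the fixed loader follows is the one the ASan trace enforces: every free() argument must be a value that malloc() returned, so an error path releases the buffer it allocated itself and never a pointer computed from the containing object. Building the example with -fsanitize=address and replacing free(buf) with free(&f->pixels) reproduces the "8 bytes inside of N-byte region" report shape seen above.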
Environment
ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
PoC
pocLibsixel: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/pocLibsixel
Version
libsixel/img2sixel 1.8.6
Reference
https://github.com/saitoha/libsixel
Reproduction
Location
in load_png: libsixel/src/loader.c:633:5
Credit
Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))
Song Jiaxuan