saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

ASan heap-buffer-overflow src/stb_image.h:3508 in stbi__YCbCr_to_RGB_simd #69

Closed fgeek closed 6 years ago

fgeek commented 6 years ago

Test file: libsixel-heap-buffer-overflow-stb_image.h-3508-stbi__YCbCr_to_RGB_simd.png.zip (SHA1: e652bdff6e901ca105bcc4363c2bd58ff868df0c)
Tested commit: 5db717dfef6fa327cd4025e7352550f63d20699c
Credit: Henri Salo

./bin/img2sixel -o test libsixel-heap-buffer-overflow-stb_image.h-3508-stbi__YCbCr_to_RGB_simd.png
==15521==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fca13dfec0f at pc 0x7fca1c185c58 bp 0x7fff752b84d0 sp 0x7fff752b84c8
READ of size 1 at 0x7fca13dfec0f thread T0
    #0 0x7fca1c185c57 in stbi__YCbCr_to_RGB_simd /home/hsalo/src/libsixel/src/stb_image.h:3508
    #1 0x7fca1c1d5829 in load_jpeg_image /home/hsalo/src/libsixel/src/stb_image.h:3660
    #2 0x7fca1c1d5829 in stbi__jpeg_load /home/hsalo/src/libsixel/src/stb_image.h:3741
    #3 0x7fca1c1d5829 in stbi__load_main /home/hsalo/src/libsixel/src/stb_image.h:980
    #4 0x7fca1c1f235c in stbi__load_and_postprocess_8bit /home/hsalo/src/libsixel/src/stb_image.h:1090
    #5 0x7fca1c1f6663 in load_with_builtin /home/hsalo/src/libsixel/src/loader.c:882
    #6 0x7fca1c2037f8 in sixel_helper_load_image_file /home/hsalo/src/libsixel/src/loader.c:1352
    #7 0x7fca1c2247de in sixel_encoder_encode /home/hsalo/src/libsixel/src/encoder.c:1734
    #8 0x5571dcea8bab in main /home/hsalo/src/libsixel/converters/img2sixel.c:457
    #9 0x7fca1b3ab2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #10 0x5571dcea8de9 in _start (/home/hsalo/builds/libsixel/5db717dfef6fa327cd4025e7352550f63d20699c/bin/img2sixel+0x2de9)

0x7fca13dfec0f is located 0 bytes to the right of 1971215-byte region [0x7fca13c1d800,0x7fca13dfec0f)
allocated by thread T0 here:
    #0 0x7fca1c542d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7fca1c1c14d0 in stbi__process_frame_header /home/hsalo/src/libsixel/src/stb_image.h:3066
    #2 0x7fca1c1c14d0 in stbi__decode_jpeg_header /home/hsalo/src/libsixel/src/stb_image.h:3114
    #3 0x7fff00000002  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/libsixel/src/stb_image.h:3508 in stbi__YCbCr_to_RGB_simd
Shadow bytes around the buggy address:
  0x0ff9c27b7d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9c27b7d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9c27b7d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9c27b7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9c27b7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9c27b7d80: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9c27b7d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9c27b7da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9c27b7db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9c27b7dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9c27b7dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==15521==ABORTING
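As an added triage example (not code from libsixel or from the reporter), the following parses the report quoted above and cross-checks the numbers ASan printed against each other: the region bounds against the stated size, the faulting address against the region end, and the flagged shadow byte against size modulo 8. The text it runs on is a constructed excerpt of the report's own lines.

```python
import re

# Constructed excerpt: the lines of the report above that the parser needs.
ASAN_REPORT = """\
==15521==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fca13dfec0f at pc 0x7fca1c185c58 bp 0x7fff752b84d0 sp 0x7fff752b84c8
READ of size 1 at 0x7fca13dfec0f thread T0
    #0 0x7fca1c185c57 in stbi__YCbCr_to_RGB_simd /home/hsalo/src/libsixel/src/stb_image.h:3508
    #1 0x7fca1c1d5829 in load_jpeg_image /home/hsalo/src/libsixel/src/stb_image.h:3660
0x7fca13dfec0f is located 0 bytes to the right of 1971215-byte region [0x7fca13c1d800,0x7fca13dfec0f)
allocated by thread T0 here:
    #0 0x7fca1c542d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7fca1c1c14d0 in stbi__process_frame_header /home/hsalo/src/libsixel/src/stb_image.h:3066
=>0x0ff9c27b7d80: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

# One ASan stack frame: "#n 0xaddr in function location"
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)


def parse_asan_report(text):
    """Extract bug type, access, region geometry, both stacks and the flagged shadow byte."""
    head, _, alloc = text.partition("allocated by thread")  # crash stack vs. allocation stack
    bug = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", head)
    access = re.search(r"^(READ|WRITE) of size (\d+)", head, re.M)
    region = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", head)
    shadow = re.search(r"^=>.*?\[([0-9a-f]{2})\]", text, re.M)  # granule ASan bracketed
    return {
        "bug": bug.group(1), "address": int(bug.group(2), 16),
        "access": access.group(1), "access_size": int(access.group(2)),
        "offset": int(region.group(1)), "side": region.group(2),
        "region_size": int(region.group(3)),
        "region_start": int(region.group(4), 16), "region_end": int(region.group(5), 16),
        "crash_frames": FRAME_RE.findall(head),   # (function, location) pairs
        "alloc_frames": FRAME_RE.findall(alloc),  # frame #0 is malloc itself
        "shadow_byte": int(shadow.group(1), 16) if shadow else None,
    }


def check_consistency(r):
    """Cross-check the printed numbers; any False means the report is garbled or edited."""
    size_ok = r["region_end"] - r["region_start"] == r["region_size"]
    # For an overflow to the right, the faulting address is region_end + offset.
    addr_ok = r["side"] != "right" or r["address"] == r["region_end"] + r["offset"]
    # One shadow byte covers an 8-byte granule; a value k in 1..7 means only the first
    # k bytes are addressable, so a region of N bytes ends in shadow byte N % 8.
    tail = r["region_size"] % 8
    shadow_ok = r["shadow_byte"] is None or tail == 0 or r["shadow_byte"] == tail
    return {"size": size_ok, "address": addr_ok, "shadow": shadow_ok}
```

For this report all three checks hold: the region is exactly 1971215 bytes, the read is at its end, and 1971215 % 8 == 7 matches the [07] shadow byte, so the one-byte read is a genuine off-the-end access rather than a mis-pasted trace.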
saitoha commented 6 years ago

@fgeek Thank you!