Closed hongxuchen closed 4 years ago
This problem seems to be caused when libsixel is compiled with the -fsanitize=address flag.

with -fsanitize=address:

```
$ (CFLAGS="-O0 -g -fsanitize=address" ./configure && make) 2>&1 > /dev/null && converters/img2sixel https://github.com/ntu-sec/pocs/raw/master/libsixel-2df6437/crashes/read_stb_image.h:5669_1.psd 2>&1 | head
ar: `u' modifier ignored since `D' is the default (see `U')
==6630==ERROR: AddressSanitizer failed to allocate 0x78003000 (2013278208) bytes of LargeMmapAllocator (error code: 12)
==6630==Process memory map follows:
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x55be9fd65000-0x55be9fd6e000 /home/vagrant/libsixel/converters/.libs/img2sixel
0x55be9ff6d000-0x55be9ff6e000 /home/vagrant/libsixel/converters/.libs/img2sixel
0x55be9ff6e000-0x55be9ff6f000 /home/vagrant/libsixel/converters/.libs/img2sixel
0x600000000000-0x602000000000
0x602000000000-0x602000050000
```
without -fsanitize=address:

```
$ (CFLAGS="-O0 -g" ./configure && make) 2>&1 > /dev/null && converters/img2sixel https://github.com/ntu-sec/pocs/raw/master/libsixel-2df6437/crashes/read_stb_image.h:5669_1.psd 2>&1 | head
ar: `u' modifier ignored since `D' is the default (see `U')
stb_image error
outofmem
```
0b1e0b3 avoids SEGV by limiting the allocation size to 128MB.
Fixed on v1.8.5. Thanks!
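The fix described in the comment above caps the size of the image buffer so that a header-controlled width/height/channel product cannot drive the decoder into a multi-gigabyte request (which AddressSanitizer's allocator refuses outright, as the 0x78003000-byte failure above shows). The following C helper is an added example of that defensive pattern; it is not libsixel's own code and not the contents of commit 0b1e0b3. The function names and the `MAX_IMAGE_BYTES` macro are assumptions; only the 128MB figure comes from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical cap mirroring the 128MB limit mentioned in the thread. */
#define MAX_IMAGE_BYTES (128u * 1024u * 1024u)

/*
 * Return width * height * channels in bytes, or 0 if the product would
 * overflow size_t or exceed MAX_IMAGE_BYTES. The overflow checks use
 * division so they are portable and do not depend on compiler builtins.
 */
size_t checked_image_bytes(size_t width, size_t height, size_t channels)
{
    size_t pixels, bytes;

    if (width == 0 || height == 0 || channels == 0)
        return 0;                         /* degenerate image */
    if (width > SIZE_MAX / height)
        return 0;                         /* width * height overflows */
    pixels = width * height;
    if (pixels > SIZE_MAX / channels)
        return 0;                         /* pixels * channels overflows */
    bytes = pixels * channels;
    if (bytes > MAX_IMAGE_BYTES)
        return 0;                         /* legal, but over the cap */
    return bytes;
}

/*
 * Allocate a zeroed pixel buffer only after the dimension check passes.
 * Returns NULL for oversized or overflowing requests instead of asking
 * the allocator for a size that untrusted header fields dictated.
 */
unsigned char *alloc_image_buffer(size_t width, size_t height, size_t channels)
{
    size_t bytes = checked_image_bytes(width, height, channels);
    if (bytes == 0)
        return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    /* Constructed header values: one sane, one sized like the failing
     * 2013278208-byte request from the sanitizer run above. */
    size_t sane = checked_image_bytes(1024, 1024, 4);
    size_t huge = checked_image_bytes(2013278208u, 1, 1);
    printf("1024x1024x4 -> %zu bytes\n", sane);
    printf("2013278208x1x1 -> %zu bytes (0 means rejected)\n", huge);
    return 0;
}
```

The cap is applied to the computed byte count rather than to width and height separately, so a header that keeps each dimension small but multiplies them into an enormous product is still rejected, and the overflow checks run before the multiplication so the comparison against the cap is never performed on a wrapped value.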
Our fuzzer detected several crashes when converting a PSD file against 2df6437 (compiled with Address Sanitizer). The command to trigger that is
img2sixel $POC -o /tmp/test.six
where $POC is: https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/read_stb_image.h%3A5669_1.psd
gdb output: