Description: We observed an infinite loop in `load_pnm()` in `frompnm.c` that can be used for a denial of service: a crafted PNM input makes `img2sixel` hang indefinitely (the process in the trace below was stopped by SIGINT, not by a crash). The hang is in the `while (*s == '\0')` loop at frompnm.c:229 shown in the source view below — it is an iterative loop, not a recursion (only one `load_pnm` frame is on the stack). From the excerpt the loop only exits once `p >= end`, so it presumably spins when `pnm_get_line()` returns without advancing `p` while `tmp` stays empty — confirm against the full function.
Command: `./img2sixel -78eIkiugv -w 4 -h 8 -q auto -l force -o out $POC` (where `$POC` is the attached reproducer file; it appears as `hang10` in the backtrace below). PoC: REPRODUCER
DEBUG :
Gdb: [ Legend: Modified register | Code | Heap | Stack | String ] ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ──── $rax : 0x00007fffffffd160 → 0x43434380f0314300 $rbx : 0x00007fffffffd2a0 → 0x00007fffffffd660 → 0x0000000000000000 $rcx : 0x00007fffffffd100 → 0x0000000000000000 $rdx : 0x0 $rsp : 0x00007fffffffcf50 → 0x000060400000dfd0 → 0xbebebebe00000003 $rbp : 0x00007fffffffd2c0 → 0x00007fffffffd690 → 0x00007fffffffd780 → 0x00007fffffffd7f0 → 0x00007fffffffddb0 → 0x0000000000401c00 → <__libc_csu_init+0> push r15 $rsi : 0x0 $rdi : 0x0 $rip : 0x00007ffff6c08ec1 → <load_pnm+2222> mov rax, QWORD PTR [rbp-0x2f0] $r8 : 0x3 $r9 : 0x184d0 $r10 : 0x2b1 $r11 : 0x00007ffff6ef6ab0 → <__asan_memset+0> push rbp $r12 : 0x00000ffffffff9fc → 0x0000000000000000 $r13 : 0x00007fffffffcfe0 → 0x0000000041b58ab3 $r14 : 0x00007fffffffcfe0 → 0x0000000041b58ab3 $r15 : 0x0 $eflags: [CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow resume virtualx86 identification] $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ──── 0x00007fffffffcf50│+0x0000: 0x000060400000dfd0 → 0xbebebebe00000003 ← $rsp 0x00007fffffffcf58│+0x0008: 0x000060700000dfd4 → 0x0000000000000003 0x00007fffffffcf60│+0x0010: 0x000060700000dfd0 → 0x00000003ffffffff → 0x0000000000000000 0x00007fffffffcf68│+0x0018: 0x0000000000000000 0x00007fffffffcf70│+0x0020: 0x000060700000dfcc → 0xffffffff00000000 0x00007fffffffcf78│+0x0028: 0x000060700000dfc8 → 0x0000000000000000 0x00007fffffffcf80│+0x0030: 0x000060700000dfb8 → 0x000060300000efb0 → 0xffff000000000000 0x00007fffffffcf88│+0x0038: 0x000060400000dfd0 → 0xbebebebe00000003 
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ──── 0x7ffff6c08eac <load_pnm+2201> mov QWORD PTR [rbp-0x328], rax 0x7ffff6c08eb3 <load_pnm+2208> lea rax, [rbx-0x140] 0x7ffff6c08eba <load_pnm+2215> mov QWORD PTR [rbp-0x2f0], rax → 0x7ffff6c08ec1 <load_pnm+2222> mov rax, QWORD PTR [rbp-0x2f0] 0x7ffff6c08ec8 <load_pnm+2229> mov rdx, rax 0x7ffff6c08ecb <load_pnm+2232> shr rdx, 0x3 0x7ffff6c08ecf <load_pnm+2236> add rdx, 0x7fff8000 0x7ffff6c08ed6 <load_pnm+2243> movzx edx, BYTE PTR [rdx] 0x7ffff6c08ed9 <load_pnm+2246> test dl, dl ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:frompnm.c+229 ──── 224 for (y = 0 ; y < height ; y++) { 225 for (x = 0 ; x < width ; x++) { 226 b = (maps == 2 ? 3 : 1); 227 for (i = 0 ; i < b ; i++) { 228 if (ascii) { // s=0x00007fffffffcfd0 → [...] 
→ 0x43434380f0314300 → 229 while (*s == '\0') { 230 if (p >= end) { 231 break; 232 } 233 p = pnm_get_line(p, end, tmp); 234 s = tmp; ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ──── [#0] Id 1, Name: "img2sixel", stopped, reason: SIGINT ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ──── [#0] 0x7ffff6c08ec1 → load_pnm(p=0x62d00000a427 "\027", '\276' <repeats 4056 times>, length=0x28, allocator=0x60400000dfd0, result=0x60700000dfb8, psx=0x60700000dfc8, psy=0x60700000dfcc, ppalette=0x0, pncolors=0x60700000dfd0, ppixelformat=0x60700000dfd4) [#1] 0x7ffff6c077b3 → load_with_builtin(pchunk=0x60300000efe0, fstatic=0x0, fuse_palette=0x0, reqcolors=0x100, bgcolor=0x0, loop_control=0x1, fn_load=0x7ffff6c16ad6 <load_image_callback>, context=0x610000007f40) [#2] 0x7ffff6c0836f → sixel_helper_load_image_file(filename=0x7fffffffe2b1 "hang10", fstatic=0x0, fuse_palette=0x0, reqcolors=0x100, bgcolor=0x0, loop_control=0x1, fn_load=0x7ffff6c16ad6 <load_image_callback>, finsecure=0x1, cancel_flag=0x606ac0 <signaled>, context=0x610000007f40, allocator=0x60400000dfd0) [#3] 0x7ffff6c16f5b → sixel_encoder_encode(encoder=0x610000007f40, filename=0x7fffffffe2b1 "hang10") [#4] 0x4019ce → main(argc=0xd, argv=0x7fffffffde98)
This issue has been assigned CVE-2019-11024.
Fixed in v1.8.4, thanks!