saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License
2.49k stars 83 forks source link

prevent to access heap overflow #95

Closed knok closed 4 years ago

knok commented 5 years ago

82

This problem caused by the following line: https://github.com/saitoha/libsixel/blob/master/src/writer.c#L160

        for (i = 0; i < width * height; ++i, ++src) {
            *dst++ = *(palette + *src * 3 + 0);
            *dst++ = *(palette + *src * 3 + 1);
            *dst++ = *(palette + *src * 3 + 2);
        }

https://bugzilla.redhat.com/show_bug.cgi?id=1649201 The above POC causes to store 255 value on src, so always allocation 2563 size of memory to *palette prevent heap overflow.