
heap-buffer-overflow in load_sixel at loader.c:629 #110

Closed

SuhwanSong opened this issue Dec 12, 2019 · 2 comments

Comments

@SuhwanSong

version: img2sixel 1.8.2

There is a heap-buffer-overflow in load_sixel at loader.c:629.
Please run the following command to reproduce it.

img2sixel --high-color $PoC

poc
ASAN LOG

==36913==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000054d at pc 0x7fb5cf29ac7d bp 0x7ffc97cfe350 sp 0x7ffc97cfe348
READ of size 1 at 0x60400000054d thread T0
    #0 0x7fb5cf29ac7c in load_sixel /home/tmp/libsixel/src/loader.c:629:36
    #1 0x7fb5cf29ac7c in load_with_builtin /home/tmp/libsixel/src/loader.c:782
    #2 0x7fb5cf29ac7c in sixel_helper_load_image_file /home/tmp/libsixel/src/loader.c:1352
    #3 0x7fb5cf4d8d4f in sixel_encoder_encode /home/tmp/libsixel/src/encoder.c:1737:14
    #4 0x51787f in main /home/tmp/libsixel/converters/img2sixel.c:457:22
    #5 0x7fb5cd83bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41a379 in _start (/home/tmp/img2sixel+0x41a379)

Address 0x60400000054d is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tmp/libsixel/src/loader.c:629:36 in load_sixel
Shadow bytes around the buggy address:
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff80a0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==36913==ABORTING
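
The ASan report above records a one-byte read past a heap allocation while load_sixel scans the sixel stream. The page does not show the code at loader.c:629, so what follows is an added illustrative example, not libsixel's code and not a claim about the actual root cause of this issue. It implements a minimal scanner for sixel repeat sequences ("!<count><char>") twice: once trusting that the byte after the count always exists, which on a truncated stream reads one byte past the buffer (the same shape as a heap-buffer-overflow READ of size 1 under ASan), and once with every index guarded by the buffer length. The function names and the sample streams are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked variant (hypothetical, for contrast only).  It assumes the
 * data is NUL-terminated and that a sixel character always follows the
 * digits of a "!<count>" repeat.  On a stream that ends in "!12" the
 * digit loop stops at the terminator, the unconditional i++ steps over
 * it, and the next iteration reads buf[4]: one byte past the allocation,
 * the same shape as a heap-buffer-overflow READ of size 1 under ASan.
 * Never call this on untrusted input. */
long sixel_count_columns_unchecked(const unsigned char *buf)
{
    long columns = 0;
    size_t i = 0;

    while (buf[i] != '\0') {
        if (buf[i] == '!') {
            long count = 0;
            i++;
            while (buf[i] >= '0' && buf[i] <= '9')
                count = count * 10 + (buf[i++] - '0');
            columns += count;
            i++;                       /* skips the repeated char blindly */
        } else {
            if (buf[i] >= '?' && buf[i] <= '~')
                columns++;
            i++;
        }
    }
    return columns;
}

/* Bounds-checked variant.  Every access to buf[i] is guarded by i < len,
 * so a stream truncated after "!" or after its digits is rejected with -1
 * instead of being read past the end.  Returns the number of sixel
 * columns the stream describes. */
long sixel_count_columns(const unsigned char *buf, size_t len)
{
    long columns = 0;
    size_t i = 0;

    while (i < len) {
        unsigned char c = buf[i];

        if (c == '!') {                /* repeat introducer "!<count><char>" */
            long count = 0;
            size_t digits_start = ++i;

            while (i < len && buf[i] >= '0' && buf[i] <= '9') {
                if (count > (LONG_MAX - 9) / 10)
                    return -1;         /* count would overflow */
                count = count * 10 + (buf[i] - '0');
                i++;
            }
            if (i == digits_start)
                return -1;             /* "!" with no count */
            if (i >= len)
                return -1;             /* truncated: no char to repeat */
            c = buf[i];
            if (c < '?' || c > '~')
                return -1;             /* not a sixel data character */
            columns += count;
            i++;
        } else if (c >= '?' && c <= '~') {
            columns++;                 /* one sixel column */
            i++;
        } else if (c == '$' || c == '-' || c == '\n') {
            i++;                       /* carriage return / line feed: no columns */
        } else {
            return -1;                 /* byte not handled by this scanner */
        }
    }
    return columns;
}

int main(void)
{
    /* Constructed sample streams (not the PoC attached to this issue). */
    const char *good = "~~!5?$-!3@";
    const char *truncated = "~~!5";

    printf("checked(good)      = %ld\n",
           sixel_count_columns((const unsigned char *)good, strlen(good)));
    printf("checked(truncated) = %ld\n",
           sixel_count_columns((const unsigned char *)truncated, strlen(truncated)));
    return 0;
}
```

To watch the unchecked variant fail the way the report above does, build with `-fsanitize=address`, copy a stream ending in "!12" into a malloc'd buffer of exactly its length plus the terminator, and pass that buffer in; the checked variant returns -1 on the same input without touching memory outside the buffer. The scanner deliberately covers only the data body (repeats, data characters, `$`, `-`), not the DCS header or `#` colour definitions of a full sixel file.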

@carnil

carnil commented Dec 13, 2019

CVE-2019-19778 has been assigned for this issue.

@saitoha
Owner

saitoha commented Dec 15, 2019

This problem does not reproduce on the recent release v1.8.3 because #95 (614e761) fixed this issue. Thanks!

@saitoha saitoha closed this as completed Dec 15, 2019