A heap-buffer-overflow in image_buffer_resize at fromsixel.c:308

[gutiniao]

A crafted input will lead to crash in frompnm.c at libsixel 1.8.3.(git from the branch)

Triggered by:
./img2sixel 001-heap--

Poc:
001-heap--

The ASAN info:

# ./img2sixel 001-heap-- 
=================================================================
==9357==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd4800ff800 at pc 0x7fd483ed777a bp 0x7fff63150e20 sp 0x7fff631505c8
WRITE of size 512 at 0x7fd4800ff800 thread T0
    #0 0x7fd483ed7779  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x7fd483ba1d2e in image_buffer_resize /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:308
    #2 0x7fd483ba37ed in sixel_decode_raw_impl /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:590
    #3 0x7fd483ba6031 in sixel_decode_raw /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:925
    #4 0x7fd483bf5a16 in load_sixel /home/liuz/libsixel-2019/libsixel/src/loader.c:619
    #5 0x7fd483bf6c1a in load_with_builtin /home/liuz/libsixel-2019/libsixel/src/loader.c:788
    #6 0x7fd483bf789f in sixel_helper_load_image_file /home/liuz/libsixel-2019/libsixel/src/loader.c:1368
    #7 0x7fd483c071d6 in sixel_encoder_encode /home/liuz/libsixel-2019/libsixel/src/encoder.c:1737
    #8 0x56105580d32e in main /home/liuz/libsixel-2019/libsixel/converters/img2sixel.c:457
    #9 0x7fd483795b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x56105580ac79 in _start (/usr/local/libsixel-asan2/bin/img2sixel+0x1c79)

0x7fd4800ff800 is located 0 bytes to the right of 76414976-byte region [0x7fd47b81f800,0x7fd4800ff800)
allocated by thread T0 here:
    #0 0x7fd483f3cb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x56105580d543 in rpl_malloc /home/liuz/libsixel-2019/libsixel/converters/malloc_stub.c:45
    #2 0x7fd483c14834 in sixel_allocator_malloc /home/liuz/libsixel-2019/libsixel/src/allocator.c:155
    #3 0x7fd483ba1b74 in image_buffer_resize /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:293
    #4 0x7fd483ba37ed in sixel_decode_raw_impl /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:590
    #5 0x7fd483ba6031 in sixel_decode_raw /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:925
    #6 0x7fd483bf5a16 in load_sixel /home/liuz/libsixel-2019/libsixel/src/loader.c:619
    #7 0x7fd483bf6c1a in load_with_builtin /home/liuz/libsixel-2019/libsixel/src/loader.c:788
    #8 0x7fd483bf789f in sixel_helper_load_image_file /home/liuz/libsixel-2019/libsixel/src/loader.c:1368
    #9 0x7fd483c071d6 in sixel_encoder_encode /home/liuz/libsixel-2019/libsixel/src/encoder.c:1737
    #10 0x56105580d32e in main /home/liuz/libsixel-2019/libsixel/converters/img2sixel.c:457
    #11 0x7fd483795b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779) 
Shadow bytes around the buggy address:
  0x0ffb10017eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffb10017ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffb10017ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffb10017ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffb10017ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffb10017f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffb10017f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9357==ABORTING

about code:

min_height = height > image->height ? image->height: height;
    if (width > image->width) {  /* if width is extended */
        for (n = 0; n < min_height; ++n) {
            /* copy from source image */
->            memcpy(alt_buffer + width * n,
                   image->data + image->width * n,
                   (size_t)image->width);
            /* fill extended area with background color */

[saitoha]

This problem is fixed in 6367d2f on fix-issue-118-prevent-integer-overflow branch, will be merged the mainline soon. Thank you.

[saitoha]

Released on v1.8.4.

[carnil]

CVE-2019-20024 has been assigned for this issue.