two bugs in img2sixel and sixel2png

[cool-tomato]

./sixel2png infinite_loop_poc1

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:../../src/fromsixel.c+561 ]────
    556	             default:
    557	                 if (*p >= '?' && *p <= '~') {  /* sixel characters */
    558	                     if (image->width < (context->pos_x + context->repeat_count) || image->height < (context->pos_y + 6)) {
    559	                         sx = image->width * 2;
    560	                         sy = image->height * 2;
		// context=0x00007fffffffd6a0  →  [...]  →  0x0000000000000003, sx=0x0, sy=-0x80000000
 →  561	                         while (sx < (context->pos_x + context->repeat_count) || sy < (context->pos_y + 6)) {
    562	                             sx *= 2;
    563	                             sy *= 2;
    564	                         }
    565	                         status = image_buffer_resize(image, sx, sy, context->bgindex, allocator);
    566	                         if (SIXEL_FAILED(status)) {
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "sixel2png", stopped, reason: SINGLE STEP
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff7b7ed89 → Name: sixel_decode_raw_impl(p=0x555555774630 "^\033\\", len=0x53, image=0x7fffffffd7e0, context=0x7fffffffd760, allocator=0x555555774300)
[#1] 0x7ffff7b7f8b3 → Name: sixel_decode_raw(p=0x5555557745e0 "\033Pq\"1;1;70;11#1;2;", '1' <repeats 13 times>, "9;19;19#0!70~-!7", '1' <repeats 25 times>, "\"1111110^\033\\", len=0x53, pixels=0x7fffffffdc58, pwidth=0x7fffffffdc3c, pheight=0x7fffffffdc40, palette=0x7fffffffdc60, ncolors=0x7fffffffdc44, allocator=0x555555774300)
[#2] 0x7ffff7bacc8c → Name: sixel_decoder_decode(decoder=0x555555774330)
[#3] 0x555555554ea6 → Name: main(argc=0x2, argv=0x7fffffffde68)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
561	                        while (sx < (context->pos_x + context->repeat_count) || sy < (context->pos_y + 6)) {
1: sx = 0x0
gef➤  p context->pos_x + context->repeat_count
$32 = 0x471c71c7

./img2sixel heap-buffer-overflow-poc2

Corrupt JPEG data: premature end of data segment
=================================================================
==100553==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc919e46f94 at pc 0x7fca3cf50228 bp 0x7fffe7f5e600 sp 0x7fffe7f5e5f8
READ of size 1 at 0x7fc919e46f94 thread T0
==100553==WARNING: failed to fork (errno 12)
==100553==WARNING: failed to fork (errno 12)
==100553==WARNING: failed to fork (errno 12)
==100553==WARNING: failed to fork (errno 12)
==100553==WARNING: failed to fork (errno 12)
==100553==WARNING: Failed to use and restart external symbolizer!
    #0 0x7fca3cf50227  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x70227)
    #1 0x7fca3cf4c758  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x6c758)
    #2 0x7fca3cf53ae5  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x73ae5)
    #3 0x7fca3cf36b25  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x56b25)
    #4 0x7fca3d028e26  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x148e26)
    #5 0x7fca3cf88581  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0xa8581)
    #6 0x7fca3d0264de  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x1464de)
    #7 0x50564a  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/bin/img2sixel+0x50564a)
    #8 0x7fca3bf2fb96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x41c139  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/bin/img2sixel+0x41c139)

0x7fc919e46f94 is located 0 bytes to the right of 433805204-byte region [0x7fc900091800,0x7fc919e46f94)
allocated by thread T0 here:
    #0 0x4cb710  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/bin/img2sixel+0x4cb710)
    #1 0x7fca3d028ba1  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x148ba1)
    #2 0x7fca3cf88581  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0xa8581)
    #3 0x7fca3d0264de  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x1464de)
    #4 0x50564a  (/home/fish/Desktop/dumb/image/libsixel/fast/fast/bin/img2sixel+0x50564a)
    #5 0x7fca3bf2fb96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fish/Desktop/dumb/image/libsixel/fast/fast/lib/libsixel.so.1+0x70227) 
Shadow bytes around the buggy address:
  0x0ff9a33c0da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9a33c0db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9a33c0dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9a33c0dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9a33c0de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9a33c0df0: 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9a33c0e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9a33c0e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9a33c0e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9a33c0e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9a33c0e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==100553==ABORTING


gef➤  bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:249
#1  0x00007ffff7ba4bae in load_jpeg (result=0x555555777428, data=0x7ffff7fd4010 "\377\330\377", <incomplete sequence \340>, datasize=0x1263b, pwidth=0x555555777438, pheight=0x55555577743c, ppixelformat=0x555555777444, allocator=0x555555777300) at ../../src/loader.c:198
#2  0x00007ffff7ba62d7 in load_with_builtin (pchunk=0x5555557773f0, fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7bac395 <load_image_callback>, context=0x555555777330) at ../../src/loader.c:820
#3  0x00007ffff7ba67d1 in sixel_helper_load_image_file (filename=0x7fffffffe247 "/home/fish/testcase/images/jpg/random.jpg", fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7bac395 <load_image_callback>, finsecure=0x0, cancel_flag=0x555555759014 <signaled>, context=0x555555777330, allocator=0x555555777300) at ../../src/loader.c:1352
#4  0x00007ffff7bac50e in sixel_encoder_encode (encoder=0x555555777330, filename=0x7fffffffe247 "/home/fish/testcase/images/jpg/random.jpg") at ../../src/encoder.c:1737
#5  0x0000555555555545 in main (argc=0x2, argv=0x7fffffffde78) at ../../converters/img2sixel.c:457

[fgeek]

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3573
In libsixel v1.8.2, there is an infinite loop in the function sixel_decode_raw_impl() in the file fromsixel.c, as demonstrated by sixel2png.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3574
In libsixel v1.8.2, there is a heap-based buffer over-read in the function load_jpeg() in the file loader.c, as demonstrated by img2sixel.

[fgeek]

I believe you made a mistake with the heap-based buffer overflow case.

$ ./bin/img2sixel heap-buffer-overflow-poc2
stb_image error
too large

But with sixel2png I get a crash when build with ASan:

./bin/sixel2png -o test heap-buffer-overflow-poc2
=================================================================
==10233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a48d at pc 0x7fba588c753c bp 0x7ffd7fd777b0 sp 0x7ffd7fd777a8
READ of size 1 at 0x60200000a48d thread T0
    #0 0x7fba588c753b in write_png_to_file /home/hsalo/src/libsixel/src/writer.c:140
    #1 0x7fba588c753b in sixel_helper_write_image_file /home/hsalo/src/libsixel/src/writer.c:322
    #2 0x7fba588c52bc in sixel_decoder_decode /home/hsalo/src/libsixel/src/decoder.c:318
    #3 0x563f2065a9c7 in main /home/hsalo/src/libsixel/converters/sixel2png.c:226
    #4 0x7fba57a4d2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x563f2065aff9 in _start (/home/hsalo/builds/libsixel/2df64373e58c4f48fbb72032a66473e71fc2a6ce/bin/sixel2png+0x1ff9)

0x60200000a48d is located 3 bytes to the left of 16-byte region [0x60200000a490,0x60200000a4a0)
freed by thread T0 here:
    #0 0x7fba58be1a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7fba52fb23ef  (/usr/lib/x86_64-linux-gnu/libtasn1.so.6+0xb3ef)

previously allocated by thread T0 here:
    #0 0x7fba58be1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7fba52fb1d08  (/usr/lib/x86_64-linux-gnu/libtasn1.so.6+0xad08)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/libsixel/src/writer.c:140 in write_png_to_file
Shadow bytes around the buggy address:
  0x0c047fff9440: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9450: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9460: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9480: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c047fff9490: fa[fa]fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff94a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff94b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff94c0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff94d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff94e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10233==ABORTING

Also here is CVE-2019-3574.zip minimized reproducer.

[fgeek]

And CVE-2019-3574 looks like duplicate of #82, which was originally reported by shuitao gan to completely wrong place (Red Hat issue tracker and they don't even ship this software). Probably easier for @saitoha to fix single issue per time and then reproduce old cases as it seems that people don't actually care about the quality. They only want CVEs (or something else).

[fgeek]

I have requested MITRE to REJECT CVE-2019-3574.

[cool-tomato]

While in my case, I got the following result:

./debug/debug/bin/img2sixel heap-buffer-overflow-poc2 
Corrupt JPEG data: premature end of data segment
Segmentation fault (core dumped)


gef➤  bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:249
#1  0x00007ffff7ba4bae in load_jpeg (result=0x555555777428, data=0x7ffff7fd4010 "\377\330\377", <incomplete sequence \340>, datasize=0x1263b, pwidth=0x555555777438, pheight=0x55555577743c, ppixelformat=0x555555777444, allocator=0x555555777300) at ../../src/loader.c:198
#2  0x00007ffff7ba62d7 in load_with_builtin (pchunk=0x5555557773f0, fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7bac395 <load_image_callback>, context=0x555555777330) at ../../src/loader.c:820
#3  0x00007ffff7ba67d1 in sixel_helper_load_image_file (filename=0x7fffffffe1fe "/home/fish/Desktop/heap-buffer-overflow-poc2", fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7bac395 <load_image_callback>, finsecure=0x0, cancel_flag=0x555555759014 <signaled>, context=0x555555777330, allocator=0x555555777300) at ../../src/loader.c:1352
#4  0x00007ffff7bac50e in sixel_encoder_encode (encoder=0x555555777330, filename=0x7fffffffe1fe "/home/fish/Desktop/heap-buffer-overflow-poc2") at ../../src/encoder.c:1737
#5  0x0000555555555545 in main (argc=0x2, argv=0x7fffffffde18) at ../../converters/img2sixel.c:457

And, I think this is different from #82.
That problem is occurred in write_to_png, while this is decoding jpeg file.

[cool-tomato]

I believe you made a mistake with the heap-based buffer overflow case.

$ ./bin/img2sixel heap-buffer-overflow-poc2
stb_image error
too large

But with sixel2png I get a crash when build with ASan:

./bin/sixel2png -o test heap-buffer-overflow-poc2
=================================================================
==10233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a48d at pc 0x7fba588c753c bp 0x7ffd7fd777b0 sp 0x7ffd7fd777a8

The reason for that is，this need to be configured with libjpeg.

--with-jpeg whether to build with libjpeg (default: auto)

libsixel was configured as follows

   Loader component    : stb_image
   libcurl integration : yes
   pkg-config dir      : ${exec_prefix}/lib/pkgconfig
   Bash completion dir : ${datarootdir}/bash-completion/completions
   Zsh completion dir  : ${datarootdir}/zsh/site-functions
   python bindings     : yes: ${prefix}/lib/python2.7/site-packages
   gcov integration    : no
   debugging           : no
   tests               : no

[fgeek]

@cool-tomato Thank you for clarification and your efforts. Keep up the good work!