Heap-buffer-overflow when loading an image in imlib_load_image_with_error_return() #709
Comments
What imlib2 version are you using? I fixed a buffer overrun in the TGA loader about 8 months ago.
Can confirm that this happens on imlib2 v1.9.1 but doesn't happen on imlib2's master branch.
Thanks for your quick response.
I tested with the master branch of imlib2 and confirmed that all the vulnerabilities are fixed. (Plus) I failed to install feh with the master branch of imlib2 by downloading its code on Ubuntu 20.04.5 LTS, whereas it succeeded on Ubuntu 22.04 LTS.
Thanks for reporting this! Library handling is the distribution's business and outside of feh's scope, so I don't see anything I could fix here.
Hi there
We want to share that the latest version (3.10) of feh causes a heap-buffer-overflow when executed with a crafted input via argument -l.
We assume that the invalid memory access happens due to the improper processing of malformed input in imlib_load_image_with_error_return() in spite of the error handling.
Here is the output of the program with AddressSanitizer attached.
Bug Report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1823579==ERROR: AddressSanitizer: SEGV on unknown address 0x62c000030e80 (pc 0x7f4b9ab30368 bp 0x0000000000e0 sp 0x7fffdec0b838 T0)
==1823579==The signal is caused by a READ memory access.
#0 0x7f4b9ab30367 (/usr/lib/x86_64-linux-gnu/imlib2/loaders/tga.so+0x1367)
#1 0x7f4b9ab31079 in load (/usr/lib/x86_64-linux-gnu/imlib2/loaders/tga.so+0x2079)
#2 0x7f4b9eaa8610 (/lib/x86_64-linux-gnu/libImlib2.so.1+0x23610)
#3 0x7f4b9eaa94f9 (/lib/x86_64-linux-gnu/libImlib2.so.1+0x244f9)
#4 0x7f4b9ea8e889 in imlib_load_image_with_error_return (/lib/x86_64-linux-gnu/libImlib2.so.1+0x9889)
#5 0x561318e7ac6b in feh_load_image /home/ubuntu/targets/feh-3.10_sanitizer/src/imlib.c:352
#6 0x561318e73c7b in feh_file_info_load /home/ubuntu/targets/feh-3.10_sanitizer/src/filelist.c:369
#7 0x561318e73e60 in feh_file_info_preload /home/ubuntu/targets/feh-3.10_sanitizer/src/filelist.c:316
#8 0x561318e74700 in feh_prepare_filelist /home/ubuntu/targets/feh-3.10_sanitizer/src/filelist.c:491
#9 0x561318ea03b0 in init_parse_options /home/ubuntu/targets/feh-3.10_sanitizer/src/options.c:109
#10 0x561318e6caf1 in main /home/ubuntu/targets/feh-3.10_sanitizer/src/main.c:57
#11 0x7f4b9e8b7082 in __libc_start_main ../csu/libc-start.c:308
#12 0x561318e6d06d in _start (/home/ubuntu/targets/feh-3.10_sanitizer/src/feh+0x1806d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/imlib2/loaders/tga.so+0x1367)
==1823579==ABORTING
Environment
OS: Ubuntu 20.04.5 LTS / 22.04 LTS
Release: Feh 3.10
Library: imlib2 1.6.1 and imlib2 1.7.4
Program: feh
How to reproduce
$ feh poc-file -l
poc-file is attached.
poc-file.txt