Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-use-after-free in libsixel/src/dither.c:379 #27

Closed
a4865g opened this issue Sep 14, 2021 · 9 comments · Fixed by #28
Closed

heap-use-after-free in libsixel/src/dither.c:379 #27

a4865g opened this issue Sep 14, 2021 · 9 comments · Fixed by #28
Assignees
Labels
bug Something isn't working

Comments

@a4865g
Copy link

a4865g commented Sep 14, 2021

Hi,I found a heap-use-after-free in the current master fb32912
It sames with the saitoha/libsixel/issue#157 (I just found the problem.)

OS: Ubuntu 20.04.3 LTS x86_64
Kernel: 5.11.0-27-generic

POC: poc.zip

It's the command line's report:

$ ./img2sixel -o ./a.sixel -8 -p 1 -C 10 -d fs -f auto -s auto -t auto -E auto /home/wulearn/Desktop/test_dir/poc 
unexpected error (SIXEL_FALSE)
unable to allocate 0 bytes for a 0-entry tuple table

and here is the ASAN report for saitoha/libsixel (the current master [6a5be8b]):

$ ./img2sixel -o ./a.sixel -8 -p 1 -C 10 -d fs -f auto -s auto -t auto -E ~/Downloads/poc
=================================================================
==3495149==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000000a0 at pc 0x7ffff74e92cd bp 0x7fffffff84d0 sp 0x7fffffff84c0
READ of size 4 at 0x6080000000a0 thread T0
    #0 0x7ffff74e92cc in sixel_dither_unref /home/wulearn/Desktop/libsixel/src/dither.c:388
    #1 0x7ffff7537374 in sixel_encoder_encode_frame /home/wulearn/Desktop/libsixel/src/encoder.c:1079
    #2 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/libsixel/src/encoder.c:1679
    #3 0x7ffff7531302 in load_gif /home/wulearn/Desktop/libsixel/src/fromgif.c:671
    #4 0x7ffff752abc9 in load_with_builtin /home/wulearn/Desktop/libsixel/src/loader.c:908
    #5 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/libsixel/src/loader.c:1418
    #6 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/libsixel/src/encoder.c:1743
    #7 0x555555558a3b in main /home/wulearn/Desktop/libsixel/converters/img2sixel.c:457
    #8 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x55555555638d in _start (/home/wulearn/Desktop/libsixel/converters/.libs/img2sixel+0x238d)

0x6080000000a0 is located 0 bytes inside of 94-byte region [0x6080000000a0,0x6080000000fe)
freed by thread T0 here:
    #0 0x7ffff76a27cf in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x7ffff7549523 in sixel_allocator_free /home/wulearn/Desktop/libsixel/src/allocator.c:230
    #2 0x7ffff74e9226 in sixel_dither_destroy /home/wulearn/Desktop/libsixel/src/dither.c:368
    #3 0x7ffff74e92f1 in sixel_dither_unref /home/wulearn/Desktop/libsixel/src/dither.c:389
    #4 0x7ffff75352bf in sixel_encoder_prepare_palette /home/wulearn/Desktop/libsixel/src/encoder.c:584
    #5 0x7ffff75369a4 in sixel_encoder_encode_frame /home/wulearn/Desktop/libsixel/src/encoder.c:981
    #6 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/libsixel/src/encoder.c:1679
    #7 0x7ffff7531302 in load_gif /home/wulearn/Desktop/libsixel/src/fromgif.c:671
    #8 0x7ffff752abc9 in load_with_builtin /home/wulearn/Desktop/libsixel/src/loader.c:908
    #9 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/libsixel/src/loader.c:1418
    #10 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/libsixel/src/encoder.c:1743
    #11 0x555555558a3b in main /home/wulearn/Desktop/libsixel/converters/img2sixel.c:457
    #12 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7ffff76a2bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x555555558c4e in rpl_malloc /home/wulearn/Desktop/libsixel/converters/malloc_stub.c:45
    #2 0x7ffff7549243 in sixel_allocator_malloc /home/wulearn/Desktop/libsixel/src/allocator.c:162
    #3 0x7ffff74e8a7a in sixel_dither_new /home/wulearn/Desktop/libsixel/src/dither.c:306
    #4 0x7ffff7535133 in sixel_encoder_prepare_palette /home/wulearn/Desktop/libsixel/src/encoder.c:570
    #5 0x7ffff75369a4 in sixel_encoder_encode_frame /home/wulearn/Desktop/libsixel/src/encoder.c:981
    #6 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/libsixel/src/encoder.c:1679
    #7 0x7ffff7531302 in load_gif /home/wulearn/Desktop/libsixel/src/fromgif.c:671
    #8 0x7ffff752abc9 in load_with_builtin /home/wulearn/Desktop/libsixel/src/loader.c:908
    #9 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/libsixel/src/loader.c:1418
    #10 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/libsixel/src/encoder.c:1743
    #11 0x555555558a3b in main /home/wulearn/Desktop/libsixel/converters/img2sixel.c:457
    #12 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free /home/wulearn/Desktop/libsixel/src/dither.c:388 in sixel_dither_unref
Shadow bytes around the buggy address:
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8010: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3495149==ABORTING
@dankamongmen
Copy link
Collaborator

w00t, good job once again!

would you like to try and take this one? otherwise, i can probably knock it out this afternoon after some meetings.

thanks for the good find!

@dankamongmen
Copy link
Collaborator

alright, i've got a fix for this. putting up a PR shortly.

@dankamongmen dankamongmen self-assigned this Sep 18, 2021
@dankamongmen dankamongmen added the bug Something isn't working label Sep 18, 2021
@dankamongmen
Copy link
Collaborator

i don't get the same abort you do, but i definitely get plenty of valgrind output:

==2927067== Use of uninitialised value of size 8
==2927067==    at 0x489A5B4: sixel_quant_make_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871AEE: sixel_dither_initialize (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872B8B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Use of uninitialised value of size 8
==2927067==    at 0x489A5BF: sixel_quant_make_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871AEE: sixel_dither_initialize (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872B8B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Use of uninitialised value of size 8
==2927067==    at 0x489A5CF: sixel_quant_make_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871AEE: sixel_dither_initialize (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872B8B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Use of uninitialised value of size 8
==2927067==    at 0x489A641: sixel_quant_make_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871AEE: sixel_dither_initialize (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872B8B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x489945E: splitBox.isra.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x489AC56: sixel_quant_make_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871AEE: sixel_dither_initialize (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872B8B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x4899466: splitBox.isra.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x489AC56: sixel_quant_make_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871AEE: sixel_dither_initialize (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872B8B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x4957627: msort_with_tmp.part.0 (msort.c:83)
==2927067==    by 0x49575B1: msort_with_tmp (msort.c:45)
==2927067==    by 0x49575B1: msort_with_tmp.part.0 (msort.c:54)
==2927067==    by 0x4957955: msort_with_tmp (msort.c:45)
==2927067==    by 0x4957955: qsort_r (msort.c:297)
==2927067==    by 0x4899578: splitBox.isra.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x489AC56: sixel_quant_make_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871AEE: sixel_dither_initialize (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872B8B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x4957627: msort_with_tmp.part.0 (msort.c:83)
==2927067==    by 0x4957955: msort_with_tmp (msort.c:45)
==2927067==    by 0x4957955: qsort_r (msort.c:297)
==2927067==    by 0x4899578: splitBox.isra.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x489AC56: sixel_quant_make_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871AEE: sixel_dither_initialize (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872B8B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x489B25E: sixel_quant_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871CF0: sixel_dither_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AAD1B: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x489B64D: sixel_quant_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871CF0: sixel_dither_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AAD1B: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x4898CB0: lookup_fast (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x489B863: sixel_quant_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871CF0: sixel_dither_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AAD1B: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Use of uninitialised value of size 8
==2927067==    at 0x4898C4E: lookup_fast (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x489B863: sixel_quant_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871CF0: sixel_dither_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AAD1B: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Use of uninitialised value of size 8
==2927067==    at 0x4898CC9: lookup_fast (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x489B863: sixel_quant_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4871CF0: sixel_dither_apply_palette (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AAD1B: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x48A7311: output_rgb_palette_definition.part.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48A7B4B: sixel_encode_body (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AB282: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x48A7394: output_rgb_palette_definition.part.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48A7B4B: sixel_encode_body (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AB282: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Conditional jump or move depends on uninitialised value(s)
==2927067==    at 0x48A7411: output_rgb_palette_definition.part.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48A7B4B: sixel_encode_body (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AB282: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067== 
==2927067== Syscall param write(buf) points to uninitialised byte(s)
==2927067==    at 0x4A07963: write (write.c:26)
==2927067==    by 0x4871FD4: sixel_write_callback (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48A7077: sixel_encode_footer (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48AB295: sixel_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x48725F0: sixel_encoder_output_without_macro (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D6C: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)
==2927067==  Address 0x4c6d28f is 111 bytes inside a block of size 32,864 alloc'd
==2927067==    at 0x48397B5: malloc (vg_replace_malloc.c:380)
==2927067==    by 0x4897C95: sixel_output_new (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4872D2B: sixel_encoder_encode_frame.constprop.0 (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4895847: load_with_builtin (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4897C17: sixel_helper_load_image_file (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x4874771: sixel_encoder_encode (in /home/dank/src/dankamongmen/libsixel/build/src/libsixel.so)
==2927067==    by 0x109919: main (in /home/dank/src/dankamongmen/libsixel/build/converters/img2sixel)

@dankamongmen
Copy link
Collaborator

all that valgrind output i dumped in above ought be investigated, too. but this issue is handled. thanks again, @a4865g !

@dankamongmen
Copy link
Collaborator

really the root cause here was that we wanted a 0-entry table at all. i assume "poc" as you provided it is some kind of fuzzing output? it's definitely not a real image, right? so long as we kick it out at the 0-allocation point, i suppose that's fine.

@a4865g
Copy link
Author

a4865g commented Sep 18, 2021

really the root cause here was that we wanted a 0-entry table at all. i assume "poc" as you provided it is some kind of fuzzing output? it's definitely not a real image, right? so long as we kick it out at the 0-allocation point, i suppose that's fine.

Yes! the "poc" is generated by Fuzz testing.😊

@dankamongmen
Copy link
Collaborator

dankamongmen commented Sep 18, 2021

really the root cause here was that we wanted a 0-entry table at all. i assume "poc" as you provided it is some kind of fuzzing output? it's definitely not a real image, right? so long as we kick it out at the 0-allocation point, i suppose that's fine.

Yes! the "poc" is generated by Fuzz testing.

yeah, once two PoCs came in without patches remedying the faults, that's what i figured =] your efforts are greatly appreciated! this bug made me finally run valgrind over it, and i fixed up everything encountered along the run, and cut that as 1.10.1.

you asked last time if i would mind you filing a CVE. i once again answer that you ought do whatever you'd like. it's not my code, and i have no attachment to it. with that said, these particular bugs have been on error paths etc., in a library that's typically used as a single shot. i doubt that they're very easily exploited to do anything DOS-like, let alone RCE, especially in actual applications. i gather that you're a student--my advice is to enjoy reporting bugs, and being credited with that reporting, and learning practical techniques on real-world code. in my experience, trying to talk this kind of thing up into a CVE ends up embarrassing a decade down the road. The kind of university student that does what you're doing is going to have plenty of things to be proud of that didn't require dressing things up =].

just some unrequested advice. hack on!

@a4865g
Copy link
Author

a4865g commented Sep 18, 2021

yeah, you said it very well. Thank you very much for some very good advice !!

I will enjoy the process !!!

@dankamongmen
Copy link
Collaborator

be proud and enjoy; you're kicking ass =D

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants