heap-use-after-free in libsixel/src/dither.c:379 #27

Hi, I found a heap-use-after-free in the current master fb32912
It's the same as saitoha/libsixel issue #157 (I just found the problem.)
OS: Ubuntu 20.04.3 LTS x86_64
Kernel: 5.11.0-27-generic
POC: poc.zip
It's the command line's report:
and here is the ASAN report for saitoha/libsixel (the current master [6a5be8b]):

Comments

w00t, good job once again! would you like to try and take this one? otherwise, i can probably knock it out this afternoon after some meetings. thanks for the good find!

alright, i've got a fix for this. putting up a PR shortly.

i don't get the same abort you do, but i definitely get plenty of valgrind output:

all that valgrind output i dumped in above ought to be investigated, too. but this issue is handled. thanks again, @a4865g !

really the root cause here was that we wanted a 0-entry table at all. i assume "poc" as you provided it is some kind of fuzzing output? it's definitely not a real image, right? so long as we kick it out at the 0-allocation point, i suppose that's fine.

Yes! The "poc" is generated by fuzz testing.

yeah, once two PoCs came in without patches remedying the faults, that's what i figured =] your efforts are greatly appreciated! this bug made me finally run valgrind over it, and i fixed up everything encountered along the run, and cut that as 1.10.1. you asked last time if i would mind you filing a CVE. i once again answer that you ought to do whatever you'd like. it's not my code, and i have no attachment to it. with that said, these particular bugs have been on error paths etc., in a library that's typically used as a single shot. i doubt that they're very easily exploited to do anything DOS-like, let alone RCE, especially in actual applications. i gather that you're a student--my advice is to enjoy reporting bugs, and being credited with that reporting, and learning practical techniques on real-world code. in my experience, trying to talk this kind of thing up into a CVE ends up embarrassing a decade down the road. The kind of university student that does what you're doing is going to have plenty of things to be proud of that didn't require dressing things up =]. just some unrequested advice. hack on!

yeah, you said it very well. Thank you very much for some very good advice!! I will enjoy the process!!!

be proud and enjoy; you're kicking ass =D
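The maintainer's root-cause comment in this thread (a 0-entry table should never have been built; reject it at the 0-allocation point) generalises to any lookup table whose size is derived from untrusted input. The block below is an added example written for this page, not libsixel's code and not the fix in the PR: the type and function names (color_table, table_create, table_nearest, quantize, run_sample) are hypothetical, and the palette and pixel values are constructed. It models a nearest-colour quantizer that refuses a zero-entry table before allocating anything, so no downstream code ever indexes, frees or reuses an empty table.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical palette table (not libsixel's real type): ncolors entries
 * of 3 bytes (R, G, B) each. */
typedef struct {
    size_t ncolors;
    uint8_t *rgb;
} color_table;

/* Builds the table. The ncolors == 0 check is the class of fix the thread
 * describes: an empty table is rejected before anything is allocated, so
 * nothing later can index a zero-byte buffer or free and reuse a table it
 * never validly held. Returns NULL on rejection or allocation failure. */
static color_table *table_create(size_t ncolors, const uint8_t *rgb)
{
    if (ncolors == 0)             /* the guard that closes the bug class */
        return NULL;
    if (ncolors > SIZE_MAX / 3)   /* keep the multiply below from wrapping */
        return NULL;
    color_table *t = malloc(sizeof *t);
    if (t == NULL)
        return NULL;
    t->rgb = malloc(ncolors * 3);
    if (t->rgb == NULL) {
        free(t);
        return NULL;
    }
    memcpy(t->rgb, rgb, ncolors * 3);
    t->ncolors = ncolors;
    return t;
}

static void table_destroy(color_table *t)
{
    if (t != NULL) {
        free(t->rgb);
        free(t);
    }
}

/* Nearest-colour search by squared RGB distance. Without the guard above,
 * ncolors == 0 would make the loop body never run, so this would "find"
 * index 0 in a table that has no entry 0, and every later t->rgb[0..2]
 * read would be an out-of-bounds heap access. */
static size_t table_nearest(const color_table *t, uint8_t r, uint8_t g, uint8_t b)
{
    size_t best = 0;
    unsigned long best_d = ~0UL;
    for (size_t i = 0; i < t->ncolors; i++) {
        long dr = (long)t->rgb[i * 3] - r;
        long dg = (long)t->rgb[i * 3 + 1] - g;
        long db = (long)t->rgb[i * 3 + 2] - b;
        unsigned long d = (unsigned long)(dr * dr + dg * dg + db * db);
        if (d < best_d) {
            best_d = d;
            best = i;
        }
    }
    return best;
}

/* Maps each RGB pixel to a palette index. Returns 0 on success and -1 when
 * the table cannot be built (including the zero-entry case), in which case
 * out_idx is left untouched. */
static int quantize(const uint8_t *pixels, size_t npixels,
                    const uint8_t *palette, size_t ncolors, uint8_t *out_idx)
{
    color_table *t = table_create(ncolors, palette);
    if (t == NULL)
        return -1;
    for (size_t i = 0; i < npixels; i++)
        out_idx[i] = (uint8_t)table_nearest(t, pixels[i * 3],
                                            pixels[i * 3 + 1], pixels[i * 3 + 2]);
    table_destroy(t);
    return 0;
}

/* Constructed sample input: a black/white palette and two pixels. The
 * caller chooses how many palette entries to claim, so the same data can
 * exercise both the valid (2) and the rejected (0) path. */
static int run_sample(size_t ncolors, uint8_t idx_out[2])
{
    static const uint8_t palette[] = { 0, 0, 0, 255, 255, 255 };
    static const uint8_t pixels[]  = { 10, 10, 10, 240, 240, 240 };
    return quantize(pixels, 2, palette, ncolors, idx_out);
}

/* Convenience wrappers returning plain values: the quantize() return code
 * for a given claimed table size, and the index chosen for pixel `which`
 * with the 2-entry table (-1 if quantize() failed). */
static int sample_rc(size_t ncolors)
{
    uint8_t idx[2];
    return run_sample(ncolors, idx);
}

static int sample_index(int which)
{
    uint8_t idx[2];
    if (run_sample(2, idx) != 0)
        return -1;
    return idx[which];
}

int main(void)
{
    printf("2-entry table: rc=%d idx=[%d,%d]\n",
           sample_rc(2), sample_index(0), sample_index(1));
    printf("0-entry table: rc=%d (rejected before allocation)\n", sample_rc(0));
    return 0;
}
```

Checking the entry count where it is derived, rather than at each use, is the cheap version of the fix: a fuzzer-generated input like the poc in this thread can drive a size to zero through paths a real image never takes, and a single early rejection covers every downstream index, free and reuse at once.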