NULL pointer dereference in stb_image.h #51
Comments
ugh, does libsixel have an undeclared vendored version of stb? ugh! thanks for the report, looking into it now for a possible quick fix.
yes, gross, why aren't we just using the system libstb-dev?
Thanks a lot for the heads up, @eldstal . I've got a PR out which brings in 2.26, though I see from your original message that we actually need 2.27, so I'll get on that.
This must be the fastest turnaround I've ever seen on an issue. Good work, I hope you have time to eat and drink!
so this wasn't even supposed to be using STB, except for a bug where the compile-time config wasn't being checked correctly. it now ought to use libpng when present, and i'm thinking we ought to yank out this vendored library.
Upstream is staunchly opposed to providing git tags, a build system, a binary library, a pkg-config file, or any combination of the above. In the event you happen to be building for a Debian system, and nothing but a Debian system, Debian provides a system package of libstb, with a number of "helpful" patches applied, such as (This Makefile then compiles and installs a Debian-specific libstb.so.0, stb.pc, etc.)
good lord. i'd like to move ahead with #55, though at this point my hopes are really on dankamongmen/notcurses#2383.
This vulnerability has been assigned CVE-2021-45340. Thanks again for fixing it so quickly, best of luck with future development!
This is a duplicate report of issue 160 in the original project. I'm not sure where best to report this, but it affects both projects.

Vulnerable versions

Steps to reproduce

img2sixel stbio_1561_poc.bin

Input file (a malformed PICT-format image) is attached.

Cause

Segmentation fault in stbi__convert_format at stb_image.h:1561: the src pointer is NULL, as passed in from stbi__pic_load. The source of the NULL pointer is the malloc at line 6120, whose output is never checked for NULL. The x and y dimensions (39168, 5888) are read directly from the input file, and they pass the check in stbi__mad3sizes_valid, which only checks for integer overflow. The total size of the allocated buffer is 39168 * 5888 * 4 and allocation fails.

Impact

Denial of service is the only obvious impact.

Mitigation

stb_image starting at version 2.27 (commit 50072f66589f52f51eb5b3f56b9272ea8ec1fdac) includes a check for this condition. libsixel should be brought up to date with this version if possible. If not, backport the check as well as similar error checks for other malloc calls.
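As an added illustration of the allocation pattern the report describes (this is example code written for this page, not code from the report, libsixel or stb_image), the C sketch below shows an overflow-only size check in the spirit of stbi__mad3sizes_valid letting the 39168 x 5888 x 4 request through, and the hardened allocation path that checks the malloc result instead of passing a NULL buffer downstream. The names mad3sizes_valid, alloc_pixels, IMG_MAX_DIM and the swappable allocator hook are hypothetical, and the per-dimension cap is an additional assumption of this example, not something the report or the 2.27 fix specifies.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-dimension cap; an assumption for this example, not a
   value taken from the report or from stb_image. */
#define IMG_MAX_DIM 16384

/* Overflow-only check in the spirit of the one the report describes:
   returns 1 when a*b*c fits in a non-negative int. It says nothing about
   whether that much memory can actually be obtained from malloc. */
static int mad3sizes_valid(int a, int b, int c) {
    if (a < 0 || b < 0 || c < 0) return 0;
    if (b != 0 && a > INT_MAX / b) return 0;        /* a*b overflows */
    if (c != 0 && a * b > INT_MAX / c) return 0;    /* a*b*c overflows */
    return 1;
}

enum alloc_status { ALLOC_OK = 0, ALLOC_BAD_DIMS, ALLOC_OVERFLOW, ALLOC_OOM };

typedef struct {
    int w, h, ch;
    unsigned char *data;
    size_t bytes;
} image_buf;

/* Swappable allocator (hypothetical test hook) so the out-of-memory path
   can be exercised without actually exhausting memory. */
static void *(*img_malloc)(size_t) = malloc;
static void set_allocator(void *(*fn)(size_t)) { img_malloc = fn ? fn : malloc; }
static void *fail_malloc(size_t n) { (void)n; return NULL; }

/* Allocate a w*h*ch pixel buffer the way a fixed decoder path should:
   reject absurd dimensions, check for overflow, then check the allocation
   result rather than handing a NULL pointer to the conversion routine. */
static enum alloc_status alloc_pixels(int w, int h, int ch, image_buf *out) {
    memset(out, 0, sizeof *out);
    if (w <= 0 || h <= 0 || ch <= 0 || ch > 4) return ALLOC_BAD_DIMS;
    if (w > IMG_MAX_DIM || h > IMG_MAX_DIM) return ALLOC_BAD_DIMS;
    if (!mad3sizes_valid(w, h, ch)) return ALLOC_OVERFLOW;
    size_t bytes = (size_t)w * (size_t)h * (size_t)ch;
    unsigned char *p = img_malloc(bytes);
    if (!p) return ALLOC_OOM;   /* the check the report says is missing at line 6120 */
    out->w = w; out->h = h; out->ch = ch; out->data = p; out->bytes = bytes;
    return ALLOC_OK;
}

static void free_pixels(image_buf *b) { free(b->data); memset(b, 0, sizeof *b); }

/* The dimensions from the report pass the overflow-only check (returns 1)... */
static int report_dims_pass_overflow_check(void) { return mad3sizes_valid(39168, 5888, 4); }

/* ...but the hardened path rejects them before any allocation is attempted. */
static int report_dims_status(void) {
    image_buf b;
    return (int)alloc_pixels(39168, 5888, 4, &b);
}

/* A sane image allocates normally; returns its byte count (64*64*4 = 16384). */
static size_t small_image_bytes(void) {
    image_buf b;
    if (alloc_pixels(64, 64, 4, &b) != ALLOC_OK) return 0;
    size_t n = b.bytes;
    free_pixels(&b);
    return n;
}

/* With a failing allocator the caller gets ALLOC_OOM instead of a NULL src. */
static int oom_path_status(void) {
    image_buf b;
    set_allocator(fail_malloc);
    int s = (int)alloc_pixels(64, 64, 4, &b);
    set_allocator(NULL);
    return s;
}

int main(void) {
    int ok = report_dims_pass_overflow_check() == 1
          && report_dims_status() == ALLOC_BAD_DIMS
          && small_image_bytes() == 16384
          && oom_path_status() == ALLOC_OOM;
    return ok ? 0 : 1;
}
```

The point of the two report_dims_* functions is the gap the report identifies: an overflow check bounds the arithmetic, not the allocation, so a decoder still has to test the pointer malloc returns (and, as this example additionally assumes, may want to refuse attacker-supplied dimensions far beyond anything it expects before asking for hundreds of megabytes at all).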