
heap-buffer-overflow /src/tosixel.c:848 in sixel_encode_body_ormode #72

Open
13579and2468 opened this issue Feb 3, 2023 · 0 comments

I found a heap-buffer-overflow (SEGV) when fuzzing img2sixel.

version

$ ./builddir/converters/img2sixel --version
img2sixel 1.10.3

configured with:
  libcurl: no
  libpng: no
  libjpeg: yes
  gdk-pixbuf2: no
  GD: no

Copyright (C) 2014-2018 Hayaki Saito <saitoha@me.com>.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

$ git log --oneline -1
490ec15 (HEAD -> master, origin/master, origin/HEAD) Fix double free in src/encoder.c when parsing bgcolor

normal run

$ ./libsixel/builddir/converters/img2sixel -O poc.png
fish: Job 1, './libsixel/builddir/converters/…' terminated by signal SIGSEGV (Address boundary error)

asan report

$ ./libsixel/build-asan/converters/img2sixel -O poc.png
=================================================================
==3717962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffb3d4f5dc0 at pc 0x7ffb41e51f36 bp 0x7ffd05d6e110 sp 0x7ffd05d6e100
READ of size 1 at 0x7ffb3d4f5dc0 thread T0
    #0 0x7ffb41e51f35 in sixel_encode_body_ormode ../src/tosixel.c:848
    #1 0x7ffb41e51f35 in sixel_encode_dither ../src/tosixel.c:943
    #2 0x7ffb41e51f35 in sixel_encode ../src/tosixel.c:1659
    #3 0x7ffb41dd98de in sixel_encoder_output_without_macro ../src/encoder.c:790
    #4 0x7ffb41ddad44 in sixel_encoder_encode_frame ../src/encoder.c:1008
    #5 0x7ffb41e328d6 in load_with_builtin ../src/loader.c:924
    #6 0x7ffb41e39530 in sixel_helper_load_image_file ../src/loader.c:1379
    #7 0x7ffb41ddff65 in sixel_encoder_encode ../src/encoder.c:1696
    #8 0x55b0c4095f8f in main ../converters/img2sixel.c:439
    #9 0x7ffb41bcb082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55b0c409626d in _start (/home/a13579/fuzz_libsixel/libsixel/build-asan/converters/img2sixel+0x426d)

0x7ffb3d4f5dc0 is located 0 bytes to the right of 5400000-byte region [0x7ffb3cfcf800,0x7ffb3d4f5dc0)
allocated by thread T0 here:
    #0 0x7ffb41fa6808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7ffb41dd97f3 in sixel_encoder_output_without_macro ../src/encoder.c:762
    #2 0x7ffb41e57407  (/home/a13579/fuzz_libsixel/libsixel/build-asan/converters/../src/libsixel.so.1+0xbe407)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/tosixel.c:848 in sixel_encode_body_ormode
Shadow bytes around the buggy address:
  0x0fffe7a96b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffe7a96b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffe7a96b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffe7a96b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffe7a96ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fffe7a96bb0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0fffe7a96bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fffe7a96bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fffe7a96be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fffe7a96bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fffe7a96c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3717962==ABORTING

poc
