
A memory leaks issue in image_buffer_resize at fromsixel.c:293 #120

Closed
gutiniao opened this issue Dec 18, 2019 · 5 comments

Comments

@gutiniao

A crafted input will lead to a crash in frompnm.c at libsixel 1.8.3 (git from the branch).

Triggered by:
./img2sixel 000-memleak-rpl_malloc

PoC:
000-memleak-rpl_malloc

The ASAN info:

# ./img2sixel 000-memleak-rpl_malloc 
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.

=================================================================
==9353==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f99a109eb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x5583fae75543 in rpl_malloc /home/liuz/libsixel-2019/libsixel/converters/malloc_stub.c:45
    #2 0x7f99a0d76834 in sixel_allocator_malloc /home/liuz/libsixel-2019/libsixel/src/allocator.c:155
    #3 0x7f99a0d03b74 in image_buffer_resize /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:293
    #4 0x7f99a0d057ed in sixel_decode_raw_impl /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:590
    #5 0x7f99a0d08031 in sixel_decode_raw /home/liuz/libsixel-2019/libsixel/src/fromsixel.c:925
    #6 0x7f99a0d57a16 in load_sixel /home/liuz/libsixel-2019/libsixel/src/loader.c:619
    #7 0x7f99a0d58c1a in load_with_builtin /home/liuz/libsixel-2019/libsixel/src/loader.c:788
    #8 0x7f99a0d5989f in sixel_helper_load_image_file /home/liuz/libsixel-2019/libsixel/src/loader.c:1368
    #9 0x7f99a0d691d6 in sixel_encoder_encode /home/liuz/libsixel-2019/libsixel/src/encoder.c:1737
    #10 0x5583fae7532e in main /home/liuz/libsixel-2019/libsixel/converters/img2sixel.c:457
    #11 0x7f99a08f7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).

About the code:

image_buffer_resize(
    image_buffer_t     *image,
    int                 width,
    int                 height,
    int                 bgindex,
    sixel_allocator_t  *allocator)
{
    SIXELSTATUS status = SIXEL_FALSE;
    size_t size;
    unsigned char *alt_buffer;
    int n;
    int min_height;

    size = (size_t)(width * height);
->    alt_buffer = (unsigned char *)sixel_allocator_malloc(allocator, size);
    if (alt_buffer == NULL || size == 0) {
        /* free source image */
        sixel_allocator_free(allocator, image->data
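Added illustration, not code from libsixel or from this thread: a stand-alone C model of the allocate-then-check pattern in the excerpt above, next to a validate-then-allocate form. It assumes the leaked block is the `alt_buffer` obtained just before the `size == 0` early exit, which the excerpt shows being allocated but, as far as it is visible, never released on that branch; `image_buffer_t`, the allocator wrappers and the live-block counter are constructed stand-ins, and the project's actual fix may differ from `resize_fixed`.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libsixel's image_buffer_t (not the project's own). */
typedef struct { unsigned char *data; int width; int height; } image_buffer_t;

static int g_live = 0;   /* blocks currently allocated, for leak counting */

static void *ex_malloc(size_t n)
{
    /* Like the rpl_malloc stub in the trace: a 0-byte request still returns
     * a real block, which must be freed like any other. */
    void *p = malloc(n == 0 ? 1 : n);
    if (p != NULL) { g_live++; }
    return p;
}

static void ex_free(void *p)
{
    if (p != NULL) { g_live--; free(p); }
}

/* Copy the overlapping region of the old image and paint the rest with
 * bgindex; shared by both resize variants below. */
static void copy_into(const image_buffer_t *image, unsigned char *dst,
                      int width, int height, int bgindex)
{
    int min_h = height < image->height ? height : image->height;
    int min_w = width < image->width ? width : image->width;
    memset(dst, bgindex, (size_t)width * (size_t)height);
    for (int n = 0; n < min_h; ++n) {
        memcpy(dst + (size_t)width * n,
               image->data + (size_t)image->width * n, (size_t)min_w);
    }
}

/* Allocate-first pattern as in the excerpt: when size == 0 the early exit
 * frees the source image but never releases alt_buffer. */
int resize_leaky(image_buffer_t *image, int width, int height, int bgindex)
{
    size_t size = (size_t)(width * height);
    unsigned char *alt_buffer = ex_malloc(size);
    if (alt_buffer == NULL || size == 0) {
        ex_free(image->data);
        image->data = NULL;
        return -1;                  /* alt_buffer leaked here */
    }
    copy_into(image, alt_buffer, width, height, bgindex);
    ex_free(image->data);
    image->data = alt_buffer;
    image->width = width;
    image->height = height;
    return 0;
}

/* Hardened form: validate the dimensions (including int overflow of
 * width * height) before allocating, so the error path owns nothing. */
int resize_fixed(image_buffer_t *image, int width, int height, int bgindex)
{
    size_t size;
    unsigned char *alt_buffer;
    if (width <= 0 || height <= 0 || width > INT_MAX / height) {
        return -1;                  /* source image stays with the caller */
    }
    size = (size_t)width * (size_t)height;
    alt_buffer = ex_malloc(size);
    if (alt_buffer == NULL) { return -1; }
    copy_into(image, alt_buffer, width, height, bgindex);
    ex_free(image->data);
    image->data = alt_buffer;
    image->width = width;
    image->height = height;
    return 0;
}

/* Resize a constructed 2x2 image, release what the image still owns and
 * return the number of blocks left live (0 means no leak). On success
 * *px_out receives the bottom-right pixel of the result. */
int leaked_blocks(int (*resize)(image_buffer_t *, int, int, int),
                  int width, int height, int *px_out)
{
    image_buffer_t img;
    g_live = 0;
    img.data = ex_malloc(4);
    img.width = 2;
    img.height = 2;
    memset(img.data, 7, 4);
    if (resize(&img, width, height, 0xFF) == 0 && px_out != NULL) {
        *px_out = img.data[(size_t)width * (size_t)height - 1];
    }
    ex_free(img.data);
    return g_live;
}
```

`leaked_blocks(resize_leaky, 0, 5, NULL)` reports one live block after cleanup (the unreleased `alt_buffer`), while `resize_fixed` reports none for the same input and also rejects a `width * height` that would overflow `int` before touching the allocator. Checking the dimensions before allocating is what removes the leak: an error path that owns no fresh buffer has nothing to forget.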
@saitoha
Owner

saitoha commented Dec 18, 2019

I can't reproduce it.

$ CC=gcc-7 CFLAGS="-O0 -g -fsanitize=address,leak -fno-omit-frame-pointer" LDFLAGS="-lasan " LDADD="-static-libasan " ./configure --without-png --without-jpeg && make install 
$ git show -s
commit 0cbee9f1aea69f054e8e269395cdbddc753fd0ad (HEAD -> release-1.8, origin/release-1.8)
Author: Hayaki Saito <saitoha@me.com>
Date:   Wed Dec 18 07:57:25 2019 +0900

    Update README
$ img2sixel -V | head -n9
img2sixel 1.8.3

configured with:
  libcurl: yes
  libpng: no
  libjpeg: no
  gdk-pixbuf2: no
  GD: no
$ img2sixel 'https://github.com/gutiniao/afltest/blob/master/000-memleak-rpl_malloc?raw=true'
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.

Can you check your environment?

@gutiniao
Author

Well, I find the issue still exists in the newest version (1.8.4).
My OS and gcc version:

root@liuz-virtual-machine:/usr/local/libsixel-fuzz3/bin# gcc --version
gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

root@liuz-virtual-machine:/usr/local/libsixel-fuzz3/bin# cat /etc/issue
Ubuntu 18.04.3 LTS \n \l

root@liuz-virtual-machine:/usr/local/libsixel-fuzz3/bin#

configure:
CC="gcc" CXX="g++" CFLAGS="-ggdb -fsanitize=address" CXXFLAGS="-ggdb -fsanitize=address"

run:

runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.

=================================================================
==6016==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 6336 byte(s) in 1 object(s) allocated from:
    #0 0x7f84b5cbdb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55f930907543 in rpl_malloc /home/liuz/libsixel-2019/1.8.4/libsixel-asan/converters/malloc_stub.c:45
    #2 0x7f84b5995a41 in sixel_allocator_malloc /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/allocator.c:155
    #3 0x7f84b5922d9e in image_buffer_resize /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:357
    #4 0x7f84b5924961 in sixel_decode_raw_impl /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:659
    #5 0x7f84b59271b6 in sixel_decode_raw /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/fromsixel.c:994
    #6 0x7f84b5976c23 in load_sixel /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:643
    #7 0x7f84b5977e27 in load_with_builtin /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:812
    #8 0x7f84b5978aac in sixel_helper_load_image_file /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/loader.c:1392
    #9 0x7f84b59883e3 in sixel_encoder_encode /home/liuz/libsixel-2019/1.8.4/libsixel-asan/src/encoder.c:1737
    #10 0x55f93090732e in main /home/liuz/libsixel-2019/1.8.4/libsixel-asan/converters/img2sixel.c:457
    #11 0x7f84b5516b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: 6336 byte(s) leaked in 1 allocation(s)

valgrind:

# valgrind --leak-check=full ./img2sixel 000-memleak-rpl_malloc 
==21593== Memcheck, a memory error detector
==21593== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21593== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==21593== Command: ./img2sixel 000-memleak-rpl_malloc
==21593== 
runtime error: integer overflow
safe_addition_for_params: ingeger overflow detected.
==21593== 
==21593== HEAP SUMMARY:
==21593==     in use at exit: 32 bytes in 1 blocks
==21593==   total heap usage: 11 allocs, 10 frees, 37,801 bytes allocated
==21593== 
==21593== 32 bytes in 1 blocks are definitely lost in loss record 1 of 1
==21593==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21593==    by 0x4E625C4: image_buffer_resize (fromsixel.c:357)
==21593==    by 0x4E65395: sixel_decode_raw_impl (fromsixel.c:659)
==21593==    by 0x4E679D7: sixel_decode_raw (fromsixel.c:994)
==21593==    by 0x4F3B909: load_sixel (loader.c:643)
==21593==    by 0x4F3B909: load_with_builtin (loader.c:812)
==21593==    by 0x4F459AA: sixel_helper_load_image_file (loader.c:1392)
==21593==    by 0x4F5FEBB: sixel_encoder_encode (encoder.c:1737)
==21593==    by 0x109AF5: main (img2sixel.c:457)
==21593== 
==21593== LEAK SUMMARY:
==21593==    definitely lost: 32 bytes in 1 blocks
==21593==    indirectly lost: 0 bytes in 0 blocks
==21593==      possibly lost: 0 bytes in 0 blocks
==21593==    still reachable: 0 bytes in 0 blocks
==21593==         suppressed: 0 bytes in 0 blocks
==21593== 
==21593== For counts of detected and suppressed errors, rerun with: -v
==21593== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

@saitoha
Owner

saitoha commented Dec 20, 2019

b9a4175 also fixes #119 and #117.

@carnil

carnil commented Dec 27, 2019

This issue has been assigned CVE-2019-20023

@saitoha
Owner

saitoha commented Jan 3, 2020

Fixed on v1.8.5. Thanks!

@saitoha saitoha closed this as completed Jan 3, 2020