Unverified indices into the array lead to out-of-bounds access in fromgif.c:283 #136
Comments
CVE-2020-19668 was assigned for this issue.
Hi @saitoha Thanks in advance!
LZW Minimum Code Size determines the initial number of bits used for LZW codes in the image data, and 2**12+2 is more than 4096. So the 12-bit limitation does not cover this, and the condition at fromgif.c:328 is wrong.
The type `unsigned short`, which is the type of the LZW code, is much larger than the maximum value of an LZW code, causing a wild pointer. That causes an array overflow. Long term, this library should jettison this unnecessary GIF code and use a better maintained library for it. In the meantime, however, the issue is simple enough to solve, so I've done so. Resolves CVE-2020-19668. Closes saitoha#136. Closes #7.
This issue has been patched in the fork. See libsixel#8, PR. This repository has an absent maintainer. It's unlikely the maintainer will ever return, therefore the fork effort is described in #154. Distributions, users, and all other stakeholders are encouraged to switch to the fork.
run_cmd:
img2sixel -8 array_overflowpoc
the asan log:
analyse:
I used gdb to debug the bug. I found that at fromgif.c:283 the code = 0x7fff is larger than the structure of g, which is defined as 4096, so the crash occurs! The source code is here:
bug position:
gdb log:
version:
compile command:
./configure CC="gcc" CXX="g++" CFLAGS="-g -O0 -fsanitize=address"
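The failure mode described in this thread (an LZW code stored in an `unsigned short` used as an index into a 4096-entry code table, with the initial code width taken straight from the stream's LZW Minimum Code Size byte) and the fix commit's point that the table never holds more than 4096 defined entries, modelled as an added, self-contained C example. This is constructed illustration code, not libsixel's fromgif.c: the function names, the bit reader, the `avail` parameter and the sample byte strings are all assumptions; only the 0x7fff index and the 4096-entry bound come from the thread.

```c
/*
 * Constructed model of the GIF LZW index bug in this issue (not libsixel code).
 * Shows the unchecked pattern next to a bounds-checked one.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LZW_MAX_CODES 4096   /* GIF LZW codes are at most 12 bits wide */

/* Error statuses; lzw_first_index_checked() returns them negated. */
enum lzw_status {
    LZW_BAD_MIN_CODE_SIZE = 1,  /* LZW Minimum Code Size byte outside 2..8 */
    LZW_TRUNCATED = 2,          /* not enough image data for one code */
    LZW_CODE_OUT_OF_RANGE = 3   /* code would index past the defined table */
};

/* LSB-first bit reader over a GIF image data stream (assumed helper). */
struct bitreader {
    const uint8_t *data;
    size_t len, pos;
    uint32_t bits;
    int valid;
};

/* Pull one codesize-bit code. Codes wider than 16 bits are refused so the
 * 32-bit accumulator is never shifted out of range; 16 bits already covers
 * everything an unsigned short can hold. */
static int read_code(struct bitreader *br, int codesize, unsigned short *code)
{
    if (codesize < 1 || codesize > 16)
        return 0;
    while (br->valid < codesize) {
        if (br->pos >= br->len)
            return 0;
        br->bits |= (uint32_t)br->data[br->pos++] << br->valid;
        br->valid += 8;
    }
    *code = (unsigned short)(br->bits & ((1u << codesize) - 1));
    br->bits >>= codesize;
    br->valid -= codesize;
    return 1;
}

/* Vulnerable pattern: trusts the stream's minimum code size, so codesize can
 * reach 16 and 'code' can be any value up to 0xffff. A decoder would then do
 * g->codes[code] on a 4096-entry table. Returns the index that would be used,
 * or -1 if no code could be read. Nothing is dereferenced here. */
static int lzw_first_index_unchecked(uint8_t lzw_min_code_size,
                                     const uint8_t *data, size_t len)
{
    struct bitreader br = { data, len, 0, 0, 0 };
    unsigned short code;
    int codesize = lzw_min_code_size + 1;   /* taken from the stream as-is */

    if (!read_code(&br, codesize, &code))
        return -1;
    return code;                            /* no bound check before indexing */
}

/* Hardened pattern: reject impossible code sizes first (GIF89a allows 2..8,
 * so the width starts at most at 9 bits and can only grow to 12), then check
 * the code against the table size and against 'avail', the number of entries
 * defined so far (clear+2 right after a clear code; code == avail is the
 * legitimate KwKwK case). Returns the index, or a negative enum lzw_status. */
static int lzw_first_index_checked(uint8_t lzw_min_code_size,
                                   const uint8_t *data, size_t len, int avail)
{
    struct bitreader br = { data, len, 0, 0, 0 };
    unsigned short code;
    int codesize;

    if (lzw_min_code_size < 2 || lzw_min_code_size > 8)
        return -LZW_BAD_MIN_CODE_SIZE;
    codesize = lzw_min_code_size + 1;
    if (!read_code(&br, codesize, &code))
        return -LZW_TRUNCATED;
    if (code >= LZW_MAX_CODES || code > avail)
        return -LZW_CODE_OUT_OF_RANGE;
    return code;
}

/* Constructed sample streams (not the reporter's PoC file). */
static const uint8_t poc_stream[]       = { 0xff, 0x7f }; /* 16-bit code 0x7fff */
static const uint8_t clear_stream[]     = { 0x00, 0x01 }; /* 9-bit code 256 = clear for 8-bit pixels */
static const uint8_t undefined_stream[] = { 0xff, 0x01 }; /* 9-bit code 511, not yet defined */

int main(void)
{
    printf("unchecked, min code size 15: index 0x%x into a %d-entry table\n",
           lzw_first_index_unchecked(15, poc_stream, sizeof poc_stream), LZW_MAX_CODES);
    printf("checked, min code size 15: %d\n",
           lzw_first_index_checked(15, poc_stream, sizeof poc_stream, 258));
    printf("checked, clear code: %d\n",
           lzw_first_index_checked(8, clear_stream, sizeof clear_stream, 258));
    printf("checked, undefined code: %d\n",
           lzw_first_index_checked(8, undefined_stream, sizeof undefined_stream, 258));
    return 0;
}
```

The two checks are independent: clamping the minimum code size stops the width from ever exceeding 12 bits, and comparing the code against `avail` catches a stream that references an entry not yet defined even when the width is legal. A real decoder needs both, since a valid 12-bit code can still be out of range for the current table.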