
NULL pointer dereference in stb_image.h #160

@eldstal

Description


Vulnerable versions

  • saitoha/libsixel at the latest (6a5be8b) commit
  • libsixel/libsixel at the latest (bc93c8c) commit

Steps to reproduce

img2sixel stbio_1561_poc.bin

Input file (a malformed PICT-format image) is attached.

Cause

Segmentation fault in stbi__convert_format at stb_image.h:1561:

   switch (STBI__COMBO(img_n, req_comp)) {
     /* ... */
     STBI__CASE(4,3) { dest[0]=src[0],dest[1]=src[1],dest[2]=src[2]; } break;
     /* ... */
   }

The src pointer is NULL, as passed in from stbi__pic_load.

The source of the NULL pointer is the malloc at line 6120:

   result = (stbi_uc *) stbi__malloc_mad4(x, y, 4, 0);

whose output is never checked for NULL. The x and y dimensions (39168, 5888) are read
directly from the input file, and they pass the check in stbi__mad3sizes_valid which
only checks for integer overflow.

The total size of the allocated buffer is 39168 * 5888 * 4 and allocation fails.

Impact

Denial of service is the only obvious impact.

Mitigation

stb_image starting at version 2.27 (50072f66589f52f51eb5b3f56b9272ea8ec1fdac) includes a check for this condition. libsixel should be brought up to date with this version if possible.

If not, backport the check as well as similar error checks for other malloc calls.
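Added illustration of the missing check (constructed example, not stb_image's or libsixel's code): an allocation helper that performs the overflow-only size check the report describes and then also tests the malloc result, so the PoC dimensions produce a clean error instead of a NULL pointer reaching the caller. The allocator hook and the 256 MiB limit are assumptions used to simulate an allocation failure deterministically.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for the constructed loader. */
enum img_status { IMG_OK = 0, IMG_ERR_OVERFLOW = 1, IMG_ERR_OOM = 2 };

/* Reimplementation of the overflow-only arithmetic check the report
   describes: it verifies that a*b*c + add fits in an int, nothing more. */
static int mad3sizes_valid(int a, int b, int c, int add) {
    if (a < 0 || b < 0 || c < 0 || add < 0) return 0;
    if (a != 0 && b > INT_MAX / a) return 0;
    if (c != 0 && a * b > INT_MAX / c) return 0;
    return a * b * c <= INT_MAX - add;
}

/* Allocator hook (assumption) so a test can simulate an exhausted heap. */
typedef void *(*alloc_fn)(size_t);

/* Hardened allocation: overflow check AND NULL check, so hostile header
   dimensions yield an error code rather than a NULL dereference later. */
static enum img_status alloc_pixels(int x, int y, int comp, alloc_fn alloc,
                                    unsigned char **out) {
    *out = NULL;
    if (!mad3sizes_valid(x, y, comp, 0)) return IMG_ERR_OVERFLOW;
    size_t bytes = (size_t)x * (size_t)y * (size_t)comp;
    unsigned char *p = alloc(bytes);
    if (p == NULL) return IMG_ERR_OOM;   /* the check missing in the report */
    memset(p, 0, bytes);
    *out = p;
    return IMG_OK;
}

/* Constructed allocator: refuses requests above 256 MiB to mimic a
   memory-constrained host without actually exhausting the heap. */
#define ALLOC_LIMIT ((size_t)256 * 1024 * 1024)
static void *limited_malloc(size_t n) {
    return n > ALLOC_LIMIT ? NULL : malloc(n);
}

int main(void) {
    unsigned char *px = NULL;
    /* PoC dimensions from the report: 39168 x 5888 x 4 passes the overflow
       check (922,484,736 bytes < INT_MAX) but the allocation fails. */
    enum img_status s = alloc_pixels(39168, 5888, 4, limited_malloc, &px);
    return s == IMG_ERR_OOM ? 0 : 1;
}
```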
