You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is a heap-buffer-overflow error in img2sixel 1.8.6 in error_diffuse, quant.c:876, which is invoked by diffuse_jajuni, quant.c:972 (different from #156). Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file.
Version
$ img2sixel -V
img2sixel 1.8.6
configured with:
libcurl: yes
libpng: yes
libjpeg: yes
gdk-pixbuf2: no
GD: no
Reproduction
$ img2sixel -d jajuni -b vt340mono poc /tmp/foo
=================================================================
==135878==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000010ed at pc 0x55e064953e8e bp 0x7ffda7711e50 sp 0x7ffda7711e40
READ of size 1 at 0x6030000010ed thread T0
#0 0x55e064953e8d in error_diffuse /root/programs_latest/libsixel/src/quant.c:876
#1 0x55e0649541ff in diffuse_jajuni /root/programs_latest/libsixel/src/quant.c:972
#2 0x55e064956a85 in sixel_quant_apply_palette /root/programs_latest/libsixel/src/quant.c:1449
#3 0x55e064904e97 in sixel_dither_apply_palette /root/programs_latest/libsixel/src/dither.c:801
#4 0x55e0648faca9 in sixel_encode_dither /root/programs_latest/libsixel/src/tosixel.c:830
#5 0x55e064902b7f in sixel_encode /root/programs_latest/libsixel/src/tosixel.c:1551
#6 0x55e0648ee0e0 in sixel_encoder_output_without_macro /root/programs_latest/libsixel/src/encoder.c:825
#7 0x55e0648ef381 in sixel_encoder_encode_frame /root/programs_latest/libsixel/src/encoder.c:1056
#8 0x55e0648f3245 in load_image_callback /root/programs_latest/libsixel/src/encoder.c:1679
#9 0x55e064943c67 in load_with_builtin /root/programs_latest/libsixel/src/loader.c:963
#10 0x55e0649441aa in sixel_helper_load_image_file /root/programs_latest/libsixel/src/loader.c:1418
#11 0x55e0648f36a9 in sixel_encoder_encode /root/programs_latest/libsixel/src/encoder.c:1743
#12 0x55e0648e965b in main /root/programs_latest/libsixel/converters/img2sixel.c:457
#13 0x7f8f97ce2082 in __libc_start_main ../csu/libc-start.c:308
#14 0x55e0648e6fad in _start (/root/programs_latest/libsixel/build_asan/bin/img2sixel+0x39fad)
0x6030000010ed is located 3 bytes to the left of 18-byte region [0x6030000010f0,0x603000001102)
allocated by thread T0 here:
#0 0x7f8f9829c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55e0648e986e in rpl_malloc /root/programs_latest/libsixel/converters/malloc_stub.c:45
#2 0x55e0648f4524 in sixel_allocator_malloc /root/programs_latest/libsixel/src/allocator.c:162
#3 0x55e0648ede50 in sixel_encoder_output_without_macro /root/programs_latest/libsixel/src/encoder.c:789
#4 0x55e0648ef381 in sixel_encoder_encode_frame /root/programs_latest/libsixel/src/encoder.c:1056
#5 0x55e0648f3245 in load_image_callback /root/programs_latest/libsixel/src/encoder.c:1679
#6 0x55e064943c67 in load_with_builtin /root/programs_latest/libsixel/src/loader.c:963
#7 0x55e0649441aa in sixel_helper_load_image_file /root/programs_latest/libsixel/src/loader.c:1418
#8 0x55e0648f36a9 in sixel_encoder_encode /root/programs_latest/libsixel/src/encoder.c:1743
#9 0x55e0648e965b in main /root/programs_latest/libsixel/converters/img2sixel.c:457
#10 0x7f8f97ce2082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/programs_latest/libsixel/src/quant.c:876 in error_diffuse
Shadow bytes around the buggy address:
0x0c067fff81c0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff81d0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fff81e0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fff81f0: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
0x0c067fff8200: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
=>0x0c067fff8210: fa fa 00 00 00 00 fa fa 00 00 02 fa fa[fa]00 00
0x0c067fff8220: 02 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==135878==ABORTING
Description
There is a heap-buffer-overflow error in img2sixel 1.8.6 in error_diffuse, quant.c:876, which is invoked by diffuse_jajuni, quant.c:972 (different from #156). Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file.
Version
Reproduction
poc.zip
Platform
The text was updated successfully, but these errors were encountered: