Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ASan global-buffer-overflow src/stb_image.h:1913 in stbi__extend_receive #72

Open
fgeek opened this Issue Jul 23, 2018 · 1 comment

Comments

Projects
None yet
2 participants
@fgeek
Copy link

fgeek commented Jul 23, 2018

libsixel-global-buffer-overflow-stb_image.h-1913-stbi__extend_receive-002.png.zip (SHA1: 88464b3bce4bcb8d3be434470dd6500d756d93dd)
Tested commit: 2df6437
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Notes: Looks similar to #70

./bin/img2sixel -o test libsixel-global-buffer-overflow-stb_image.h-1913-stbi__extend_receive-002.png
================================================================
==17472==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe3abc83d60 at pc 0x7fe3abbeb7eb bp 0x7fffc1b991f0 sp 0x7fffc1b991e8
READ of size 4 at 0x7fe3abc83d60 thread T0
    #0 0x7fe3abbeb7ea in stbi__extend_receive /home/hsalo/src/libsixel/src/stb_image.h:1913
    #1 0x7fe3abbeb7ea in stbi__jpeg_decode_block_prog_dc /home/hsalo/src/libsixel/src/stb_image.h:2020
    #2 0x7fe3abbeb7ea in stbi__parse_entropy_coded_data /home/hsalo/src/libsixel/src/stb_image.h:2793
    #3 0x7fe3abc1ccfb in stbi__decode_jpeg_image /home/hsalo/src/libsixel/src/stb_image.h:3132
    #4 0x7fe3abc1ccfb in load_jpeg_image /home/hsalo/src/libsixel/src/stb_image.h:3584
    #5 0x7fe3abc1ccfb in stbi__jpeg_load /home/hsalo/src/libsixel/src/stb_image.h:3741
    #6 0x7fe3abc1ccfb in stbi__load_main /home/hsalo/src/libsixel/src/stb_image.h:980
    #7 0x7fe3abc34c84 in stbi__load_and_postprocess_8bit /home/hsalo/src/libsixel/src/stb_image.h:1090
    #8 0x7fe3abc38fbd in load_with_builtin /home/hsalo/src/libsixel/src/loader.c:882
    #9 0x7fe3abc46180 in sixel_helper_load_image_file /home/hsalo/src/libsixel/src/loader.c:1352
    #10 0x7fe3abc66433 in sixel_encoder_encode /home/hsalo/src/libsixel/src/encoder.c:1737
    #11 0x55b60d16eb2f in main /home/hsalo/src/libsixel/converters/img2sixel.c:457
    #12 0x7fe3aadf02e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #13 0x55b60d16ede9 in _start (/home/hsalo/builds/libsixel/2df64373e58c4f48fbb72032a66473e71fc2a6ce/bin/img2sixel+0x2de9)

0x7fe3abc83d60 is located 32 bytes to the left of global variable 'stbi__bmask' defined in 'stb_image.h:1844:27' (0x7fe3abc83d80) of size 68
0x7fe3abc83d60 is located 0 bytes to the right of global variable 'stbi__jbias' defined in 'stb_image.h:1897:18' (0x7fe3abc83d20) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hsalo/src/libsixel/src/stb_image.h:1913 in stbi__extend_receive
Shadow bytes around the buggy address:
  0x0ffcf5788750: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ffcf5788760: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0ffcf5788770: 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9
  0x0ffcf5788780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
  0x0ffcf5788790: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 07 f9 f9
=>0x0ffcf57887a0: f9 f9 f9 f9 00 00 00 00 00 00 00 00[f9]f9 f9 f9
  0x0ffcf57887b0: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
  0x0ffcf57887c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcf57887d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcf57887e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcf57887f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17472==ABORTING

@saitoha saitoha self-assigned this Jul 26, 2018

saitoha added a commit that referenced this issue Aug 2, 2018

@saitoha saitoha added the bug label Aug 2, 2018

@fgeek

This comment has been minimized.

Copy link
Author

fgeek commented Jan 3, 2019

@saitoha Fix confirmed. Sorry it took some time from me. This got lost in the void. Can you merge that branch to master and close this issue report, thank you?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.