A heap-buffer-overflow found in function load_pnm at frompnm.c:289-50, due to integer overflow #102

@YourButterfly

Description

libsixel

version

libsixel 1.8.2

description

None

download link

None

others

please send email to [email protected] if you have any questions.

load_pnm@frompnm.c:289-50___heap-buffer-overflow

description

An issue was discovered in libsixel 1.8.2. There is a heap-buffer-overflow in function load_pnm at frompnm.c:289-50.

commandline

img2sixel @@ -o /dev/null

source

 285                 goto unknown;
 286             }
 287 
 288             *(*result + (y * width + x) * 3 + 0) = component[0];
> 289             *(*result + (y * width + x) * 3 + 1) =  \*bug=>*\ component[1];
 290             *(*result + (y * width + x) * 3 + 2) = component[2];
 291         }
 292     }
 293 
 294     *psx = width;

bug report

=================================================================
==14542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f21c at pc 0x7f8b8b6e9f1c bp 0x7ffc5d2e6fb0 sp 0x7ffc5d2e6fa8
WRITE of size 1 at 0x61d00001f21c thread T0
    #0 0x7f8b8b6e9f1b in load_pnm /src/libsixel/src/frompnm.c:289:50
    #1 0x7f8b8b64e415 in load_with_builtin /src/libsixel/src/loader.c:801:18
    #2 0x7f8b8b64e415 in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352
    #3 0x7f8b8b6f95bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14
    #4 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22
    #5 0x7f8b8a23682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x418d38 in _start (/src/aflbuild/installed/bin/img2sixel+0x418d38)

0x61d00001f21c is located 0 bytes to the right of 1948-byte region [0x61d00001ea80,0x61d00001f21c)
allocated by thread T0 here:
    #0 0x4b8e68 in malloc (/src/aflbuild/installed/bin/img2sixel+0x4b8e68)
    #1 0x7f8b8b6e87b7 in load_pnm /src/libsixel/src/frompnm.c:211:32
    #2 0x7f8b8b64e415 in load_with_builtin /src/libsixel/src/loader.c:801:18
    #3 0x7f8b8b64e415 in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352
    #4 0x7f8b8b6f95bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14
    #5 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22
    #6 0x7f8b8a23682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libsixel/src/frompnm.c:289:50 in load_pnm
==14542==ABORTING

others

from fuzz project pwd-libsixel-img2sixel-03
crash name pwd-libsixel-img2sixel-03-00000050-20191121.pnm
Auto-generated by pyspider at 2019-11-21 05:33:37
