
LibSixel img2sixel Heap Buffer Overflow in Debug Palette Function #200

@err2zero

Description


Summary

During fuzzing of the libsixel library's img2sixel converter, a critical heap buffer overflow vulnerability was discovered in the sixel_debug_print_palette function. The vulnerability occurs when processing malformed image files, leading to out-of-bounds read access during palette debugging operations. This vulnerability affects the image-to-sixel conversion process and can be triggered by specially crafted input files.

Technical Details

  • Vulnerability Type: Heap Buffer Overflow
  • Affected Component: LibSixel - img2sixel converter
  • Affected Function: sixel_debug_print_palette
  • Source File: encoder.c
  • Line Number: 735
  • Signal: SIGABRT (6)
  • Memory Access: READ of size 1
  • Affected Memory Range: 136-byte heap region; the faulting read lands 0 bytes past its end (i.e. on the first byte beyond the allocation)

Mechanism and Root Cause

This heap buffer overflow vulnerability is caused by insufficient bounds checking in the sixel_debug_print_palette function when printing palette information during the sixel encoding process. The root cause lies in accessing palette data beyond the allocated buffer boundaries.

The vulnerability manifests through the following sequence:

  1. Allocation Phase: A 136-byte region is allocated for palette data via sixel_dither_new() in dither.c:306
  2. Processing Phase: During sixel_encoder_encode_frame(), palette information is prepared and processed
  3. Debug Output Phase: sixel_debug_print_palette() attempts to access palette data at encoder.c:735
  4. Buffer Overflow: The function performs a 1-byte read at the first byte past the end of the allocated 136-byte region
  5. Detection: AddressSanitizer flags this out-of-bounds read as a heap-buffer-overflow and aborts the process (SIGABRT)

The call chain demonstrates the vulnerability path:

main() → sixel_encoder_encode() → sixel_encoder_encode_frame() → sixel_debug_print_palette()
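The defensive pattern for this class of bug, shown here as an added example that is not libsixel's code: the debug printer takes its loop bound from the palette's own allocated entry count rather than from a separately supplied colour count, so a palette shorter than the requested count can never be read past its end. The palette_t type, its functions and the 15-entry sample are hypothetical and do not reflect how sixel_dither_t is laid out.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical palette object (not libsixel's sixel_dither_t): the number
 * of allocated entries travels with the buffer it describes. */
typedef struct {
    size_t entries;      /* RGB triplets actually allocated in rgb[] */
    unsigned char *rgb;  /* entries * 3 bytes: R, G, B per entry */
} palette_t;

palette_t *palette_new(size_t entries)
{
    palette_t *p = calloc(1, sizeof *p);
    if (p == NULL)
        return NULL;
    p->rgb = calloc(entries, 3);
    if (p->rgb == NULL) {
        free(p);
        return NULL;
    }
    p->entries = entries;
    return p;
}

void palette_free(palette_t *p)
{
    if (p != NULL)
        free(p->rgb);
    free(p);
}

/* Print up to `requested` entries in the "N: #rrggbb" layout of the report,
 * never past the allocation. out == NULL counts without printing.
 * Returns the number of entries visited, or -1 for an invalid object. */
int palette_debug_print(FILE *out, const palette_t *p, size_t requested)
{
    if (p == NULL || p->rgb == NULL)
        return -1;
    /* Bound comes from the allocation, not from the caller's colour count. */
    size_t limit = requested < p->entries ? requested : p->entries;
    for (size_t i = 0; i < limit; i++) {
        const unsigned char *c = p->rgb + i * 3;
        if (out != NULL)
            fprintf(out, "%zu: #%02x%02x%02x\n", i, c[0], c[1], c[2]);
    }
    return (int)limit;
}
```

With a constructed 15-entry palette, palette_debug_print(stdout, p, 256) prints entries 0 to 14 and returns 15 instead of walking 241 entries past the buffer.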

AddressSanitizer Report

palette:
0: #000033
1: #33cccc
2: #212133
3: #cc33cc
4: #33cc33
5: #cccccc
6: #cc3387
7: #878742
8: #424254
9: #549999
10: #424254
11: #995499
12: #549954
13: #999999
14: #9954cc
=================================================================
==3699142==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000000c8 at pc 0x5577dceb54e3 bp 0x7fffb39b3d70 sp 0x7fffb39b3d68
READ of size 1 at 0x60d0000000c8 thread T0
    #0 0x5577dceb54e2 in sixel_debug_print_palette /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:735:17
    #1 0x5577dceb54e2 in sixel_encoder_encode_frame /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:1001:13
    #2 0x5577dcef76cd in load_with_builtin /workspace/program/libsixel-6dd664c-Aug2/src/loader.c:963:14
    #3 0x5577dcef76cd in sixel_helper_load_image_file /workspace/program/libsixel-6dd664c-Aug2/src/loader.c:1418:18
    #4 0x5577dceb2638 in sixel_encoder_encode /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:1750:14
    #5 0x5577dceaa7de in main /workspace/program/libsixel-6dd664c-Aug2/converters/img2sixel.c:457:22
    #6 0x7f97371c5d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f97371c5e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x5577dcdd4724 in _start (/workspace/fuzzdir/fz-libsixel/fz-img2sixel/img2sixel+0x55724) (BuildId: 7403ef4a85b632d178024a09cfb9c1858eef4521)

0x60d0000000c8 is located 0 bytes after 136-byte region [0x60d000000040,0x60d0000000c8)
allocated by thread T0 here:
    #0 0x5577dce6e54e in malloc (/workspace/fuzzdir/fz-libsixel/fz-img2sixel/img2sixel+0xef54e) (BuildId: 7403ef4a85b632d178024a09cfb9c1858eef4521)
    #1 0x5577dcec9e6b in sixel_dither_new /workspace/program/libsixel-6dd664c-Aug2/src/dither.c:306:35
    #2 0x5577dceb3f08 in sixel_encoder_prepare_palette /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:531:18
    #3 0x5577dceb3f08 in sixel_encoder_encode_frame /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:988:14
    #4 0x5577dcef76cd in load_with_builtin /workspace/program/libsixel-6dd664c-Aug2/src/loader.c:963:14
    #5 0x5577dcef76cd in sixel_helper_load_image_file /workspace/program/libsixel-6dd664c-Aug2/src/loader.c:1418:18
    #6 0x5577dceb2638 in sixel_encoder_encode /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:1750:14
    #7 0x5577dceaa7de in main /workspace/program/libsixel-6dd664c-Aug2/converters/img2sixel.c:457:22
    #8 0x7f97371c5d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:735:17 in sixel_debug_print_palette

Proof of Concept

The vulnerability can be triggered by processing the malformed image file provided as POC_img2sixel_heap_buffer_overflow. This file contains specific image data structures that cause the heap buffer overflow condition during palette debugging operations.

POC Download: POC_img2sixel_heap_buffer_overflow

Reproduction Steps

  1. Compile libsixel with AddressSanitizer enabled
  2. Execute: img2sixel --7bit-mode -8 --invert --palette-type=auto --verbose POC_img2sixel_heap_buffer_overflow -o /dev/null
  3. The program will crash with a heap-buffer-overflow error in the debug palette function

Affected Versions

LibSixel 1.10.3 (commit 6dd664c), built on Aug 2 2025, and the current master branch.
