[CVE-2018-19756] heap-based buffer over-read at stb_image.h (function: stbi__tga_load)

[nluedtke]

Re-posting this here to make sure you are aware.

https://nvd.nist.gov/vuln/detail/CVE-2018-19756
https://bugzilla.redhat.com/show_bug.cgi?id=1649198

[knok]

I can't reproduce it on the following environmnet:
Debian 9
libsixel git master HEAD

% ./converters/img2sixel ../POC0 > /dev/null
making histogram...
1 colors found
Image already has few enough colors (<=256).  Keeping same colors.
tupletable size: 1
% echo $?
0

[knok]

Sorry, I can reploduced with -fsanitizer=address.

[saitoha]

@nluedtke @knok Fix for this problem #93 is merged into v1.8.3. Thanks to your great efforts.