heap-buffer-overflow in gif_out_code at fromgif.c:278
SuhwanSong opened this issue · comments
version : img2sixel 1.8.4
OS : Ubuntu 18.04
configured with:
libcurl: yes
libpng: yes
libjpeg: yes
gdk-pixbuf2: no
GD: no
There is a heap-buffer-overflow in gif_out_code at fromgif.c:278
please run following cmd to reproduce it.
img2sixel --high-color $PoC
poc
ASAN LOG
==10277==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x7f7bdcc18b94 bp 0x7ffef64b2e60 sp 0x7ffef64b2e58
WRITE of size 1 at 0x619000000480 thread T0
#0 0x7f7bdcc18b93 in gif_out_code /home/tmp/libsixel/src/fromgif.c:278:48
#1 0x7f7bdcc075b5 in gif_process_raster /home/tmp/libsixel/src/fromgif.c:389:17
#2 0x7f7bdcc075b5 in gif_load_next /home/tmp/libsixel/src/fromgif.c:497
#3 0x7f7bdcc075b5 in load_gif /home/tmp/libsixel/src/fromgif.c:634
#4 0x7f7bdc9e96fb in load_with_builtin /home/tmp/libsixel/src/loader.c:888:18
#5 0x7f7bdc9e96fb in sixel_helper_load_image_file /home/tmp/libsixel/src/loader.c:1392
#6 0x7f7bdcc2d99f in sixel_encoder_encode /home/tmp/libsixel/src/encoder.c:1737:14
#7 0x51787f in main /home/tmp/libsixel/converters/img2sixel.c:457:22
#8 0x7f7bdaf93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#9 0x41a379 in _start (/home/tmp/img2sixel+0x41a379)
0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
#0 0x4da230 in __interceptor_malloc (/home/tmp/img2sixel+0x4da230)
#1 0x7f7bdcc00dd2 in load_gif /home/tmp/libsixel/src/fromgif.c:611:30
#2 0x7f7bdc9e96fb in load_with_builtin /home/tmp/libsixel/src/loader.c:888:18
#3 0x7f7bdc9e96fb in sixel_helper_load_image_file /home/tmp/libsixel/src/loader.c:1392
#4 0x7f7bdcc2d99f in sixel_encoder_encode /home/tmp/libsixel/src/encoder.c:1737:14
#5 0x51787f in main /home/tmp/libsixel/converters/img2sixel.c:457:22
#6 0x7f7bdaf93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tmp/libsixel/src/fromgif.c:278:48 in gif_out_code
Shadow bytes around the buggy address:
0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10277==ABORTING
CVE-2019-20140 has been assigned for this issue.
Verified in 686d234
Minimized sample: 
SHA1: 85389ae464df327f18f0bd00fe977aac6ff56025
Fixed on v1.8.5. Thanks!