A heap-buffer-overflow in function sixel_decode_raw_impl at fromsixel.c:608-4, due to integer overflow #103
Comments
Merged
|
CVE-2019-19635 was assigned for this issue. |
saitoha
added a commit
that referenced
this issue
Dec 14, 2019
- CVE-2018-19759 (#102) - CVE-2019-19635 (#103) - CVE-2019-19636 (#104) - CVE-2019-19637 (#105) Thanks to @YourButterfly!
|
Merged your PR on v1.8.3. Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
libsixel
version
description
download link
others
sixel_decode_raw_impl@fromsixel.c:608-41___heap-buffer-overflow
description
commandline
source
bug report
================================================================= ==11466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009200 at pc 0x0000004a2fb5 bp 0x7ffc5f4c8500 sp 0x7ffc5f4c7cb0 WRITE of size 2147483647 at 0x629000009200 thread T0 #0 0x4a2fb4 in __asan_memset (/src/aflbuild/installed/bin/img2sixel+0x4a2fb4) #1 0x7fc638b15334 in sixel_decode_raw_impl /src/libsixel/src/fromsixel.c:608:41 #2 0x7fc638b18964 in sixel_decode_raw /src/libsixel/src/fromsixel.c:881:14 #3 0x7fc638b7291e in load_sixel /src/libsixel/src/loader.c:613:14 #4 0x7fc638b7291e in load_with_builtin /src/libsixel/src/loader.c:782 #5 0x7fc638b7291e in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352 #6 0x7fc638c1c5bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14 #7 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22 #8 0x7fc63775982f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291 #9 0x418d38 in _start (/src/aflbuild/installed/bin/img2sixel+0x418d38) 0x629000009200 is located 0 bytes to the right of 16384-byte region [0x629000005200,0x629000009200) allocated by thread T0 here: #0 0x4b8e68 in malloc (/src/aflbuild/installed/bin/img2sixel+0x4b8e68) #1 0x7fc638b1805b in image_buffer_resize /src/libsixel/src/fromsixel.c:292:35 SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/aflbuild/installed/bin/img2sixel+0x4a2fb4) in __asan_memset Shadow bytes around the buggy address: 0x0c527fff91f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c527fff9200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c527fff9210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c527fff9220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c527fff9230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c527fff9240:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff9250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff9260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff9270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==11466==ABORTINGothers
The text was updated successfully, but these errors were encountered: