Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

An integer overflow in function sixel_encode_body at tosixel.c:562-38 #104

Closed
YourButterfly opened this issue Dec 2, 2019 · 2 comments
Closed

An integer overflow in function sixel_encode_body at tosixel.c:562-38 #104

YourButterfly opened this issue Dec 2, 2019 · 2 comments

Comments

@YourButterfly
Copy link

libsixel

version

libsixel 1.8.2

description

None

download link

None

others

please send email to  teamseri0us360@gmail.com if you have any questions.

sixel_encode_body@tosixel.c:562-38___SEGV_UNKNOW

description

An issue was discovered in libsixel 1.8.2, There is an integer overflow in function sixel_encode_body at tosixel.c:562-38

commandline

img2sixel @@ -o /dev/null

source

 558         }
 559         for (x = 0; x < width; x++) {
 560             pix = pixels[y * width + x];  /* color index */
 561             if (pix >= 0 && pix < ncolors && pix != keycolor) {
> 562                 map[pix * width + x] |= (1 << i);
 563             }
 564             else if (!palstate) {
 565                 fillable = 0;
 566             }
 567         }

bug report

ASAN:DEADLYSIGNAL
=================================================================
==23526==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1651943dc8 (pc 0x7f17a65b9d04 bp 0x7ffecb75fbd0 sp 0x7ffecb75fa00 T0)
    #0 0x7f17a65b9d03 in sixel_encode_body /src/libsixel/src/tosixel.c:562:38
    #1 0x7f17a65b30ce in sixel_encode_dither /src/libsixel/src/tosixel.c:802:14
    #2 0x7f17a65b30ce in sixel_encode /src/libsixel/src/tosixel.c:1488
    #3 0x7f17a66b31ee in sixel_encoder_output_without_macro /src/libsixel/src/encoder.c:820:14
    #4 0x7f17a66b31ee in sixel_encoder_encode_frame /src/libsixel/src/encoder.c:1050
    #5 0x7f17a6608883 in load_with_builtin /src/libsixel/src/loader.c:913:14
    #6 0x7f17a6608883 in sixel_helper_load_image_file /src/libsixel/src/loader.c:1352
    #7 0x7f17a66b05bc in sixel_encoder_encode /src/libsixel/src/encoder.c:1737:14
    #8 0x4ebd82 in main /src/libsixel/converters/img2sixel.c:457:22
    #9 0x7f17a51ed82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x418d38 in _start (/src/aflbuild/installed/bin/img2sixel+0x418d38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libsixel/src/tosixel.c:562:38 in sixel_encode_body
==23526==ABORTING

others

from fuzz project pwd-libsixel-img2sixel-03
crash name pwd-libsixel-img2sixel-03-00000076-20191201.pnm
Auto-generated by pyspider at 2019-12-01 23:22:18

please send email to  teamseri0us360@gmail.com if you have any questions.
@YourButterfly YourButterfly mentioned this issue Dec 2, 2019
Merged
@carnil
Copy link

carnil commented Dec 8, 2019

CVE-2019-19636 was assigned for this issue.

saitoha added a commit that referenced this issue Dec 14, 2019
@saitoha
Merge PR #106, includes security fixes for:
93812d6 
- CVE-2018-19759 (#102)
- CVE-2019-19635 (#103)
- CVE-2019-19636 (#104)
- CVE-2019-19637 (#105)
Thanks to @YourButterfly!
@saitoha
Copy link
Owner

saitoha commented Dec 17, 2019

Merged your PR on v1.8.3. Thanks!

@saitoha saitoha closed this as completed Dec 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@carnil @saitoha @YourButterfly