
double free or corruption in encoder.c:831 #158

Closed
p870613 opened this issue Nov 7, 2021 · 1 comment

Comments


p870613 commented Nov 7, 2021

Hi, I found a double free or corruption in the current master (6a5be8b).
OS: ubuntu 18.04
kernel: 5.4.0-87-generic

POC: poc.zip


gdb output:
───────────────────────────────────────────────────────────────────────── Registers ──────────────────────────────────────────────────────────────────────────
RAX: 0x0 
RBX: 0x7ffff7c1ab80 (0x00007ffff7c1ab80)
RCX: 0x7ffff7c6218b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffffd570 --> 0x0 
RDI: 0x2 
RBP: 0x7fffffffd8c0 --> 0x7ffff7e07b80 --> 0x0 
RSP: 0x7fffffffd570 --> 0x0 
RIP: 0x7ffff7c6218b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffffffd570 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7fffffffd7e0 --> 0x0 
R13: 0x10 
R14: 0x7ffff7ffb000 --> 0x62756f6400001000 
R15: 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
──────────────────────────────────────────────────────────────────────────── Code ────────────────────────────────────────────────────────────────────────────
   0x7ffff7c6217f <__GI_raise+191>:	mov    edi,0x2
   0x7ffff7c62184 <__GI_raise+196>:	mov    eax,0xe
   0x7ffff7c62189 <__GI_raise+201>:	syscall 
=> 0x7ffff7c6218b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff7c62193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
   0x7ffff7c6219c <__GI_raise+220>:	jne    0x7ffff7c621c4 <__GI_raise+260>
   0x7ffff7c6219e <__GI_raise+222>:	mov    eax,r8d
   0x7ffff7c621a1 <__GI_raise+225>:	add    rsp,0x118
[rsp+0x108] : 0x7fffffffd678 --> 0x56e8b0c29e2fc000 
─────────────────────────────────────────────────────────────────────────── Stack ────────────────────────────────────────────────────────────────────────────
0000| 0x7fffffffd570 --> 0x0 
0008| 0x7fffffffd578 --> 0xffffff01 
0016| 0x7fffffffd580 --> 0x2 
0024| 0x7fffffffd588 --> 0x48b8e0 --> 0x48b860 --> 0x0 
0032| 0x7fffffffd590 --> 0x48b8e4 --> 0x48301000000000 
0040| 0x7fffffffd598 --> 0x1 
0048| 0x7fffffffd5a0 --> 0x100000002 
0056| 0x7fffffffd5a8 --> 0x48b930 --> 0x0 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Legend: code, data, rodata, heap, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7c41859 in __GI_abort () at abort.c:79
#2  0x00007ffff7cac3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7dd6285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7cb447c in malloc_printerr (str=str@entry=0x7ffff7dd8670 "double free or corruption (out)") at malloc.c:5347
#4  0x00007ffff7cb6120 in _int_free (av=0x7ffff7e07b80 <main_arena>, p=0x4b3a70, have_lock=<optimized out>) at malloc.c:4314
#5  0x0000000000407f8a in sixel_encoder_output_without_macro (frame=<optimized out>, dither=0x48b600, output=<optimized out>, encoder=0x4832d0)
    at encoder.c:831
#6  sixel_encoder_encode_frame (encoder=0x4832d0, frame=<optimized out>, output=<optimized out>) at encoder.c:1056
#7  0x000000000041c22b in load_with_builtin (pchunk=<optimized out>, fstatic=<optimized out>, fuse_palette=0x1, reqcolors=<optimized out>, 
    bgcolor=<optimized out>, loop_control=<optimized out>, fn_load=<optimized out>, context=<optimized out>) at loader.c:963
#8  sixel_helper_load_image_file (filename=<optimized out>, fstatic=<optimized out>, fuse_palette=0x1, reqcolors=<optimized out>, bgcolor=<optimized out>, 
    loop_control=<optimized out>, fn_load=<optimized out>, finsecure=<optimized out>, cancel_flag=<optimized out>, context=<optimized out>, 
    allocator=<optimized out>) at loader.c:1418
#9  0x00000000004066e5 in sixel_encoder_encode (encoder=0x4832d0, filename=0x7fffffffe662 "./out/crashes/id:000003,sig:06,src:001126,op:arg1,rep:2")
    at encoder.c:1743
#10 0x0000000000402f73 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe318) at img2sixel.c:457
#11 0x00007ffff7c430b3 in __libc_start_main (main=0x4026a0 <main>, argc=0xb, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#12 0x00000000004025de in _start ()
gdb-peda$ 
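The string in frame #3, "double free or corruption (out)", comes from one specific check in glibc's _int_free(): after the chunk passes the pointer and size sanity tests, glibc computes the address of the next chunk from the freed chunk's own size field and aborts if that address lies at or beyond the end of the arena. The message therefore says that the size field of p=0x4b3a70 (or p itself) was not what glibc expected at the moment of the free; on its own it does not distinguish a second free() from an earlier out-of-bounds write into the chunk header, which is why an ASan build (-fsanitize=address) of img2sixel run on the poc is the quicker way to locate the first bad access. The C program below is an added example, not code from libsixel or from the reporter: it replays those checks on a small constructed arena and shows the different messages a heap overflow and a genuine double free produce on this path. The toy_arena layout, the chunk offsets 0x00/0x20/0x60 and the 'A' payload are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constants as in 64-bit glibc malloc.c. */
#define SIZE_SZ       ((size_t)sizeof(size_t))
#define MALLOC_ALIGN  (2 * SIZE_SZ)          /* 16 */
#define MINSIZE       (4 * SIZE_SZ)          /* 0x20 */
#define PREV_INUSE    ((size_t)1)
#define SIZE_BITS     ((size_t)7)

/* One verdict per message malloc_printerr() prints on this path. */
enum free_verdict { FREE_OK = 0, FREE_INVALID_POINTER, FREE_INVALID_SIZE,
                    FREE_CORRUPTION_TOP, FREE_CORRUPTION_OUT, FREE_CORRUPTION_PREV };

const char *verdict_message(enum free_verdict v)
{
    static const char *const msg[] = { "ok", "free(): invalid pointer",
        "free(): invalid size", "double free or corruption (top)",
        "double free or corruption (out)", "double free or corruption (!prev)" };
    return msg[v];
}

/* Toy arena, constructed for this example (not a real glibc arena): a flat
   buffer of chunk headers, with byte offsets standing in for addresses. */
struct toy_arena {
    uint8_t mem[256];
    size_t  top;                    /* offset of the top chunk header (av->top) */
};

static size_t rd_size(const struct toy_arena *a, size_t chunk)   /* mchunk_size */
{ size_t s; memcpy(&s, a->mem + chunk + SIZE_SZ, SIZE_SZ); return s; }
static void wr_size(struct toy_arena *a, size_t chunk, size_t s)
{ memcpy(a->mem + chunk + SIZE_SZ, &s, SIZE_SZ); }
static size_t chunksize(const struct toy_arena *a, size_t chunk)
{ return rd_size(a, chunk) & ~SIZE_BITS; }

/* Replays, in order, the sanity checks _int_free() runs on the non-tcache,
   non-fastbin path (the path in the backtrace above), returning a verdict
   instead of aborting. */
enum free_verdict check_free(const struct toy_arena *a, size_t chunk)
{
    if (chunk % MALLOC_ALIGN != 0 || chunk + 2 * SIZE_SZ > sizeof a->mem)
        return FREE_INVALID_POINTER;            /* misaligned_chunk() */
    size_t size = chunksize(a, chunk);
    if (chunk > (size_t)0 - size)
        return FREE_INVALID_POINTER;            /* p + size would wrap */
    if (size < MINSIZE || size % MALLOC_ALIGN != 0)
        return FREE_INVALID_SIZE;
    if (chunk == a->top)
        return FREE_CORRUPTION_TOP;
    /* "(out)": the next chunk, computed from THIS chunk's size field, lies at or
       beyond the arena end. A corrupted size or a wild pointer does that. */
    size_t next = chunk + size;
    if (next >= a->top + chunksize(a, a->top))
        return FREE_CORRUPTION_OUT;
    if (!(rd_size(a, next) & PREV_INUSE))       /* next chunk says p is free */
        return FREE_CORRUPTION_PREV;
    return FREE_OK;
}

/* Layout: A at 0x00 (size 0x20), B at 0x20 (size 0x40), top at 0x60. */
void build_arena(struct toy_arena *a)
{
    memset(a, 0, sizeof *a);
    wr_size(a, 0x00, 0x20 | PREV_INUSE);
    wr_size(a, 0x20, 0x40 | PREV_INUSE);
    a->top = 0x60;
    wr_size(a, a->top, (sizeof a->mem - a->top) | PREV_INUSE);
}

/* Well-formed heap: free(B) passes every check. */
enum free_verdict scenario_clean(void)
{ struct toy_arena a; build_arena(&a); return check_free(&a, 0x20); }

/* A's usable region is 0x18 bytes at A + 2*SIZE_SZ.  Writing 0x20 constructed
   'A' bytes there overruns into B's size field, so the later free(B) reports
   "(out)" although B is freed exactly once. */
enum free_verdict scenario_overflow_into_next_size(void)
{
    struct toy_arena a;
    build_arena(&a);
    memset(a.mem + 0x00 + 2 * SIZE_SZ, 'A', 0x20);
    return check_free(&a, 0x20);
}

/* A genuine double free of B: the first free merged B into top (they are
   adjacent), so the second trips "(top)", not "(out)". */
enum free_verdict scenario_real_double_free(void)
{
    struct toy_arena a;
    build_arena(&a);
    check_free(&a, 0x20);                       /* first free: FREE_OK */
    a.top = 0x20;                               /* consolidated into top */
    wr_size(&a, a.top, (sizeof a.mem - a.top) | PREV_INUSE);
    return check_free(&a, 0x20);
}
```

Calling the three scenario functions and passing the result through verdict_message() gives "ok", "double free or corruption (out)" and "double free or corruption (top)" respectively. The model covers only the large-chunk path; a small chunk that a real glibc would first hand to tcache or a fastbin is checked differently there, so treat the verdicts as the meaning of the message text, not as a full emulation of free().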

p870613 changed the title from "double free or corruption in" to "double free or corruption in encoder.c:831" Nov 7, 2021

carnil commented Feb 19, 2022

CVE-2021-46700 appears to have been assigned to this issue.

@p870613 p870613 closed this as completed May 4, 2024