libsixel/img2sixel attempting free on address which was not malloc()
Description
A bug was discovered in libsixel v1.8.6: `load_png` attempts to free an address that was not allocated by malloc(), at libsixel/src/loader.c:633:5. It allows attackers to cause a denial of service (DoS) via converting a crafted PNG file into Sixel format.
```
root@38ad1e4b9d16:/afltest/libsixel# ./converters/img2sixel -w 128 -8 -I pocLibsixel -o test1.sixel
=================================================================
==3908320==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x607000000028 in thread T0
    #0 0x495b5d in free (/afltest/libsixel/converters/img2sixel+0x495b5d)
    #1 0x544c86 in load_png /afltest/libsixel/src/loader.c:633:5
    #2 0x4fc4b9 in load_with_builtin /afltest/libsixel/src/loader.c:889:18
    #3 0x4fc4b9 in sixel_helper_load_image_file /afltest/libsixel/src/loader.c:1418:18
    #4 0x4cc586 in sixel_encoder_encode /afltest/libsixel/src/encoder.c:1743:14
    #5 0x4c6e13 in main /afltest/libsixel/converters/img2sixel.c:457:22
    #6 0x7ffff7b61082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41d69d in _start (/afltest/libsixel/converters/img2sixel+0x41d69d)

0x607000000028 is located 8 bytes inside of 72-byte region [0x607000000020,0x607000000068)
allocated by thread T0 here:
    #0 0x495ddd in malloc (/afltest/libsixel/converters/img2sixel+0x495ddd)
    #1 0x4e18a9 in sixel_frame_new /afltest/libsixel/src/frame.c:61:33
    #2 0x4fc41a in load_with_builtin /afltest/libsixel/src/loader.c:885:18
    #3 0x4fc41a in sixel_helper_load_image_file /afltest/libsixel/src/loader.c:1418:18
    #4 0x4cc586 in sixel_encoder_encode /afltest/libsixel/src/encoder.c:1743:14
    #5 0x4c6e13 in main /afltest/libsixel/converters/img2sixel.c:457:22
    #6 0x7ffff7b61082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: bad-free (/afltest/libsixel/converters/img2sixel+0x495b5d) in free
==3908320==ABORTING
```
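The report above carries the two facts a triager needs: the in-project frame that performed the bad free (`load_png`, loader.c:633) and the frame that allocated the region it points into (`sixel_frame_new`, frame.c:61), 8 bytes inside a live 72-byte object. As an added example (not part of this issue or of libsixel), this Python snippet parses a constructed excerpt of that report into those triage facts for deduplicating fuzzer crashes; the source prefix `/afltest/libsixel/src/` is taken from the paths in the report.

```python
import re

# Constructed excerpt of the AddressSanitizer report from this issue, with the
# stack frames put back on separate lines (the report above runs them together).
ASAN_REPORT = """\
==3908320==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x607000000028 in thread T0
    #0 0x495b5d in free (/afltest/libsixel/converters/img2sixel+0x495b5d)
    #1 0x544c86 in load_png /afltest/libsixel/src/loader.c:633:5
    #2 0x4fc4b9 in load_with_builtin /afltest/libsixel/src/loader.c:889:18
    #5 0x4c6e13 in main /afltest/libsixel/converters/img2sixel.c:457:22
0x607000000028 is located 8 bytes inside of 72-byte region [0x607000000020,0x607000000068)
allocated by thread T0 here:
    #0 0x495ddd in malloc (/afltest/libsixel/converters/img2sixel+0x495ddd)
    #1 0x4e18a9 in sixel_frame_new /afltest/libsixel/src/frame.c:61:33
    #2 0x4fc41a in load_with_builtin /afltest/libsixel/src/loader.c:885:18
SUMMARY: AddressSanitizer: bad-free (/afltest/libsixel/converters/img2sixel+0x495b5d) in free
"""

FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: .+?: 0x([0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
SUMMARY_RE = re.compile(r"SUMMARY: AddressSanitizer: (\S+)")

def parse_frames(lines):
    """Return (function, location) pairs for every stack frame in `lines`."""
    return [m.groups() for m in map(FRAME_RE.search, lines) if m]

def first_project_frame(frames, src_prefix="/afltest/libsixel/src/"):
    """First frame inside the project's own sources; skips the allocator
    wrappers (free/malloc) and frames attributed only to the binary."""
    return next((f for f in frames if f[1].startswith(src_prefix)), None)

def triage(report):
    """Extract what a fuzzing triager keys on: error kind, the project frame
    that performed the bad free, the frame that allocated the region, and the
    freed pointer's offset inside that region (non-zero = interior pointer)."""
    lines = report.splitlines()
    # Frames before "allocated by" belong to the free stack, the rest to the allocation.
    split = next(i for i, l in enumerate(lines) if l.startswith("allocated by"))
    offset, size = map(int, REGION_RE.search(report).groups())
    return {
        "kind": SUMMARY_RE.search(report).group(1),
        "address": ERROR_RE.search(report).group(1),
        "free_site": first_project_frame(parse_frames(lines[:split])),
        "alloc_site": first_project_frame(parse_frames(lines[split:])),
        "offset": offset,
        "region_size": size,
        "interior_pointer": offset > 0,
    }
```

A non-zero offset into a region that is still allocated distinguishes this bad-free (interior pointer into a live `sixel_frame`) from a plain double free, which is the signal to look at which member `load_png` hands to free() on its error path.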
Environment
ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
PoC
pocLibsixel: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/pocLibsixel
Version
libsixel/img2sixel 1.8.6
Reference
https://github.com/saitoha/libsixel
Reproduction
Location
in load_png: libsixel/src/loader.c:633:5
Credit
Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))
Song Jiaxuan