
Heap-buffer-overflow in scale.c:214 #179

Open
chameleon10712 opened this issue Jan 4, 2024 · 0 comments


Description

Heap-buffer-overflow in scale.c:214 scale_without_resampling() (SEGV)

Case 1

Normal build

$ /home/oceane/libsixel_norm/libsixel/build/bin/img2sixel -r nearest  -h 3 ./poc_min
Segmentation fault

with ASan

$  /home/oceane/libsixel_asan/build_asan/bin/img2sixel -r nearest  -h 3 ./poc_min
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2489639==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc5ba7376cb (pc 0x7fc5bebe78da bp 0x000000000000 sp 0x7ffe4e0c2430 T0)
==2489639==The signal is caused by a READ memory access.
    #0 0x7fc5bebe78d9 in scale_without_resampling /home/oceane/libsixel_asan/src/scale.c:214
    #1 0x7fc5bebe78d9 in sixel_helper_scale_image /home/oceane/libsixel_asan/src/scale.c:348
    #2 0x7fc5bebe1db9 in sixel_frame_resize /home/oceane/libsixel_asan/src/frame.c:570
    #3 0x7fc5bec9e18d in sixel_encoder_do_resize /home/oceane/libsixel_asan/src/encoder.c:641
    #4 0x7fc5bec9fd94 in sixel_encoder_encode_frame /home/oceane/libsixel_asan/src/encoder.c:968
    #5 0x7fc5bec86f6a in load_with_builtin /home/oceane/libsixel_asan/src/loader.c:963
    #6 0x7fc5bec90e67 in sixel_helper_load_image_file /home/oceane/libsixel_asan/src/loader.c:1418
    #7 0x7fc5becadde1 in sixel_encoder_encode /home/oceane/libsixel_asan/src/encoder.c:1743
    #8 0x558352bf5dcb in main /home/oceane/libsixel_asan/converters/img2sixel.c:457
    #9 0x7fc5be795082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x558352bf67dd in _start (/home/oceane/libsixel_asan/build_asan/bin/img2sixel+0x67dd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/oceane/libsixel_asan/src/scale.c:214 in scale_without_resampling
==2489639==ABORTING

Case 2

Normal build

$ /home/oceane/libsixel_norm/libsixel/build/bin/img2sixel -w 40% -h 300% -r nearest poc_min2
Segmentation fault

with ASan

$ /home/oceane/libsixel_asan/build_asan/bin/img2sixel -w 40% -h 300% -r nearest poc_min2
=================================================================
==2012689==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0b6a674610 at pc 0x7f0b702d6e05 bp 0x7ffdf2689970 sp 0x7ffdf2689960
READ of size 1 at 0x7f0b6a674610 thread T0
    #0 0x7f0b702d6e04 in scale_without_resampling /home/oceane/libsixel_asan/src/scale.c:214
    #1 0x7f0b702d6e04 in sixel_helper_scale_image /home/oceane/libsixel_asan/src/scale.c:348
    #2 0x7f0b702c5db9 in sixel_frame_resize /home/oceane/libsixel_asan/src/frame.c:570
    #3 0x7f0b7038218d in sixel_encoder_do_resize /home/oceane/libsixel_asan/src/encoder.c:641
    #4 0x7f0b70383d94 in sixel_encoder_encode_frame /home/oceane/libsixel_asan/src/encoder.c:968
    #5 0x7f0b7036af6a in load_with_builtin /home/oceane/libsixel_asan/src/loader.c:963
    #6 0x7f0b70374e67 in sixel_helper_load_image_file /home/oceane/libsixel_asan/src/loader.c:1418
    #7 0x7f0b70391de1 in sixel_encoder_encode /home/oceane/libsixel_asan/src/encoder.c:1743
    #8 0x55df72adadcb in main /home/oceane/libsixel_asan/converters/img2sixel.c:457
    #9 0x7f0b6fe79082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55df72adb7dd in _start (/home/oceane/libsixel_asan/build_asan/bin/img2sixel+0x67dd)

0x7f0b6a674610 is located 0 bytes to the right of 10952208-byte region [0x7f0b69c02800,0x7f0b6a674610)
allocated by thread T0 here:
    #0 0x7f0b70505808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f0b702c5bdc in sixel_frame_resize /home/oceane/libsixel_asan/src/frame.c:562

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/oceane/libsixel_asan/src/scale.c:214 in scale_without_resampling
Shadow bytes around the buggy address:
  0x0fe1ed4c6870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1ed4c6880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1ed4c6890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1ed4c68a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1ed4c68b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe1ed4c68c0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe1ed4c68d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe1ed4c68e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe1ed4c68f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe1ed4c6900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe1ed4c6910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2012689==ABORTING

pocs.zip

Environment

git commit 6a5be8b
Ubuntu 20.04.6 LTS
13th Gen Intel(R) Core(TM) i9-13900
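The two traces above both end in a one-byte READ past a buffer that the scaler, not the caller, indexes. As an added illustration (this is hypothetical code written for this page, not libsixel's scale_without_resampling() and not a claim about what scale.c:214 actually computes), here is a nearest-neighbour scaler with the checks a reviewer looks for when a trace like this appears: overflow-checked buffer sizes, explicit buffer lengths passed alongside the dimensions, and source indices clamped to the last pixel. The names scale_nearest_checked, nearest_index and checked_image_size are assumptions; the demo input is constructed and mirrors the Case 2 ratios (width 40%, height 300%) on a 5x1 row.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked nearest-neighbour scaler: an added illustration,
 * not libsixel's code. */

/* w*h*depth as size_t with overflow detection; returns 1 on success, 0 if the
 * dimensions are non-positive or the product would overflow. */
static int checked_image_size(int w, int h, int depth, size_t *out)
{
    size_t n;
    if (w <= 0 || h <= 0 || depth <= 0)
        return 0;
    n = (size_t)w;
    if (n > SIZE_MAX / (size_t)h)
        return 0;
    n *= (size_t)h;
    if (n > SIZE_MAX / (size_t)depth)
        return 0;
    n *= (size_t)depth;
    *out = n;
    return 1;
}

/* Map destination coordinate d onto a source axis of length srcn. The 64-bit
 * intermediate keeps d*srcn from overflowing int; the clamp guarantees the
 * result never indexes past the last source pixel. */
static int nearest_index(int d, int dstn, int srcn)
{
    int64_t s = (int64_t)d * (int64_t)srcn / (int64_t)dstn;
    if (s < 0)
        s = 0;
    if (s > (int64_t)srcn - 1)
        s = (int64_t)srcn - 1;
    return (int)s;
}

/* Scale src (srcw x srch, depth bytes per pixel) into dst (dstw x dsth).
 * Both buffers carry their real lengths so the function refuses to run rather
 * than read or write past either one. Returns 0 on success, -1 on invalid
 * dimensions or undersized buffers. */
int scale_nearest_checked(unsigned char *dst, size_t dstlen,
                          const unsigned char *src, size_t srclen,
                          int srcw, int srch, int dstw, int dsth, int depth)
{
    size_t need_src, need_dst;
    int w, h;

    if (!checked_image_size(srcw, srch, depth, &need_src))
        return -1;
    if (!checked_image_size(dstw, dsth, depth, &need_dst))
        return -1;
    if (srclen < need_src || dstlen < need_dst)
        return -1;

    for (h = 0; h < dsth; h++) {
        int y = nearest_index(h, dsth, srch);
        for (w = 0; w < dstw; w++) {
            int x = nearest_index(w, dstw, srcw);
            size_t spos = ((size_t)y * (size_t)srcw + (size_t)x) * (size_t)depth;
            size_t dpos = ((size_t)h * (size_t)dstw + (size_t)w) * (size_t)depth;
            memcpy(dst + dpos, src + spos, (size_t)depth);
        }
    }
    return 0;
}

/* Constructed sample with the Case 2 ratios (-w 40% -h 300%): a 5x1 row of
 * one-byte pixels scaled to 2x3. Fills out[6]; returns the scaler's rc. */
int demo_case2_ratios(unsigned char out[6])
{
    static const unsigned char src[5] = { 10, 20, 30, 40, 50 }; /* constructed */
    return scale_nearest_checked(out, 6, src, sizeof src, 5, 1, 2, 3, 1);
}

/* Single output pixel of the demo, or -1 on error (handy for checks). */
int demo_case2_pixel(int i)
{
    unsigned char out[6];
    if (i < 0 || i >= 6 || demo_case2_ratios(out) != 0)
        return -1;
    return out[i];
}

/* Same input, but the destination buffer is too small for 2x3 pixels:
 * the scaler must refuse instead of overflowing it. */
int demo_undersized_dst(void)
{
    static const unsigned char src[5] = { 10, 20, 30, 40, 50 }; /* constructed */
    unsigned char small[4];
    return scale_nearest_checked(small, sizeof small, src, sizeof src, 5, 1, 2, 3, 1);
}

int main(void)
{
    unsigned char out[6];
    int rc = demo_case2_ratios(out);
    printf("rc=%d out=%u %u %u %u %u %u\n", rc,
           out[0], out[1], out[2], out[3], out[4], out[5]);
    printf("undersized dst rc=%d\n", demo_undersized_dst());
    return 0;
}
```

The point of passing srclen and dstlen separately from the width/height/depth triple is that the allocation site (here frame.c:562 in the trace) and the indexing site (scale.c:214) agree on the buffer size through data rather than through an assumption; when they disagree, the call fails cleanly and a fuzzer reports a rejected input rather than a SEGV.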
