Bug 1649198

Summary: There is a heap-buffer-overflow at stb_image.h:5580 (function: stbi__tga_load) in libsixel latest version that will cause serious impact.
Product: [Other] Security Response
Reporter: shuitao gan <ganshuitao>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: urgent
Priority: unspecified
Version: unspecified
Hardware: All
OS: All
Last Closed: 2018-11-13 14:45:18 UTC
Type: Bug
Attachments: ./img2sixel POC0 (flags: none)

Description shuitao gan 2018-11-13 06:14:05 UTC
Created attachment 1505139: ./img2sixel POC0

Version: libsixel latest version (v1.8.2)

Summary: 

There is a heap-buffer-overflow at stb_image.h:5580 (function: stbi__tga_load) in libsixel latest version that will cause serious impact.

Description:

The ASan debug is as follows:

$ ./img2sixel POC0
=================================================================
==591==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a7d1 at pc 0x7f74dd362189 bp 0x7ffc2a510f90 sp 0x7ffc2a510f80
READ of size 1 at 0x60200000a7d1 thread T0
    #0 0x7f74dd362188 in stbi__tga_load /home/company/real_sanitize/libsixel-master/src/stb_image.h:5580
    #1 0x7f74dd362188 in stbi__load_main /home/company/real_sanitize/libsixel-master/src/stb_image.h:1011
    #2 0x7f74dd368115 in stbi__load_and_postprocess_8bit /home/company/real_sanitize/libsixel-master/src/stb_image.h:1090
    #3 0x7f74dd36974f in load_with_builtin /home/company/real_sanitize/libsixel-master/src/loader.c:882
    #4 0x7f74dd36d3d9 in sixel_helper_load_image_file /home/company/real_sanitize/libsixel-master/src/loader.c:1352
    #5 0x7f74dd378283 in sixel_encoder_encode /home/company/real_sanitize/libsixel-master/src/encoder.c:1737
    #6 0x4017f8 in main /home/company/real_sanitize/libsixel-master/converters/img2sixel.c:457
    #7 0x7f74dcd31a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #8 0x401918 in _start (/home/company/real_sanitize/poc_check/libsixel/img2sixel+0x401918)

0x60200000a7d1 is located 0 bytes to the right of 1-byte region [0x60200000a7d0,0x60200000a7d1)
allocated by thread T0 here:
    #0 0x7f74dd65e9aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x7f74dd362264 in stbi__tga_load /home/company/real_sanitize/libsixel-master/src/stb_image.h:5527
    #2 0x7f74dd362264 in stbi__load_main /home/company/real_sanitize/libsixel-master/src/stb_image.h:1011

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/company/real_sanitize/libsixel-master/src/stb_image.h:5580 stbi__tga_load
Shadow bytes around the buggy address:
  0x0c047fff94a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff94b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff94f0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fd
  0x0c047fff9500: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9510: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9520: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9530: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9540: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==591==ABORTING
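
A triage helper for the report above, added here as an example; it is not part of this bug or of libsixel. It parses the ASan output into the fields a maintainer needs to classify the finding (bug type, access kind and size, the faulting and allocating frames, and how far the read ran past the 1-byte allocation). The regular expressions and the shortened excerpt of the report are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the AddressSanitizer report quoted in the bug above (header line unwrapped; only the lines the parser needs are kept).
ASAN_REPORT = """\
==591==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a7d1 at pc 0x7f74dd362189 bp 0x7ffc2a510f90 sp 0x7ffc2a510f80
READ of size 1 at 0x60200000a7d1 thread T0
    #0 0x7f74dd362188 in stbi__tga_load /home/company/real_sanitize/libsixel-master/src/stb_image.h:5580
    #1 0x7f74dd362188 in stbi__load_main /home/company/real_sanitize/libsixel-master/src/stb_image.h:1011
0x60200000a7d1 is located 0 bytes to the right of 1-byte region [0x60200000a7d0,0x60200000a7d1)
allocated by thread T0 here:
    #0 0x7f74dd65e9aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x7f74dd362264 in stbi__tga_load /home/company/real_sanitize/libsixel-master/src/stb_image.h:5527
"""

# A symbolised frame "#N 0xADDR in function file:line"; frames that resolve only to a shared object (the libasan malloc frame) do not match and are skipped.
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+):(\d+)$", re.M)
REGION_RE = re.compile(r"(\d+) bytes to the (right|left) of (\d+)-byte region \[(0x[0-9a-f]+),")

@dataclass
class AsanFinding:
    bug_type: str                  # e.g. heap-buffer-overflow
    access: str                    # READ or WRITE
    access_size: int
    fault_site: str                # "function file:line" of the faulting frame
    alloc_site: Optional[str]      # same for the allocation, when ASan reports one
    region_size: Optional[int]     # size of the allocation that was overrun
    bytes_past_end: Optional[int]  # how far the access runs beyond that allocation

def first_source_frame(stack: str) -> Optional[str]:
    m = FRAME_RE.search(stack)
    return f"{m.group(1)} {m.group(2)}:{m.group(3)}" if m else None

def parse_asan(report: str) -> AsanFinding:
    """Pull the fields needed for triage out of an ASan report."""
    head = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    addr, size = int(head.group(2), 16), int(acc.group(2))
    # Frames before "allocated by" belong to the access, frames after it to the allocation.
    access_stack, _, alloc_stack = report.partition("allocated by")
    region_size = past_end = None
    region = REGION_RE.search(report)
    if region:
        region_size = int(region.group(3))
        if region.group(2) == "right":
            # The access covers [addr, addr+size); every byte at or beyond region_size is out of bounds.
            past_end = (addr - int(region.group(4), 16)) + size - region_size
    return AsanFinding(head.group(1), acc.group(1), size, first_source_frame(access_stack), first_source_frame(alloc_stack), region_size, past_end)
```

Both frames resolving to stbi__tga_load tells the maintainer that the buffer is sized (line 5527) and indexed (line 5580) in the same function, which is where the length check belongs.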

Comment 1 Andrej Nemec 2018-11-13 14:45:18 UTC
Hello,

Red Hat does not ship libsixel in any of our supported products. Please report these issues upstream at:

https://github.com/saitoha/libsixel/issues

Thanks!