| Field | Value |
|---|---|
| Title | LibSixel img2sixel LibSixel version 1.10.3 (commit 6dd664c) compiled on Aug 2 2025 and the newest master version. Heap Buffer Overflow |

**Description**

# LibSixel img2sixel Heap Buffer Overflow in Debug Palette Function
## Summary
During fuzzing of the libsixel library's img2sixel converter, a critical heap buffer overflow vulnerability was discovered in the `sixel_debug_print_palette` function. The vulnerability occurs when processing malformed image files, leading to out-of-bounds read access during palette debugging operations. This vulnerability affects the image-to-sixel conversion process and can be triggered by specially crafted input files.
## Technical Details
- **Vulnerability Type**: Heap Buffer Overflow
- **Affected Component**: LibSixel - img2sixel converter
- **Affected Function**: `sixel_debug_print_palette`
- **Source File**: `encoder.c`
- **Line Number**: 735
- **Signal**: SIGABRT (6)
- **Memory Access**: READ of size 1
- **Affected Memory Range**: 136-byte heap region with out-of-bounds access
## Mechanism and Root Cause
This heap buffer overflow vulnerability is caused by insufficient bounds checking in the `sixel_debug_print_palette` function when printing palette information during the sixel encoding process. The root cause lies in accessing palette data beyond the allocated buffer boundaries.
The vulnerability manifests through the following sequence:
1. **Allocation Phase**: A 136-byte region is allocated for palette data via `sixel_dither_new()` in `dither.c:306`
2. **Processing Phase**: During `sixel_encoder_encode_frame()`, palette information is prepared and processed
3. **Debug Output Phase**: `sixel_debug_print_palette()` attempts to access palette data at `encoder.c:735`
4. **Buffer Overflow**: The function reads 1 byte beyond the allocated 136-byte region boundary
5. **Detection**: AddressSanitizer flags the out-of-bounds read as a heap-buffer-overflow and aborts the process (SIGABRT)
The call chain demonstrates the vulnerability path:
```
main() → sixel_encoder_encode() → sixel_encoder_encode_frame() → sixel_debug_print_palette()
```
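The mechanism above comes down to a debug dump that trusts a colour count without checking it against the size of the buffer it reads from. The following C snippet is an added illustration of the defensive pattern, not libsixel's code and not the project's actual fix: every name in it (`safe_palette_entries`, `debug_print_palette_checked`, `palette_len`, the `demo_*` helpers) is invented for this example, and it assumes a packed 3-byte RGB entry layout, which libsixel may not use. The sample palette bytes are constructed from the first two colours in the report's dump.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this illustration: one palette entry is three packed bytes
 * (R, G, B). libsixel's real layout and struct names are not used here. */
#define PALETTE_BYTES_PER_ENTRY 3

/* Largest entry count that can be read from a palette buffer of palette_len
 * bytes without stepping past its end. A non-positive count yields 0. */
size_t safe_palette_entries(int ncolors, size_t palette_len)
{
    size_t fit = palette_len / PALETTE_BYTES_PER_ENTRY;
    if (ncolors <= 0)
        return 0;
    return ((size_t)ncolors < fit) ? (size_t)ncolors : fit;
}

/* Append formatted text at *pos into out; never writes past outlen bytes. */
static void append(char *out, size_t outlen, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    size_t avail = (*pos < outlen) ? outlen - *pos : 0;
    int w;

    va_start(ap, fmt);
    w = vsnprintf(avail ? out + *pos : out, avail, fmt, ap);
    va_end(ap);
    if (w > 0)
        *pos += (size_t)w;
}

/* Write "palette:" followed by one "i: #rrggbb" line per entry into out.
 * Every read is bounded by palette_len, so the loop can never touch the byte
 * after the buffer. Returns the number of entries printed, or -1 when
 * ncolors claims more entries than the buffer holds; the caller should treat
 * that as an internal inconsistency rather than print a truncated table. */
int debug_print_palette_checked(const unsigned char *palette, size_t palette_len,
                                int ncolors, char *out, size_t outlen)
{
    size_t n = safe_palette_entries(ncolors, palette_len);
    size_t pos = 0;
    size_t i;

    if (palette == NULL || out == NULL || outlen == 0)
        return -1;
    if (ncolors > 0 && n != (size_t)ncolors)
        return -1;              /* would have read past the allocation */

    out[0] = '\0';
    append(out, outlen, &pos, "palette:\n");
    for (i = 0; i < n; i++) {
        const unsigned char *e = palette + i * PALETTE_BYTES_PER_ENTRY;
        append(out, outlen, &pos, "%zu: #%02x%02x%02x\n", i, e[0], e[1], e[2]);
    }
    return (int)n;
}

/* Constructed sample: a 6-byte buffer that holds exactly two entries, using
 * the first two colours shown in the report's palette dump. */
static const unsigned char sample_palette[6] = {
    0x00, 0x00, 0x33,   /* 0: #000033 */
    0x33, 0xcc, 0xcc    /* 1: #33cccc */
};

/* ncolors agrees with the allocation: both entries are printed. */
int demo_consistent_dump(void)
{
    char buf[128];
    int n = debug_print_palette_checked(sample_palette, sizeof sample_palette,
                                        2, buf, sizeof buf);
    return n == 2 && strcmp(buf, "palette:\n0: #000033\n1: #33cccc\n") == 0;
}

/* ncolors claims a third entry that was never allocated: rejected up front
 * instead of reading one entry past the end, which is the failure mode the
 * sanitizer report below shows. */
int demo_inconsistent_dump(void)
{
    char buf[128];
    return debug_print_palette_checked(sample_palette, sizeof sample_palette,
                                       3, buf, sizeof buf);
}

int main(void)
{
    char buf[128];
    if (debug_print_palette_checked(sample_palette, sizeof sample_palette,
                                    2, buf, sizeof buf) > 0)
        fputs(buf, stdout);
    printf("over-claimed count -> %d\n", demo_inconsistent_dump());
    return 0;
}
```

The point of the pattern is that the dump derives its loop bound from the allocation size rather than from a count carried separately in the object; when the two disagree, the function refuses rather than reading past the end. A debug-only path is exactly where such a check tends to be missing, because it is rarely exercised outside fuzzing and `--verbose` runs.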
## AddressSanitizer Report
```
palette:
0: #000033
1: #33cccc
2: #212133
3: #cc33cc
4: #33cc33
5: #cccccc
6: #cc3387
7: #878742
8: #424254
9: #549999
10: #424254
11: #995499
12: #549954
13: #999999
14: #9954cc
=================================================================
==3699142==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000000c8 at pc 0x5577dceb54e3 bp 0x7fffb39b3d70 sp 0x7fffb39b3d68
READ of size 1 at 0x60d0000000c8 thread T0
#0 0x5577dceb54e2 in sixel_debug_print_palette /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:735:17
#1 0x5577dceb54e2 in sixel_encoder_encode_frame /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:1001:13
#2 0x5577dcef76cd in load_with_builtin /workspace/program/libsixel-6dd664c-Aug2/src/loader.c:963:14
#3 0x5577dcef76cd in sixel_helper_load_image_file /workspace/program/libsixel-6dd664c-Aug2/src/loader.c:1418:18
#4 0x5577dceb2638 in sixel_encoder_encode /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:1750:14
#5 0x5577dceaa7de in main /workspace/program/libsixel-6dd664c-Aug2/converters/img2sixel.c:457:22
#6 0x7f97371c5d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7f97371c5e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#8 0x5577dcdd4724 in _start (/workspace/fuzzdir/fz-libsixel/fz-img2sixel/img2sixel+0x55724) (BuildId: 7403ef4a85b632d178024a09cfb9c1858eef4521)
0x60d0000000c8 is located 0 bytes after 136-byte region [0x60d000000040,0x60d0000000c8)
allocated by thread T0 here:
#0 0x5577dce6e54e in malloc (/workspace/fuzzdir/fz-libsixel/fz-img2sixel/img2sixel+0xef54e) (BuildId: 7403ef4a85b632d178024a09cfb9c1858eef4521)
#1 0x5577dcec9e6b in sixel_dither_new /workspace/program/libsixel-6dd664c-Aug2/src/dither.c:306:35
#2 0x5577dceb3f08 in sixel_encoder_prepare_palette /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:531:18
#3 0x5577dceb3f08 in sixel_encoder_encode_frame /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:988:14
#4 0x5577dcef76cd in load_with_builtin /workspace/program/libsixel-6dd664c-Aug2/src/loader.c:963:14
#5 0x5577dcef76cd in sixel_helper_load_image_file /workspace/program/libsixel-6dd664c-Aug2/src/loader.c:1418:18
#6 0x5577dceb2638 in sixel_encoder_encode /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:1750:14
#7 0x5577dceaa7de in main /workspace/program/libsixel-6dd664c-Aug2/converters/img2sixel.c:457:22
#8 0x7f97371c5d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /workspace/program/libsixel-6dd664c-Aug2/src/encoder.c:735:17 in sixel_debug_print_palette
```
## Proof of Concept
The vulnerability can be triggered by processing the malformed image file provided as `POC_img2sixel_heap_buffer_overflow`. This file contains specific image data structures that cause the heap buffer overflow condition during palette debugging operations.
**POC Download**: [POC_img2sixel_heap_buffer_overflow](https://drive.google.com/file/d/1IIvvRFgUQZcySqeoqXXhsxd0HZCjClJ7/view?usp=sharing)
## Reproduction Steps
1. Compile libsixel with AddressSanitizer enabled
2. Execute: `img2sixel --7bit-mode -8 --invert --palette-type=auto --verbose POC_img2sixel_heap_buffer_overflow -o /dev/null`
3. The program will crash with a heap-buffer-overflow error in the debug palette function
## Affected Versions
LibSixel version 1.10.3 (commit 6dd664c) compiled on Aug 2 2025 and the newest master version.
## Credit
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory)

| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/saitoha/libsixel/issues/200 |
| User | xdcao (UID 88377) |
| Submission | 12/08/2025 09:29 AM (9 months ago) |
| Moderation | 21/08/2025 07:25 AM (9 days later) |
| Status | Approved |
| VulDB Entry | 320905 [saitoha libsixel up to 1.10.3 img2sixel src/encoder.c sixel_debug_print_palette memory corruption] |
| Points | 20 |