CVE-2021-46700: double free or corruption in encoder.c:831 · Issue #158 · saitoha/libsixel

Hi, I found a double free or corruption in the current master 6a5be8b,
OS: ubuntu 18.04
kernel: 5.4.0-87-generic

POC: poc.zip

• gdb

  ───────────────────────────────────────────────────────────────────────── Registers ────────────────────────────────────────────────────────────────────────── RAX: 0x0 RBX: 0x7ffff7c1ab80 (0x00007ffff7c1ab80) RCX: 0x7ffff7c6218b (<__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108]) RDX: 0x0 RSI: 0x7fffffffd570 --> 0x0 RDI: 0x2 RBP: 0x7fffffffd8c0 --> 0x7ffff7e07b80 --> 0x0 RSP: 0x7fffffffd570 --> 0x0 RIP: 0x7ffff7c6218b (<__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108]) R8 : 0x0 R9 : 0x7fffffffd570 --> 0x0 R10: 0x8 R11: 0x246 R12: 0x7fffffffd7e0 --> 0x0 R13: 0x10 R14: 0x7ffff7ffb000 --> 0x62756f6400001000 R15: 0x1 EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) ──────────────────────────────────────────────────────────────────────────── Code ──────────────────────────────────────────────────────────────────────────── 0x7ffff7c6217f <__GI_raise+191>: mov edi,0x2 0x7ffff7c62184 <__GI_raise+196>: mov eax,0xe 0x7ffff7c62189 <__GI_raise+201>: syscall => 0x7ffff7c6218b <__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108] 0x7ffff7c62193 <__GI_raise+211>: xor rax,QWORD PTR fs:0x28 0x7ffff7c6219c <__GI_raise+220>: jne 0x7ffff7c621c4 <__GI_raise+260> 0x7ffff7c6219e <__GI_raise+222>: mov eax,r8d 0x7ffff7c621a1 <__GI_raise+225>: add rsp,0x118 [rsp+0x108] : 0x7fffffffd678 --> 0x56e8b0c29e2fc000 ─────────────────────────────────────────────────────────────────────────── Stack ──────────────────────────────────────────────────────────────────────────── 0000| 0x7fffffffd570 --> 0x0 0008| 0x7fffffffd578 --> 0xffffff01 0016| 0x7fffffffd580 --> 0x2 0024| 0x7fffffffd588 --> 0x48b8e0 --> 0x48b860 --> 0x0 0032| 0x7fffffffd590 --> 0x48b8e4 --> 0x48301000000000 0040| 0x7fffffffd598 --> 0x1 0048| 0x7fffffffd5a0 --> 0x100000002 0056| 0x7fffffffd5a8 --> 0x48b930 --> 0x0 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Legend: code, data, rodata, heap, value Stopped reason: SIGABRT __GI_raise (sig=sig@entry=0x6) at …/sysdeps/unix/sysv/linux/raise.c:50 50 …/sysdeps/unix/sysv/linux/raise.c: No such file or directory. gdb-peda$ bt #0 __GI_raise (sig=sig@entry=0x6) at …/sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff7c41859 in __GI_abort () at abort.c:79 #2 0x00007ffff7cac3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7dd6285 “%s\n”) at …/sysdeps/posix/libc_fatal.c:155 #3 0x00007ffff7cb447c in malloc_printerr (str=str@entry=0x7ffff7dd8670 "double free or corruption (out)") at malloc.c:5347 #4 0x00007ffff7cb6120 in _int_free (av=0x7ffff7e07b80 <main_arena>, p=0x4b3a70, have_lock=<optimized out>) at malloc.c:4314 #5 0x0000000000407f8a in sixel_encoder_output_without_macro (frame=<optimized out>, dither=0x48b600, output=<optimized out>, encoder=0x4832d0) at encoder.c:831 #6 sixel_encoder_encode_frame (encoder=0x4832d0, frame=<optimized out>, output=<optimized out>) at encoder.c:1056 #7 0x000000000041c22b in load_with_builtin (pchunk=<optimized out>, fstatic=<optimized out>, fuse_palette=0x1, reqcolors=<optimized out>, bgcolor=<optimized out>, loop_control=<optimized out>, fn_load=<optimized out>, context=<optimized out>) at loader.c:963 #8 sixel_helper_load_image_file (filename=<optimized out>, fstatic=<optimized out>, fuse_palette=0x1, reqcolors=<optimized out>, bgcolor=<optimized out>, loop_control=<optimized out>, fn_load=<optimized out>, finsecure=<optimized out>, cancel_flag=<optimized out>, context=<optimized out>, allocator=<optimized out>) at loader.c:1418 #9 0x00000000004066e5 in sixel_encoder_encode (encoder=0x4832d0, filename=0x7fffffffe662 “./out/crashes/id:000003,sig:06,src:001126,op:arg1,rep:2”) at encoder.c:1743 #10 0x0000000000402f73 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe318) at img2sixel.c:457 #11 0x00007ffff7c430b3 in __libc_start_main (main=0x4026a0 <main>, argc=0xb, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at …/csu/libc-start.c:308 #12 0x00000000004025de in _start () gdb-peda$