CVE-2022-0856: [BUG] Divide by zero in img2txt · Issue #65 · cacalabs/libcaca
libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service
Open
kdsjZh opened this issue on Feb 24, 2022 · 3 comments
version: latest commit f42aa68
driver: src/img2txt
Environment: ubuntu 22.04, clang-12
Steps to reproduce:

```sh
export CFLAGS="-fsanitize=address -g"
export CC=clang
./bootstrap
./configure
make -j8
./src/img2txt ./divide_by_0.seed
```
Sanitizer output:

```text
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25214==ERROR: AddressSanitizer: FPE on unknown address 0x0000004d0433 (pc 0x0000004d0433 bp 0x7fff1cb39010 sp 0x7fff1cb38ee0 T0)
    #0 0x4d0433 in main /benchmarks/libcaca/src/img2txt.c:183:42
    #1 0x7fa2270f9d8f (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
    #2 0x7fa2270f9e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
    #3 0x421944 in _start (/benchmarks/libcaca/src/img2txt+0x421944)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /benchmarks/libcaca/src/img2txt.c:183:42 in main
==25214==ABORTING
```
# POC
divide_by_0.zip
## Credit
Han Zheng
NCNIPC of China
Hexhive
Thank you. Reading the code, it could happen when given a valid image of width 0 (probably the case here), but also with any image if passing `-y 0`.
How’s this going to be fixed?
I added a check for `i->w` and/or `i->h` being 0, issuing an error message ("image size is 0") and setting `lines` and `cols` to 0 (`caca_set_canvas_size` can handle this).
Obviously `caca_export_canvas_to_memory` then chokes on this, but this is handled already. I then also only changed the format in the error message to `format?format:"ansi"`.
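The crash and the fix described above, as an added example that is not libcaca's own code: a constructed model of the canvas-size computation (the exact formula at img2txt.c:183 is assumed, not quoted), with the unchecked arithmetic beside a version that rejects a zero image or font dimension and so also covers the `-y 0` case mentioned in the thread.

```c
#include <stdio.h>

/* Constructed model of img2txt's canvas-size computation (assumption, not the
 * project's code): character rows/columns are derived from the image size and
 * the font cell size, so any zero divisor raises SIGFPE (the ASan FPE above). */
struct image { int w, h; };

/* Unchecked version: integer division by zero when i->w is 0 (a malformed
 * image, as suspected for the attached seed) or font_height is 0 ("-y 0"). */
static void size_unchecked(const struct image *i, int font_width,
                           int font_height, int *cols, int *lines)
{
    if (!*cols && !*lines) {
        *cols = 60;
        *lines = *cols * i->h * font_width / i->w / font_height;
    } else if (*cols && !*lines) {
        *lines = *cols * i->h * font_width / i->w / font_height;
    } else if (!*cols && *lines) {
        *cols = *lines * i->w * font_height / i->h / font_width;
    }
}

/* Hardened version: validate every divisor before dividing. Mirrors the fix
 * in the thread (error message, lines and cols set to 0) and additionally
 * rejects a zero font size. Returns 0 on success, -1 on unusable input. */
static int size_checked(const struct image *i, int font_width,
                        int font_height, int *cols, int *lines)
{
    if (i->w <= 0 || i->h <= 0) {
        fprintf(stderr, "img2txt: image size is 0\n");
        *cols = *lines = 0;
        return -1;
    }
    if (font_width <= 0 || font_height <= 0) {
        fprintf(stderr, "img2txt: font size is 0\n");
        *cols = *lines = 0;
        return -1;
    }
    size_unchecked(i, font_width, font_height, cols, lines);
    return 0;
}

int main(void)
{
    struct image bad = { 0, 50 };   /* constructed: zero-width image */
    int cols = 0, lines = 0;
    int rc = size_checked(&bad, 6, 10, &cols, &lines);
    printf("rc=%d cols=%d lines=%d\n", rc, cols, lines); /* rc=-1 cols=0 lines=0 */
    return 0;
}
```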