Headline
CVE-2020-36123: double-free in sixel_chunk_destroy /root/libsixel/src/chunk.c:107:9 · Issue #144 · saitoha/libsixel
saitoha libsixel v1.8.6 was discovered to contain a double free via the component sixel_chunk_destroy at /root/libsixel/src/chunk.c.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
chibataiki opened this issue
Dec 31, 2020
· 1 comment
Comments
version:
img2sixel 1.8.6
OS: Ubuntu 20.04.1 LTS x86_64
Kernel: 5.4.0-54-generic
compiler: gcc version 9.3.0
configured with:
libcurl: no
libpng: yes
libjpeg: no
gdk-pixbuf2: no
GD: no
compiled with :
(CFLAGS="-g -fsanitize=address" ./configure && make)
run
poc_double_free.zip
=================================================================
==872176==ERROR: AddressSanitizer: attempting double-free on 0x62d000000400 in thread T0:
#0 0x49489d in free (/root/libsixel/converters/.libs/img2sixel+0x49489d)
#1 0x7fb24078593d in sixel_chunk_destroy /root/libsixel/src/chunk.c:107:9
#2 0x7fb240799ddf in sixel_helper_load_image_file /root/libsixel/src/loader.c:1432:5
#3 0x7fb2407f4e36 in sixel_encoder_encode /root/libsixel/src/encoder.c:1743:14
#4 0x4c5c88 in main /root/libsixel/converters/img2sixel.c:457:22
#5 0x7fb2403400b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x41c3dd in _start (/root/libsixel/converters/.libs/img2sixel+0x41c3dd)
0x62d000000400 is located 0 bytes inside of 32768-byte region [0x62d000000400,0x62d000008400)
freed by thread T0 here:
#0 0x49489d in free (/root/libsixel/converters/.libs/img2sixel+0x49489d)
#1 0x7fb2407defe9 in load_png /root/libsixel/src/loader.c:633:5
#2 0x7fb240799a85 in load_with_builtin /root/libsixel/src/loader.c:889:18
#3 0x7fb240799a85 in sixel_helper_load_image_file /root/libsixel/src/loader.c:1418:18
#4 0x7fb2407f4e36 in sixel_encoder_encode /root/libsixel/src/encoder.c:1743:14
#5 0x4c5c88 in main /root/libsixel/converters/img2sixel.c:457:22
#6 0x7fb2403400b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x494b1d in malloc (/root/libsixel/converters/.libs/img2sixel+0x494b1d)
#1 0x7fb24080df0c in sixel_allocator_malloc /root/libsixel/src/allocator.c:162:12
#2 0x7fb240797a57 in sixel_helper_load_image_file /root/libsixel/src/loader.c:1375:14
#3 0x7fb2407f4e36 in sixel_encoder_encode /root/libsixel/src/encoder.c:1743:14
#4 0x4c5c88 in main /root/libsixel/converters/img2sixel.c:457:22
#5 0x7fb2403400b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: double-free (/root/libsixel/converters/.libs/img2sixel+0x49489d) in free
==872176==ABORTING
chibataiki changed the title AddressSanitizer: double-free in in sixel_chunk_destroy /root/libsixel/src/chunk.c:107:9 double-free in in sixel_chunk_destroy /root/libsixel/src/chunk.c:107:9
Jan 4, 2021
chibataiki changed the title double-free in in sixel_chunk_destroy /root/libsixel/src/chunk.c:107:9 double-free in sixel_chunk_destroy /root/libsixel/src/chunk.c:107:9
Jan 18, 2021
I cannot reproduce this so i will closed this now
1 participant