CVE-2021-45340: NULL pointer dereference in stb_image.h · Issue #51 · libsixel/libsixel

In Libsixel prior to and including v1.10.3, a NULL pointer dereference in the stb_image.h component of libsixel allows attackers to cause a denial of service (DOS) via a crafted PICT file.


This is a duplicate report of issue 160 in the original project. I’m not sure where best to report this, but it affects both projects.

Vulnerable versions

  • saitoha/libsixel at the latest (6a5be8b) commit
  • libsixel/libsixel at the latest (bc93c8c) commit

Steps to reproduce

img2sixel stbio_1561_poc.bin

The input file (a malformed PICT-format image) is attached.

Cause

Segmentation fault in stbi__convert_format at stb_image.h:1561:

    switch (STBI__COMBO(img_n, req_comp)) {
        /* … */
        STBI__CASE(4,3) { dest[0]=src[0], dest[1]=src[1], dest[2]=src[2]; } break;
        /* … */
    }

The src pointer is NULL, as passed in from stbi__pic_load.

The source of the NULL pointer is the malloc at line 6120:

    result = (stbi_uc *) stbi__malloc_mad4(x, y, 4, 0);

whose result is never checked for NULL. The x and y dimensions (39168, 5888) are read directly from the input file, and they pass the check in stbi__mad3sizes_valid, which only guards against integer overflow of the size computation.

The requested allocation is 39168 * 5888 * 4 bytes, and it fails.

Impact

Denial of service is the only obvious impact.

Mitigation

stb_image starting at version 2.27 (commit 50072f66589f52f51eb5b3f56b9272ea8ec1fdac) includes a check for this condition. libsixel should be brought up to date with this version if possible.

If not, backport the check as well as similar error checks for other malloc calls.
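The following is an added illustration of the failure path described under "Cause" and of the check recommended under "Mitigation"; it is not code from libsixel or stb_image. The function names and the allocation ceiling are constructed for this example: the ceiling makes the out-of-memory result reproducible without relying on the host running out of memory.

```c
/* Added example, not libsixel's or stb_image's code. Mirrors the
 * overflow-only size check, then adds the NULL check that the
 * vulnerable path lacks. All names here are our own. */
#include <limits.h>
#include <stdlib.h>

/* Constructed allocation ceiling (256 MiB) so the failure reproduces
 * deterministically regardless of the host's memory. */
static size_t g_alloc_limit = 256u * 1024u * 1024u;

static void *limited_alloc(size_t n) {
    return n > g_alloc_limit ? NULL : calloc(n, 1);
}

/* Does a*b fit in an int? (the overflow guard the report refers to) */
int mul2sizes_valid(int a, int b) {
    if (a < 0 || b < 0) return 0;
    if (b == 0) return 1;
    return a <= INT_MAX / b;
}

/* Does a*b*c + add fit in an int? Same reasoning as stbi__mad3sizes_valid:
 * this passes for 39168 x 5888 x 4, because nothing overflows. */
int mad3sizes_valid(int a, int b, int c, int add) {
    return mul2sizes_valid(a, b) && mul2sizes_valid(a * b, c) &&
           a * b * c <= INT_MAX - add;
}

/* Allocate an x*y*4 RGBA buffer; NULL on overflow or allocation failure. */
unsigned char *alloc_rgba(int x, int y) {
    if (!mad3sizes_valid(x, y, 4, 0)) return NULL;
    return (unsigned char *)limited_alloc((size_t)x * y * 4);
}

/* Hardened 4->3 conversion: refuses NULL instead of dereferencing it. */
int convert_rgba_to_rgb(const unsigned char *src, unsigned char *dst, int px) {
    if (src == NULL || dst == NULL) return 0;
    for (int i = 0; i < px; ++i, src += 4, dst += 3) {
        dst[0] = src[0]; dst[1] = src[1]; dst[2] = src[2];
    }
    return 1;
}

/* Loader path: 1 on success, 0 when the image is rejected or memory runs out.
 * The NULL check after alloc_rgba is the one missing from the vulnerable code. */
int load_pic(int x, int y) {
    unsigned char *rgba = alloc_rgba(x, y);
    if (rgba == NULL) return 0;
    unsigned char *rgb = (unsigned char *)limited_alloc((size_t)x * y * 3);
    int ok = rgb != NULL && convert_rgba_to_rgb(rgba, rgb, x * y);
    free(rgb);
    free(rgba);
    return ok;
}
```

With the dimensions from the crashing file, the size check passes but the allocation fails, and load_pic returns an error instead of handing a NULL source to the conversion loop.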
