assertion failure in stbi__shiftsigned in stb_image.h #126

Closed
sleicasper opened this issue Dec 29, 2019 · 2 comments
@sleicasper

stbi__shiftsigned has an assertion which can be triggered by a user-supplied image file.

Screen Shot 2019-12-29 at 9 38 06 PM

poc:
poc.zip

result:

#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff678c801 in __GI_abort () at abort.c:79
#2  0x00007ffff677c39a in __assert_fail_base (
    fmt=0x7ffff69037d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x5adc60 <.str.73> "v >= 0 && v < 256",
    file=file@entry=0x5ac2a0 <.str.2> "./stb_image.h", line=line@entry=0x13bc,
    function=function@entry=0x5adca0 <__PRETTY_FUNCTION__.stbi__shiftsigned> "int stbi__shiftsigned(int, int, int)") at assert.c:92
#3  0x00007ffff677c412 in __GI___assert_fail (assertion=0x5adc60 <.str.73> "v >= 0 && v < 256",
    file=0x5ac2a0 <.str.2> "./stb_image.h", line=0x13bc,
    function=0x5adca0 <__PRETTY_FUNCTION__.stbi__shiftsigned> "int stbi__shiftsigned(int, int, int)") at assert.c:101
#4  0x0000000000536b79 in stbi__shiftsigned (v=0xffffffa5, shift=0x18, bits=0xd)
    at ./stb_image.h:5052
#5  0x00000000005030b4 in stbi__bmp_load (s=0x7fffffffcc80, x=0x607000000038, y=0x60700000003c,
    comp=0x7fffffffcda0, req_comp=0x3, ri=0x7fffffffc940) at ./stb_image.h:5287
#6  0x00000000004ff7b3 in stbi__load_main (s=0x7fffffffcc80, x=0x607000000038, y=0x60700000003c,
    comp=0x7fffffffcda0, req_comp=0x3, ri=0x7fffffffc940, bpc=0x8) at ./stb_image.h:988
#7  0x00000000004fa325 in stbi__load_and_postprocess_8bit (s=0x7fffffffcc80, x=0x607000000038,
    y=0x60700000003c, comp=0x7fffffffcda0, req_comp=0x3) at ./stb_image.h:1092
#8  0x00000000004ff0b2 in load_with_builtin (pchunk=0x603000000010, fstatic=0x0, fuse_palette=0x1,
    reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x4d0b50 <load_image_callback>,
    context=0x610000000040) at loader.c:912
#9  0x00000000004fddc3 in sixel_helper_load_image_file (filename=0x7fffffffe5da "poc", fstatic=0x0,
    fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0,
    fn_load=0x4d0b50 <load_image_callback>, finsecure=0x0, cancel_flag=0x108e980 <signaled>,
    context=0x610000000040, allocator=0x604000000010) at loader.c:1392
#10 0x00000000004d0858 in sixel_encoder_encode (encoder=0x610000000040,
    filename=0x7fffffffe5da "poc") at encoder.c:1737
#11 0x00000000004c66c9 in main (argc=0x2, argv=0x7fffffffe308) at img2sixel.c:457
#12 0x00007ffff676db97 in __libc_start_main (main=0x4c3320 <main>, argc=0x2, argv=0x7fffffffe308,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8)
    at ../csu/libc-start.c:310
#13 0x000000000041bd3a in _start ()
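
The values in frame #4 (`v=0xffffffa5`, `shift=0x18`, `bits=0xd`) are consistent with a pixel that has bit 31 set being shifted right as a signed `int`. The sketch below is an added example, not code from stb_image.h, libsixel or the reporter; it reproduces that arithmetic next to a checked extraction. The helper names, the mask and pixel values, and the rule that the shift is the mask's highest bit minus 7 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Index of the highest set bit, or -1 for an empty mask. */
static int high_bit(uint32_t m) { int n = -1; while (m) { m >>= 1; n++; } return n; }

/* Number of set bits in a channel mask. */
static int bit_count(uint32_t m) { int n = 0; while (m) { n += (int)(m & 1u); m >>= 1; } return n; }

/* Signed right shift, as with the int parameters shown in frame #4.
   gcc and clang shift negative values arithmetically, so bit 31 is
   copied into the vacated upper bits. */
static int shift_signed(int32_t v, int shift) { return v >> shift; }

/* Hardened extraction (hypothetical helper): returns the channel value
   top-aligned in 0..255, or -1 if the mask cannot be decoded safely. */
static int extract_checked(uint32_t pixel, uint32_t mask)
{
    int bits = bit_count(mask);
    if (bits < 1 || bits > 8)
        return -1;                      /* empty or wider than 8 bits */
    uint32_t v = pixel & mask;          /* unsigned: no sign extension */
    int shift = high_bit(mask) - 7;     /* assumption: top mask bit -> bit 7 */
    v = shift < 0 ? v << -shift : v >> shift;
    return (int)v;                      /* < 256 by construction */
}

int main(void)
{
    /* Constructed inputs: a 13-bit mask topping out at bit 31, which
       gives shift = 24 and bits = 13 as in the backtrace. */
    uint32_t mask = 0xfff80000u, pixel = 0xa5000000u;
    int s = shift_signed((int32_t)(pixel & mask), high_bit(mask) - 7);
    printf("signed shift:   0x%08x (in 0..255: %s)\n", (unsigned)s,
           (s >= 0 && s < 256) ? "yes" : "no");
    printf("checked, 13-bit mask: %d\n", extract_checked(pixel, mask));
    printf("checked,  8-bit mask: %d\n", extract_checked(pixel, 0xff000000u));
    return 0;
}
```

Rejecting the mask with an error return keeps a malformed file from reaching an `assert`, which aborts the whole process in builds where assertions are enabled.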
@carnil

carnil commented Dec 29, 2019

According to the MITRE CVE feed, this issue has been assigned CVE-2019-20056, although the issue seems to be in stb_image.h, and not specific to libsixel.

@saitoha
Owner

saitoha commented Jan 3, 2020

Fixed on v1.8.5. Thanks!
