heap-buffer-overflow in error_diffuse, quant.c:876, different from #156

[waugustus]

Description

There is a heap-buffer-overflow error in img2sixel 1.8.6 in error_diffuse, quant.c:876, which is invoked by diffuse_jajuni, quant.c:972 (different from #156). Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file.

Version

$ img2sixel -V
img2sixel 1.8.6

configured with:
  libcurl: yes
  libpng: yes
  libjpeg: yes
  gdk-pixbuf2: no
  GD: no

Reproduction

$ img2sixel -d jajuni  -b vt340mono poc /tmp/foo
=================================================================
==135878==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000010ed at pc 0x55e064953e8e bp 0x7ffda7711e50 sp 0x7ffda7711e40
READ of size 1 at 0x6030000010ed thread T0
    #0 0x55e064953e8d in error_diffuse /root/programs_latest/libsixel/src/quant.c:876
    #1 0x55e0649541ff in diffuse_jajuni /root/programs_latest/libsixel/src/quant.c:972
    #2 0x55e064956a85 in sixel_quant_apply_palette /root/programs_latest/libsixel/src/quant.c:1449
    #3 0x55e064904e97 in sixel_dither_apply_palette /root/programs_latest/libsixel/src/dither.c:801
    #4 0x55e0648faca9 in sixel_encode_dither /root/programs_latest/libsixel/src/tosixel.c:830
    #5 0x55e064902b7f in sixel_encode /root/programs_latest/libsixel/src/tosixel.c:1551
    #6 0x55e0648ee0e0 in sixel_encoder_output_without_macro /root/programs_latest/libsixel/src/encoder.c:825
    #7 0x55e0648ef381 in sixel_encoder_encode_frame /root/programs_latest/libsixel/src/encoder.c:1056
    #8 0x55e0648f3245 in load_image_callback /root/programs_latest/libsixel/src/encoder.c:1679
    #9 0x55e064943c67 in load_with_builtin /root/programs_latest/libsixel/src/loader.c:963
    #10 0x55e0649441aa in sixel_helper_load_image_file /root/programs_latest/libsixel/src/loader.c:1418
    #11 0x55e0648f36a9 in sixel_encoder_encode /root/programs_latest/libsixel/src/encoder.c:1743
    #12 0x55e0648e965b in main /root/programs_latest/libsixel/converters/img2sixel.c:457
    #13 0x7f8f97ce2082 in __libc_start_main ../csu/libc-start.c:308
    #14 0x55e0648e6fad in _start (/root/programs_latest/libsixel/build_asan/bin/img2sixel+0x39fad)

0x6030000010ed is located 3 bytes to the left of 18-byte region [0x6030000010f0,0x603000001102)
allocated by thread T0 here:
    #0 0x7f8f9829c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55e0648e986e in rpl_malloc /root/programs_latest/libsixel/converters/malloc_stub.c:45
    #2 0x55e0648f4524 in sixel_allocator_malloc /root/programs_latest/libsixel/src/allocator.c:162
    #3 0x55e0648ede50 in sixel_encoder_output_without_macro /root/programs_latest/libsixel/src/encoder.c:789
    #4 0x55e0648ef381 in sixel_encoder_encode_frame /root/programs_latest/libsixel/src/encoder.c:1056
    #5 0x55e0648f3245 in load_image_callback /root/programs_latest/libsixel/src/encoder.c:1679
    #6 0x55e064943c67 in load_with_builtin /root/programs_latest/libsixel/src/loader.c:963
    #7 0x55e0649441aa in sixel_helper_load_image_file /root/programs_latest/libsixel/src/loader.c:1418
    #8 0x55e0648f36a9 in sixel_encoder_encode /root/programs_latest/libsixel/src/encoder.c:1743
    #9 0x55e0648e965b in main /root/programs_latest/libsixel/converters/img2sixel.c:457
    #10 0x7f8f97ce2082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/programs_latest/libsixel/src/quant.c:876 in error_diffuse
Shadow bytes around the buggy address:
  0x0c067fff81c0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff81d0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff81e0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff81f0: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fff8200: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
=>0x0c067fff8210: fa fa 00 00 00 00 fa fa 00 00 02 fa fa[fa]00 00
  0x0c067fff8220: 02 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==135878==ABORTING

poc.zip

Platform

# uname -a
Linux dd189b3c7b86 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux