Libsixel Integer Overflow Vulnerability Leading to Out-of-Bounds Heap Read

A vulnerability in Libsixel versions through 1.8.7 in the Sixel encoder/decoder implementation allows for an integer overflow that leads to an out-of-bounds heap read. This issue arises in the '--crop' option handling of the 'img2sixel' tool, where positive coordinates up to INT_MAX are accepted without proper overflow-safe bounds checking. The vulnerability can be exploited by supplying a specially crafted crop argument with any valid image, causing a reliable crash and potential information disclosure.

Impact

Exploitation of this vulnerability causes a memory corruption issue that results in a crash, but also allows for an out-of-bounds read in the heap, which could be exploited for information disclosure.

Reproduction

To reproduce this vulnerability, use the 'img2sixel' command-line tool with the '--crop' option. Specify a crop argument that includes a coordinate value of 2,147,483,647 (INT_MAX) along with a valid image, such as a 1x1 grayscale PNG. The command will trigger the out-of-bounds heap read by overflowing the coordinate bounds check, leading to a crash.

Remediation

Users should upgrade to Libsixel version 1.8.7-r1, where this vulnerability has been fixed.