libsixel Integer Overflow Vulnerability Leading to Heap Buffer Overflow

Vulnerability

A heap buffer overflow vulnerability has been identified in libsixel versions through 1.8.7. The issue arises from an integer overflow in the function sixel_frame_convert_to_rgb888() in frame.c. It specifically affects palettised images (PAL1, PAL2, PAL4) whose dimensions push the pixel count above INT_MAX divided by 4. The overflow results in a too-small heap allocation for the image conversion buffer and a negative pointer offset for the normalization sub-buffer. Consequently, the function sixel_helper_normalize_pixelformat() writes image data at the invalid pointer, leading to significant heap corruption, as confirmed by AddressSanitizer. An attacker can exploit this vulnerability by providing a specially crafted large palettised PNG, causing the victim process to crash and potentially allowing for arbitrary code execution.
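The arithmetic the advisory describes, modelled as an added example that is not libsixel's code: the int-based size and offset computation beside a checked size_t version that refuses images above the INT_MAX/4 threshold. The buffer layout, the function names and the assumption of a 32-bit int are illustrative.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the layout the advisory describes (not libsixel's code):
 * a scratch buffer of width*height*4 bytes; the normalized 1-byte-per-pixel
 * palette image lands at offset width*height*3, the RGB888 output at offset 0. */

/* Emulate 32-bit int multiplication with two's-complement wraparound, which is
 * what a typical build produces once width*height*4 exceeds INT_MAX (signed
 * overflow is undefined in C, so it is modelled here rather than performed). */
static int wrap_int_mul(int a, int b) { return (int)((uint32_t)a * (uint32_t)b); }

/* Weak form: plain int arithmetic. The size wraps to 0 or a small value, the offset may wrap negative. */
static long naive_alloc_size(int width, int height) { return wrap_int_mul(wrap_int_mul(width, height), 4); }
static long naive_src_offset(int width, int height) { return wrap_int_mul(wrap_int_mul(width, height), 3); }

/* Hardened form: size_t arithmetic with explicit overflow checks, refusing any
 * pixel count above INT_MAX/4 so that int-based callers cannot overflow either.
 * Returns 1 on success, 0 when the image must be rejected. */
static int checked_rgb888_layout(int width, int height,
                                 size_t *alloc_size, size_t *src_offset)
{
    if (width <= 0 || height <= 0) return 0;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / h) return 0;               /* w*h would overflow size_t */
    size_t pixels = w * h;
    if (pixels > (size_t)INT_MAX / 4) return 0;   /* pixels*4 would not fit an int */
    *alloc_size = pixels * 4;
    *src_offset = pixels * 3;
    return 1;
}

/* Checked allocation size, or 0 when the image is refused. */
static size_t checked_alloc_size(int width, int height)
{
    size_t alloc = 0, off = 0;
    return checked_rgb888_layout(width, height, &alloc, &off) ? alloc : 0;
}

int main(void)
{
    int w = 32768, h = 32768;   /* 2^30 pixels, above INT_MAX/4 = 536870911 */
    printf("naive: alloc=%ld src_offset=%ld\n",
           naive_alloc_size(w, h), naive_src_offset(w, h));
    printf("checked: %s\n", checked_alloc_size(w, h) ? "accepted" : "refused");
    return 0;
}
```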

Impact

Exploiting this vulnerability can crash the affected process and allows for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using the libsixel library to load a large palettised PNG image whose dimensions push the pixel count above INT_MAX divided by 4. Loading the image must reach the faulty integer arithmetic in sixel_frame_convert_to_rgb888(), which triggers the heap buffer overflow.

Remediation

Users can upgrade to libsixel version 1.8.7-r1 to address this vulnerability.

Added: Apr 15, 2026, 12:36 AM
Updated: Apr 15, 2026, 12:36 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.0
remediation: 7.7
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.