libsixel Use-After-Free Vulnerability in Sixel Encoder

Vulnerability

A use-after-free vulnerability has been identified in libsixel, a SIXEL encoder/decoder library, in versions through 1.8.7. The issue is in the function 'sixel_encoder_encode_bytes()', which stores the pixel buffer pointer provided by the caller directly in the frame structure without making a defensive copy. As a result, the buffer can be freed during a resize operation, leaving the caller with a dangling pointer. Any subsequent access to this buffer by the caller is a use-after-free, which has been confirmed using AddressSanitizer. This vulnerability can be exploited to cause a crash and potentially execute arbitrary code.
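The ownership mistake described above, reduced to a toy model with the hardened form beside it. This is an added example, not libsixel code: 'frame_t', 'frame_init_borrowed()', 'frame_init_copy()', 'frame_resize()' and 'frame_aliases()' are hypothetical names, and the frame is assumed to hold one byte per pixel.

```c
/* Toy model of the ownership bug; NOT libsixel code. All names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *pixels;  /* buffer the frame frees when it resizes */
    size_t width, height;   /* assumption: one byte per pixel */
} frame_t;

/* Vulnerable pattern: the caller's pointer is stored as-is, so the frame
 * and the caller both believe they own the same allocation. */
void frame_init_borrowed(frame_t *f, unsigned char *px, size_t w, size_t h)
{
    f->pixels = px; f->width = w; f->height = h;
}

/* Hardened pattern: defensive copy, so the frame only ever frees its own memory. */
int frame_init_copy(frame_t *f, const unsigned char *px, size_t w, size_t h)
{
    if (px == NULL || w == 0 || h == 0 || w > SIZE_MAX / h) return -1;
    f->pixels = malloc(w * h);
    if (f->pixels == NULL) return -1;
    memcpy(f->pixels, px, w * h);
    f->width = w; f->height = h;
    return 0;
}

/* Nearest-neighbour resize: allocates a new buffer and frees the old one.
 * After frame_init_borrowed() this free() releases the caller's buffer. */
int frame_resize(frame_t *f, size_t nw, size_t nh)
{
    if (nw == 0 || nh == 0 || nw > SIZE_MAX / nh) return -1;
    unsigned char *dst = malloc(nw * nh);
    if (dst == NULL) return -1;
    for (size_t y = 0; y < nh; y++)
        for (size_t x = 0; x < nw; x++)
            dst[y * nw + x] = f->pixels[(y * f->height / nh) * f->width + x * f->width / nw];
    free(f->pixels);
    f->pixels = dst; f->width = nw; f->height = nh;
    return 0;
}

/* 1 if the frame points at the caller's allocation; call before any resize. */
int frame_aliases(const frame_t *f, const unsigned char *px)
{
    return f->pixels == px;
}
```

With the copying initializer the caller's buffer stays valid across the resize; with the borrowing one, the caller must treat its pointer as dead the moment a resize can run.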

Impact

Exploitation of this vulnerability leads to a use-after-free condition, allowing for memory corruption. While this could result in a crash, it also creates an opportunity for arbitrary code execution, particularly under favorable conditions.

Reproduction

The vulnerability can be reproduced by allocating a heap-based pixel buffer and passing it to 'sixel_encoder_encode_bytes()'. When the encoder is set to resize the frame, the library frees the original buffer without the caller's permission. Accessing the buffer after it has been freed triggers the use-after-free. This can be automated with a proof-of-concept program that manipulates the pixel buffer and exploits the memory corruption.

Remediation

Users should upgrade to libsixel version 1.8.7-r1, where this vulnerability has been fixed.

Added: Apr 14, 2026, 11:50 PM
Updated: Apr 14, 2026, 11:50 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.