libsixel Signed Integer Overflow Vulnerability Leading to Out-of-Bounds Heap Write

Vulnerability

A signed integer overflow vulnerability has been identified in libsixel, a SIXEL encoder/decoder library. This issue arises in versions 0.11.0 through 1.8.7-r1, where the SIXEL parser's image-buffer doubling loop allows an out-of-bounds heap write in the function sixel_decode_raw_impl. The vulnerability is triggered when context->pos_x, which increases by repeat_count for each SIXEL character without an upper-limit check, approaches INT_MAX. This causes the buffer sizing expression 'pos_x + repeat_count' to overflow, bypassing the resize check that prevents oversized buffers. As a result, a large, attacker-influenced offset is computed and written past the allocated memory, leading to potential memory corruption.
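To make the mechanism concrete, here is an added illustration (not libsixel's code) of the check pattern described above: a hypothetical buffer-growth test that forms 'pos_x + repeat_count' in a signed int, beside an overflow-safe version that rejects the run before the addition can wrap. The function names, the 'width' parameter and the sample values are assumptions for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a SIXEL decoder's buffer-growth check (added
 * illustration, not libsixel's code). pos_x is the current column,
 * repeat_count the run length of the next SIXEL character, and width the
 * number of columns the image buffer currently holds. */

/* Flawed pattern: the end column is computed in int. When pos_x is near
 * INT_MAX the addition overflows (undefined behaviour in C; on common
 * targets it wraps to a negative value). The wrap is modelled explicitly
 * with unsigned arithmetic so the result is deterministic here. A negative
 * end column is not greater than width, so the buffer is never grown and
 * the subsequent write lands outside the allocation. */
static bool needs_resize_flawed(int pos_x, int repeat_count, int width)
{
    int end = (int)((unsigned)pos_x + (unsigned)repeat_count); /* wraps */
    return end > width;
}

/* Hardened pattern: bound-check before adding, in standard C. Returns -1
 * when the sum would exceed INT_MAX (caller aborts decoding), 1 when the
 * buffer must grow, 0 when the run already fits. */
static int needs_resize_safe(int pos_x, int repeat_count, int width)
{
    if (pos_x < 0 || repeat_count < 0)
        return -1;
    if (repeat_count > INT_MAX - pos_x)   /* pos_x + repeat_count > INT_MAX */
        return -1;
    return (pos_x + repeat_count > width) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: column driven close to INT_MAX by maximal runs. */
    int pos_x = INT_MAX - 10, repeat_count = 65535, width = 1000;
    printf("flawed check: resize needed = %d\n",
           needs_resize_flawed(pos_x, repeat_count, width));  /* 0: OOB write */
    printf("safe check:   result = %d\n",
           needs_resize_safe(pos_x, repeat_count, width));    /* -1: rejected */
    return 0;
}
```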

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, corrupting memory by writing beyond the allocated heap space. This type of vulnerability is particularly severe in an image-decoding library, as such libraries routinely process untrusted input.

Reproduction

To reproduce this vulnerability, create a SIXEL stream that drives 'pos_x' close to 'INT_MAX' by using the maximum repeat count. This can be done by sending a sequence of SIXEL characters that increment 'pos_x' by 65535 each time, until it approaches the overflow point. Once the crafted SIXEL file is prepared, it can be decoded using 'img2sixel', a tool that processes SIXEL data. Building 'img2sixel' with AddressSanitizer enabled will help confirm the out-of-bounds write, as AddressSanitizer will report the memory corruption error.

Remediation

Users can upgrade to libsixel version 1.8.7-r2, where this vulnerability has been fixed.

Added: May 14, 2026, 9:26 PM
Updated: May 14, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.