libsixel NULL Pointer Dereference Vulnerability in SIXEL Decoding Functions

A NULL pointer dereference vulnerability has been identified in libsixel versions 1.0.0 through 1.8.7-r1. The issue arises in the functions sixel_decode_raw and the deprecated sixel_decode, where a faulty NULL check after a memory allocation call allows for a NULL pointer dereference when the allocation fails. Instead of checking the value returned by malloc, the check incorrectly verifies the address of the output parameter, which is always non-NULL. As a result, when memory allocation fails, the function continues executing and writes through a NULL pointer, leading to a process crash. This vulnerability causes a denial-of-service condition for any caller of these public APIs that experiences low memory.

Impact

Exploitation of this vulnerability causes a process crash, creating a denial-of-service condition for applications that use the affected libsixel decoding functions under memory pressure.

Reproduction

The vulnerability can be reproduced by using a custom memory allocator that simulates allocation failures. This can be done by creating a stub allocator that returns NULL, and then using this allocator with the sixel_decode_raw function. The process will segfault due to the NULL pointer dereference before reaching the end of the function.

Remediation

Users can upgrade to libsixel version 1.8.7-r2, where this vulnerability has been fixed.