Description: We observed an infinite recursive loop at function load_pnm() in file frompnm.c which can lead to a denial of service attack.
Command: ./img2sixel -78eIkiugv -w 4 -h 8 -q auto -l force -o out $POC
POC: REPRODUCER
DEBUG:
Gdb:
```
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────── registers ────
$rax : 0x00007fffffffd160 → 0x43434380f0314300
$rbx : 0x00007fffffffd2a0 → 0x00007fffffffd660 → 0x0000000000000000
$rcx : 0x00007fffffffd100 → 0x0000000000000000
$rdx : 0x0
$rsp : 0x00007fffffffcf50 → 0x000060400000dfd0 → 0xbebebebe00000003
$rbp : 0x00007fffffffd2c0 → 0x00007fffffffd690 → 0x00007fffffffd780 → 0x00007fffffffd7f0 → 0x00007fffffffddb0 → 0x0000000000401c00 → <__libc_csu_init+0> push r15
$rsi : 0x0
$rdi : 0x0
$rip : 0x00007ffff6c08ec1 → <load_pnm+2222> mov rax, QWORD PTR [rbp-0x2f0]
$r8  : 0x3
$r9  : 0x184d0
$r10 : 0x2b1
$r11 : 0x00007ffff6ef6ab0 → <__asan_memset+0> push rbp
$r12 : 0x00000ffffffff9fc → 0x0000000000000000
$r13 : 0x00007fffffffcfe0 → 0x0000000041b58ab3
$r14 : 0x00007fffffffcfe0 → 0x0000000041b58ab3
$r15 : 0x0
$eflags: [CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────────────────────────────────────────────────────────── stack ────
0x00007fffffffcf50│+0x0000: 0x000060400000dfd0 → 0xbebebebe00000003 ← $rsp
0x00007fffffffcf58│+0x0008: 0x000060700000dfd4 → 0x0000000000000003
0x00007fffffffcf60│+0x0010: 0x000060700000dfd0 → 0x00000003ffffffff → 0x0000000000000000
0x00007fffffffcf68│+0x0018: 0x0000000000000000
0x00007fffffffcf70│+0x0020: 0x000060700000dfcc → 0xffffffff00000000
0x00007fffffffcf78│+0x0028: 0x000060700000dfc8 → 0x0000000000000000
0x00007fffffffcf80│+0x0030: 0x000060700000dfb8 → 0x000060300000efb0 → 0xffff000000000000
0x00007fffffffcf88│+0x0038: 0x000060400000dfd0 → 0xbebebebe00000003
──────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff6c08eac <load_pnm+2201> mov    QWORD PTR [rbp-0x328], rax
   0x7ffff6c08eb3 <load_pnm+2208> lea    rax, [rbx-0x140]
   0x7ffff6c08eba <load_pnm+2215> mov    QWORD PTR [rbp-0x2f0], rax
 → 0x7ffff6c08ec1 <load_pnm+2222> mov    rax, QWORD PTR [rbp-0x2f0]
   0x7ffff6c08ec8 <load_pnm+2229> mov    rdx, rax
   0x7ffff6c08ecb <load_pnm+2232> shr    rdx, 0x3
   0x7ffff6c08ecf <load_pnm+2236> add    rdx, 0x7fff8000
   0x7ffff6c08ed6 <load_pnm+2243> movzx  edx, BYTE PTR [rdx]
   0x7ffff6c08ed9 <load_pnm+2246> test   dl, dl
──────────────────────────────────────────────────────────── source:frompnm.c+229 ────
    224     for (y = 0 ; y < height ; y++) {
    225         for (x = 0 ; x < width ; x++) {
    226             b = (maps == 2 ? 3 : 1);
    227             for (i = 0 ; i < b ; i++) {
    228                 if (ascii) {    // s=0x00007fffffffcfd0 → [...] → 0x43434380f0314300
 →  229                     while (*s == '\0') {
    230                         if (p >= end) {
    231                             break;
    232                         }
    233                         p = pnm_get_line(p, end, tmp);
    234                         s = tmp;
──────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "img2sixel", stopped, reason: SIGINT
──────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff6c08ec1 → load_pnm(p=0x62d00000a427 "\027", '\276' <repeats 4056 times>, length=0x28, allocator=0x60400000dfd0, result=0x60700000dfb8, psx=0x60700000dfc8, psy=0x60700000dfcc, ppalette=0x0, pncolors=0x60700000dfd0, ppixelformat=0x60700000dfd4)
[#1] 0x7ffff6c077b3 → load_with_builtin(pchunk=0x60300000efe0, fstatic=0x0, fuse_palette=0x0, reqcolors=0x100, bgcolor=0x0, loop_control=0x1, fn_load=0x7ffff6c16ad6 <load_image_callback>, context=0x610000007f40)
[#2] 0x7ffff6c0836f → sixel_helper_load_image_file(filename=0x7fffffffe2b1 "hang10", fstatic=0x0, fuse_palette=0x0, reqcolors=0x100, bgcolor=0x0, loop_control=0x1, fn_load=0x7ffff6c16ad6 <load_image_callback>, finsecure=0x1, cancel_flag=0x606ac0 <signaled>, context=0x610000007f40, allocator=0x60400000dfd0)
[#3] 0x7ffff6c16f5b → sixel_encoder_encode(encoder=0x610000007f40, filename=0x7fffffffe2b1 "hang10")
[#4] 0x4019ce → main(argc=0xd, argv=0x7fffffffde98)
```
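The source lines in the gdb session show the loop shape at issue: `while (*s == '\0')` keeps calling `pnm_get_line()` until the scratch line is non-empty, and the only exit is `p >= end`. If the line reader can return without consuming any input, `p` never reaches `end` and the loop spins, which is exactly the hang the trace above was caught in. The following C program is an added illustration of that failure mode and of the defensive check that turns it into a parse error; it is not libsixel's code and not the fix in b418f35. `toy_get_line()` is a hypothetical stand-in for `pnm_get_line()` that returns its cursor unchanged on an unexpected control byte, `first_ascii_sample()` mirrors the loop with and without a forward-progress check, `HANG_GUARD` is a demo-only iteration cap so the unguarded variant still terminates, and both sample inputs (`SAMPLE_GOOD`, `SAMPLE_CTRL`) are constructed here rather than taken from the reporter's file.

```c
#include <stdio.h>
#include <stdlib.h>

#define LINE_MAX   256
#define HANG_GUARD 1000  /* demo-only cap so the unguarded loop still terminates */

/* Hypothetical stand-in for pnm_get_line() (NOT libsixel's implementation).
 * Skips whitespace and '#' comments, copies the printable part of the next
 * line into `line`, and returns the advanced cursor. If the cursor sits on a
 * control byte that is neither whitespace nor part of a comment, nothing is
 * consumed: the function returns `p` unchanged and `line` is empty. */
static const unsigned char *
toy_get_line(const unsigned char *p, const unsigned char *end, char *line)
{
    int n = 0;

    for (;;) {
        while (p < end && (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n'))
            p++;                               /* whitespace */
        if (p < end && *p == '#') {            /* comment runs to end of line */
            while (p < end && *p != '\n')
                p++;
            continue;
        }
        break;
    }
    while (p < end && *p >= ' ' && *p != '#' && n < LINE_MAX - 1)
        line[n++] = (char)*p++;                /* printable payload only */
    line[n] = '\0';
    return p;                                  /* == original p on a control byte */
}

/* Mirrors the loop shown at frompnm.c:229-234. Returns the first decimal
 * sample in [p, end), -1 if the input is exhausted or malformed, or -2 when
 * the unguarded variant would spin (only the demo cap stops it).
 * guarded == 0 reproduces the original shape; guarded == 1 adds a check
 * that the line reader actually advanced the cursor. */
static int
first_ascii_sample(const unsigned char *p, const unsigned char *end, int guarded)
{
    char tmp[LINE_MAX] = "";
    const char *s = tmp;
    int iters = 0;

    while (*s == '\0') {
        const unsigned char *before = p;
        if (p >= end)
            return -1;                         /* clean end of data */
        p = toy_get_line(p, end, tmp);
        s = tmp;
        if (guarded && p == before)
            return -1;                         /* no progress: reject the input */
        if (!guarded && ++iters > HANG_GUARD)
            return -2;                         /* would loop forever */
    }
    {
        char *endp;
        long v = strtol(s, &endp, 10);
        return endp == s ? -1 : (int)v;
    }
}

/* Constructed inputs (not the issue's reproducer). SAMPLE_CTRL starts with
 * a control byte, the class of input that stalls a non-advancing reader. */
static const unsigned char SAMPLE_GOOD[] = "  # leading comment\n\n42 7\n";
static const unsigned char SAMPLE_CTRL[] = { 0x17, 0xbe, 0xbe, 0xbe };

int run_good(int guarded)
{
    return first_ascii_sample(SAMPLE_GOOD, SAMPLE_GOOD + sizeof SAMPLE_GOOD - 1, guarded);
}

int run_ctrl(int guarded)
{
    return first_ascii_sample(SAMPLE_CTRL, SAMPLE_CTRL + sizeof SAMPLE_CTRL, guarded);
}

int main(void)
{
    printf("good input: unguarded=%d guarded=%d\n", run_good(0), run_good(1));
    printf("ctrl input: unguarded=%d guarded=%d\n", run_ctrl(0), run_ctrl(1));
    return 0;
}
```

Build with `cc -Wall -o pnm_progress pnm_progress.c` and run it: the well-formed input yields 42 either way, the control-byte input is reported as a would-hang (-2) by the unguarded loop only because of the demo cap, and the guarded loop rejects it (-1) on its first iteration. The rule generalises beyond PNM to any `while (!have_token) advance()` parser: when a loop's termination depends on a callee moving a cursor, verify that the cursor actually moved and treat a non-advancing call as a parse error instead of retrying, since an attacker-supplied file otherwise costs only a few bytes to pin the process.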
This issue has been assigned CVE-2019-11024.
Fix for infinite recursive loop problem in load_pnm() (#85),
b418f35
Thanks to @Loginsoft-Research
Fixed on v1.8.4, Thanks!