Package: release.debian.org Severity: normal Tags: patch security X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
The patch fixes: CVE-2018-19756 CVE-2018-19757 CVE-2018-19759 CVE-2018-19761 CVE-2018-19762 CVE-2018-19763 CVE-2019-3573 CVE-2019-3574
diff --git a/debian/changelog b/debian/changelog
index b00aee0..bcffff3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+libsixel (1.8.2-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * d/patches/0001-Add-malloc-size-check.patch: fix CVE-2018-19756
+ * d/patches/0002-assign-default-error-message.patch: fix CVE-2018-19757
+ * d/patches/0003-add-limitation-to-width-and-height.patch: fix CVE-2018-19759
+ * d/patches/0004-position-error-check.patch: fix CVE-2018-19761
+ * d/patches/0005-size-check.patch: fix CVE-2018-19762
+ * d/patches/0006-prevent-to-access-heap-overflow.patch: fix CVE-2018-19763
+ * d/patches/0007-check-error-for-jpeg_read_scanlines.patch: fix CVE-2019-3573
+ * d/patches/0008-check-number-of-repeat_count.patch: fix CVE-2019-3574
+
+ -- NOKUBI Takatsugu <k...@daionet.gr.jp> Mon, 09 Sep 2019 12:42:52 +0900
+
 libsixel (1.8.2-1) unstable; urgency=medium
 
 * New upstream, security fix (closes: #903858)
diff --git a/debian/patches/0001-Add-malloc-size-check.patch b/debian/patches/0001-Add-malloc-size-check.patch
new file mode 100644
index 0000000..b53305f
--- /dev/null
+++ b/debian/patches/0001-Add-malloc-size-check.patch
@@ -0,0 +1,24 @@
+From: Takatsugu Nokubi <takatsugu.nok...@robotfund.co.jp>
+Date: Mon, 8 Jul 2019 13:46:11 +0900
+Subject: Add malloc size check
+
+---
+ src/allocator.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/allocator.c b/src/allocator.c
+index b9b2d02..bb0c009 100644
+--- a/src/allocator.c
++++ b/src/allocator.c
+@@ -147,6 +147,11 @@ sixel_allocator_malloc(
+ assert(allocator);
+ assert(allocator->fn_malloc);
+
++ if (n == 0) {
++ sixel_helper_set_additional_message(
++ "sixel_allocator_malloc: called with n == 0");
++ return NULL;
++ }
+ return allocator->fn_malloc(n);
+ }
+
diff --git a/debian/patches/0002-assign-default-error-message.patch b/debian/patches/0002-assign-default-error-message.patch
new file mode 100644
index 0000000..c7d4687
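Review bot: In 0001-Add-malloc-size-check.patch, the new guard in `sixel_allocator_malloc` rejects only `n == 0`, so a size that wrapped in the caller to a huge or a small non-zero value still goes straight to `fn_malloc`. If the goal is to keep image-derived sizes from driving the allocation, an upper bound belongs in the same test, e.g. `if (n == 0 || n > MAX_ALLOC_BYTES_PLACEHOLDER) {` with the limit defined once for the library (the constant name here is a placeholder, not taken from the page). Only this function is visible in the hunk, so whether the calloc/realloc wrappers get an equivalent check should be confirmed; the start of the function lies outside the hunk.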
--- /dev/null
+++ b/debian/patches/0002-assign-default-error-message.patch
@@ -0,0 +1,21 @@
+From: Takatsugu Nokubi <takatsugu.nok...@robotfund.co.jp>
+Date: Tue, 23 Jul 2019 17:12:43 +0900
+Subject: assign default error message
+
+---
+ src/stb_image.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/stb_image.h b/src/stb_image.h
+index 2673809..09ebbd5 100644
+--- a/src/stb_image.h
++++ b/src/stb_image.h
+@@ -845,6 +845,8 @@ static const char *stbi__g_failure_reason;
+
+ STBIDEF const char *stbi_failure_reason(void)
+ {
++ if (stbi__g_failure_reason == NULL)
++ stbi__g_failure_reason = "unknwon error, refer error message before assignment";
+ return stbi__g_failure_reason;
+ }
+
diff --git a/debian/patches/0003-add-limitation-to-width-and-height.patch b/debian/patches/0003-add-limitation-to-width-and-height.patch
new file mode 100644
index 0000000..63528b8
--- /dev/null
+++ b/debian/patches/0003-add-limitation-to-width-and-height.patch
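Review bot: In 0002-assign-default-error-message.patch, `stbi_failure_reason()` now writes to the file-scope `stbi__g_failure_reason` from what callers use as a read-only getter, and the fallback text is misspelled (`unknwon`). Returning the fallback without storing it keeps the NULL protection for callers that format the string and avoids the write to shared state: `return stbi__g_failure_reason ? stbi__g_failure_reason : "unknown error";`. A one-line comment saying that NULL means no decoder has recorded a reason yet would explain why the fallback exists.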
@@ -0,0 +1,39 @@
+From: Takatsugu Nokubi <takatsugu.nok...@robotfund.co.jp>
+Date: Thu, 1 Aug 2019 14:59:58 +0900
+Subject: add limitation to width and height
+
+---
+ include/sixel.h.in | 3 +++
+ src/decoder.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/include/sixel.h.in b/include/sixel.h.in
+index 7ffe90f..4365c67 100644
+--- a/include/sixel.h.in
++++ b/include/sixel.h.in
+@@ -366,6 +366,9 @@ typedef int SIXELSTATUS;
+ #define SIXEL_OPTFLAG_VERSION ('V') /* -V, --version: show version and license info */
+ #define SIXEL_OPTFLAG_HELP ('H') /* -H, --help: show this help */
+
++#define SIXEL_WIDTH_LIMIT 1000000
++#define SIXEL_HEIGHT_LIMIT 1000000
++
+ #if SIXEL_USE_DEPRECATED_SYMBOLS
+ /* output character size */
+ enum characterSize {
+diff --git a/src/decoder.c b/src/decoder.c
+index 63ab4af..c763e4d 100644
+--- a/src/decoder.c
++++ b/src/decoder.c
+@@ -315,6 +315,11 @@ sixel_decoder_decode(
+ goto end;
+ }
+
++ if (sx > SIXEL_WIDTH_LIMIT || sy > SIXEL_HEIGHT_LIMIT) {
++ status = SIXEL_BAD_INPUT;
++ goto end;
++ }
++
+ status = sixel_helper_write_image_file(indexed_pixels, sx, sy, palette,
+ SIXEL_PIXELFORMAT_PAL8,
+ decoder->output,
diff --git a/debian/patches/0004-position-error-check.patch b/debian/patches/0004-position-error-check.patch
new file mode 100644
index 0000000..126d3d7
--- /dev/null
+++ b/debian/patches/0004-position-error-check.patch
@@ -0,0 +1,23 @@
+From: Takatsugu Nokubi <takatsugu.nok...@robotfund.co.jp>
+Date: Thu, 25 Jul 2019 16:19:59 +0900
+Subject: position error check
+
+---
+ src/fromsixel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 7d8390a..1d86858 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -572,6 +572,10 @@ sixel_decode_raw_impl(
+ image->ncolors = context->color_index;
+ }
+
++ if (context->pos_x < 0 || context->pos_y < 0) {
++ status = SIXEL_BAD_INPUT;
++ goto end;
++ }
+ bits = *p - '?';
+
+ if (bits == 0) {
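Review bot: In 0003-add-limitation-to-width-and-height.patch, the check in `sixel_decoder_decode` bounds `sx` and `sy` separately at 1000000, but their product can still reach 10^12, which does not fit a 32-bit `int`, so a later `sx * sy` size computation can still overflow. The test also accepts zero and negative values, and it sits just before `sixel_helper_write_image_file`, presumably after the pixel buffer has already been produced. Consider `if (sx <= 0 || sy <= 0 || sx > SIXEL_WIDTH_LIMIT || sy > SIXEL_HEIGHT_LIMIT || sx > INT_MAX / sy) {`, plus a comment on the two `#define`s in `sixel.h.in` stating what the limits protect. The declarations of `sx` and `sy` are outside the hunk, so the `int` assumption needs confirming.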
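Review bot: In 0004-position-error-check.patch, the new `pos_x`/`pos_y` guard in `sixel_decode_raw_impl` returns `SIXEL_BAD_INPUT` without recording a reason, unlike the allocator and JPEG patches in this series, which call `sixel_helper_set_additional_message`. Adding `sixel_helper_set_additional_message("sixel_decode_raw_impl: negative cursor position");` (wording constructed for this note) makes rejected input diagnosable. The guard tests the sign only after the position was updated elsewhere; if a negative value arises from a signed addition overflowing, that overflow is already undefined behaviour and is better rejected where the addition happens, which is outside this hunk.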
diff --git a/debian/patches/0005-size-check.patch b/debian/patches/0005-size-check.patch
new file mode 100644
index 0000000..ad00ce5
--- /dev/null
+++ b/debian/patches/0005-size-check.patch
@@ -0,0 +1,21 @@
+From: Takatsugu Nokubi <takatsugu.nok...@robotfund.co.jp>
+Date: Mon, 8 Jul 2019 12:20:58 +0900
+Subject: size check
+
+---
+ src/fromsixel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 1d86858..8cc8ce0 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -290,7 +290,7 @@ image_buffer_resize(
+
+ size = (size_t)(width * height);
+ alt_buffer = (unsigned char *)sixel_allocator_malloc(allocator, size);
+- if (alt_buffer == NULL) {
++ if (alt_buffer == NULL || size == 0) {
+ /* free source image */
+ sixel_allocator_free(allocator, image->data);
+ image->data = NULL;
diff --git a/debian/patches/0006-prevent-to-access-heap-overflow.patch b/debian/patches/0006-prevent-to-access-heap-overflow.patch
new file mode 100644
index 0000000..d117429
--- /dev/null
+++ b/debian/patches/0006-prevent-to-access-heap-overflow.patch
@@ -0,0 +1,24 @@
+From: Takatsugu Nokubi <takatsugu.nok...@robotfund.co.jp>
+Date: Wed, 24 Jul 2019 15:12:49 +0900
+Subject: prevent to access heap overflow
+
+---
+ src/fromsixel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 8cc8ce0..f451c80 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -888,7 +888,10 @@ sixel_decode_raw(
+ }
+
+ *ncolors = image.ncolors + 1;
+- *palette = (unsigned char *)sixel_allocator_malloc(allocator, (size_t)(*ncolors * 3));
++ int alloc_size = *ncolors;
++ if (alloc_size < 256) // memory access range should be 0 <= 255 (in write_png_to_file)
++ alloc_size = 256;
++ *palette = (unsigned char *)sixel_allocator_malloc(allocator, (size_t)(alloc_size * 3));
+ if (palette == NULL) {
+ sixel_allocator_free(allocator, image.data);
+ sixel_helper_set_additional_message(
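Review bot: In 0005-size-check.patch, `size = (size_t)(width * height)` in `image_buffer_resize` multiplies before the cast, so if `width` and `height` are `int` (their declarations are outside the hunk) the product can overflow before `size` is examined; the added `|| size == 0` catches only a result of exactly zero. With patch 0001 applied the allocator already returns NULL for a zero size, which makes the added test redundant. Validating before the multiplication addresses the cause: reject when `width <= 0 || height <= 0 || (size_t)width > SIZE_MAX / (size_t)height`, then compute `size = (size_t)width * (size_t)height;`.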
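Review bot: In 0006-prevent-to-access-heap-overflow.patch, the failure test after the new `sixel_allocator_malloc` call in `sixel_decode_raw` still reads `if (palette == NULL)`, which checks the out-parameter itself rather than the buffer just stored through it; it should be `if (*palette == NULL) {`. Padding the palette to 256 entries also leaves the bytes beyond `*ncolors * 3` uninitialised, so a consumer that reads all 256 entries (the comment names `write_png_to_file`) would copy stale heap contents into its output; `memset(*palette, 0, (size_t)alloc_size * 3);` after a successful allocation avoids that. The multiplication `alloc_size * 3` is still done in `int` before the cast; `(size_t)alloc_size * 3` is safer. The remainder of the function is outside the hunk.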
diff --git a/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch b/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch
new file mode 100644
index 0000000..23dfbba
--- /dev/null
+++ b/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch
@@ -0,0 +1,26 @@
+From: NOKUBI Takatsugu <k...@daionet.gr.jp>
+Date: Fri, 30 Aug 2019 11:33:15 +0900
+Subject: check error for jpeg_read_scanlines
+
+---
+ src/loader.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/loader.c b/src/loader.c
+index cb1e61f..823571d 100644
+--- a/src/loader.c
++++ b/src/loader.c
+@@ -195,7 +195,12 @@ load_jpeg(unsigned char **result,
+
+ while (cinfo.output_scanline < cinfo.output_height) {
+ jpeg_read_scanlines(&cinfo, buffer, 1);
+- memcpy(*result + (cinfo.output_scanline - 1) * row_stride, buffer[0], row_stride);
++ if (cinfo.err->num_warnings > 0) {
++ sixel_helper_set_additional_message(
++ "jpeg_read_scanlines: error/warining occuered.");
++ status = SIXEL_BAD_INPUT;
++ goto end;
++ } memcpy(*result + (cinfo.output_scanline - 1) * row_stride, buffer[0], row_stride);
+ }
+
+ status = SIXEL_OK;
diff --git a/debian/patches/0008-check-number-of-repeat_count.patch b/debian/patches/0008-check-number-of-repeat_count.patch
new file mode 100644
index 0000000..bde6e5f
--- /dev/null
+++ b/debian/patches/0008-check-number-of-repeat_count.patch
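Review bot: In 0007-check-error-for-jpeg_read_scanlines.patch, the return value of `jpeg_read_scanlines` in `load_jpeg` is still ignored, so when no row is delivered `cinfo.output_scanline` may not have advanced and `(cinfo.output_scanline - 1) * row_stride` in the following `memcpy` can point outside `*result`. Testing `if (jpeg_read_scanlines(&cinfo, buffer, 1) != 1 || cinfo.err->num_warnings > 0) {` covers that case together with the warning counter. The closing brace and the `memcpy` now share one line (`} memcpy(...)`) and the message has typos (`warining occuered`); both are worth tidying. The `end:` label is outside the hunk, so it should be confirmed that this new exit path releases the decompressor and `*result`.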
@@ -0,0 +1,24 @@
+From: NOKUBI Takatsugu <k...@daionet.gr.jp>
+Date: Fri, 30 Aug 2019 11:37:02 +0900
+Subject: check number of repeat_count
+
+---
+ src/fromsixel.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index f451c80..bc7dfbe 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -733,6 +733,11 @@ sixel_decode_raw_impl(
+ if (context->repeat_count == 0) {
+ context->repeat_count = 1;
+ }
++ if (context->repeat_count > 0x7fff) { /* check too huge number
++*/
++ status = SIXEL_BAD_INPUT;
++ goto end;
++ }
+ context->state = PS_DECSIXEL;
+ context->param = 0;
+ context->nparams = 0;
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..113b98e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,8 @@
+0001-Add-malloc-size-check.patch
+0002-assign-default-error-message.patch
+0003-add-limitation-to-width-and-height.patch
+0004-position-error-check.patch
+0005-size-check.patch
+0006-prevent-to-access-heap-overflow.patch
+0007-check-error-for-jpeg_read_scanlines.patch
+0008-check-number-of-repeat_count.patch
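Review bot: In 0008-check-number-of-repeat_count.patch, the bound in `sixel_decode_raw_impl` tests `context->repeat_count > 0x7fff` only after the count has been fully accumulated, so if `repeat_count` is a signed `int` (its declaration is outside the hunk) a long digit run may already have overflowed to a negative value that passes both this test and the `== 0` normalisation above it. Rejecting negatives as well, `if (context->repeat_count < 0 || context->repeat_count > 0x7fff) {`, or bounding the value while the digits are parsed, closes that gap. The limit would read better as a named constant, and the comment is split across two lines (`/* check too huge number` then `*/`); a single-line `/* reject oversized repeat counts */` is clearer.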