Null pointer dereference at chafa-pixops.c:95 in hpjansson/chafa

Valid

Reported on

May 25th 2022


Description

Null pointer dereference in hpjansson/chafa at chafa-pixops.c:95.

Build

export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"

./autogen.sh
./configure --disable-shared

make

POC

./chafa POC
[POC](https://drive.google.com/file/d/14gSBPCTDV1fudVSvBAbLFNC77hXu0vSV/view?usp=sharing)

ASAN

(gdb) r
Starting program: chafa ec0e8917-e361-4596-8c9e-494a527c0225/s02/crashes/id:000000,sig:11,src:000246,time:83787606,execs:1208522,op:havoc,rep:16
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff0723700 (LWP 32331)]
[New Thread 0x7fffeff14700 (LWP 32332)]
[New Thread 0x7fffef6fd700 (LWP 32333)]
[New Thread 0x7fffeeee6700 (LWP 32334)]
[New Thread 0x7fffee6cf700 (LWP 32335)]
[New Thread 0x7fffedeb8700 (LWP 32336)]
[New Thread 0x7fffed6a1700 (LWP 32337)]
[New Thread 0x7fffece8a700 (LWP 32338)]

Thread 1 "chafa" received signal SIGSEGV, Segmentation fault.
0x0000000000652ea1 in sum_histograms (hist_in=0x0, hist_accum=0x7fffffff9fb8) at chafa-pixops.c:95
95          hist_accum->n_samples += hist_in->n_samples;
(gdb) bt
#0  0x0000000000652ea1 in sum_histograms (hist_in=0x0, hist_accum=0x7fffffff9fb8) at chafa-pixops.c:95
#1  pass_1_post (batch=<optimized out>, prep_ctx=<optimized out>) at chafa-pixops.c:552
#2  0x0000000000625d6b in chafa_process_batches
    (ctx=<optimized out>, batch_func=<optimized out>, post_func=<optimized out>, n_rows=<optimized out>, n_batches=<optimized out>, batch_unit=<optimized out>) at chafa-batch.c:117
#3  0x000000000064d6f8 in prepare_pixels_pass_1 (prep_ctx=0x7fffffff9f60) at chafa-pixops.c:577
#4  chafa_prepare_pixel_data_for_symbols
    (palette=<optimized out>, dither=<optimized out>, color_space=<optimized out>, preprocessing_enabled=<optimized out>, work_factor=<optimized out>, src_pixel_type=<optimized out>, src_pixels=<optimized out>, src_width=<optimized out>, src_height=<optimized out>, src_rowstride=<optimized out>, dest_pixels=<optimized out>, dest_width=<optimized out>, dest_height=<optimized out>) at chafa-pixops.c:781
#5  0x000000000050ccfb in chafa_canvas_draw_all_pixels
    (canvas=0x62a000006200, src_pixel_type=<optimized out>, src_pixels=<optimized out>, src_width=<optimized out>, src_height=<optimized out>, src_rowstride=<optimized out>) at chafa-canvas.c:1523
#6  0x00000000004dddce in build_string
    (pixel_type=CHAFA_PIXEL_RGBA8_UNASSOCIATED, pixels=0x60200000a650 "", src_width=1, src_height=1, src_rowstride=4, dest_width=<optimized out>, dest_height=<optimized out>) at chafa.c:1675
#7  run_generic (filename=<optimized out>, is_first_file=1, is_first_frame=<optimized out>, quiet=<optimized out>)
    at chafa.c:1803
#8  run
    (filename=<optimized out>, is_first_file=<optimized out>, is_first_frame=<optimized out>, quiet=<optimized out>)
    at chafa.c:1900
#9  0x00000000004d00ca in run_all (filenames=<optimized out>) at chafa.c:1957
#10 main (argc=Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0x10d0e9:
(gdb) list 95
90      static void
91      sum_histograms (const Histogram *hist_in, Histogram *hist_accum)
92      {
93          gint i;
94
95          hist_accum->n_samples += hist_in->n_samples;
96
97          for (i = 0; i < INTENSITY_MAX; i++)
98          {
99              hist_accum->c [i] += hist_in->c [i];
(gdb) p hist_in
$1 = (const Histogram *) 0x0

Impact

This vulnerability can be used to cause a denial of service (DoS): a crafted input crashes the chafa process with a NULL pointer dereference.
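The crash site above is `sum_histograms` adding a per-batch histogram whose pointer is NULL into the accumulator. The C below is an added example, not chafa's code: it places a function with the same unchecked shape next to a NULL-guarded form and drives both from a hypothetical batch split (constructed here; the real split in chafa-batch.c is not on this page) in which one image row spread over 12 batches leaves most batch histogram slots NULL. The split is an assumption, chosen to mirror the 1x1 image in the backtrace and the 12-thread reproduction noted by the maintainer.

```c
#include <stdlib.h>
#include <string.h>

#define INTENSITY_MAX 256
typedef struct { int n_samples; int c[INTENSITY_MAX]; } Histogram;

/* Same shape as the function at chafa-pixops.c:95 in the report: hist_in is
 * dereferenced unconditionally, so a NULL batch histogram faults on line 95. */
static void sum_histograms_unchecked (const Histogram *hist_in, Histogram *hist_accum)
{
    int i;
    hist_accum->n_samples += hist_in->n_samples;
    for (i = 0; i < INTENSITY_MAX; i++)
        hist_accum->c[i] += hist_in->c[i];
}

/* Hardened form: a batch that produced no histogram contributes nothing. */
static void sum_histograms_checked (const Histogram *hist_in, Histogram *hist_accum)
{
    if (hist_in == NULL) return;
    sum_histograms_unchecked (hist_in, hist_accum);
}

/* Hypothetical batch split (constructed for this example, not chafa's code):
 * n_rows rows of a 1-pixel-wide image are spread over n_batches workers; a
 * batch that receives zero rows leaves its histogram slot NULL.  Returns how
 * many NULL slots the checked post pass skipped. */
static int accumulate_batches (int n_rows, int n_batches, Histogram *accum)
{
    Histogram **hists = calloc ((size_t) n_batches, sizeof *hists);
    int b, skipped = 0;
    memset (accum, 0, sizeof *accum);
    for (b = 0; b < n_batches; b++) {
        int first = b * n_rows / n_batches;
        int last = (b + 1) * n_rows / n_batches;        /* exclusive */
        if (last > first) {
            hists[b] = calloc (1, sizeof (Histogram));
            hists[b]->n_samples = last - first;           /* one sample per row */
            hists[b]->c[128] = last - first;              /* constructed mid-grey pixels */
        }
    }
    for (b = 0; b < n_batches; b++) {
        if (hists[b] == NULL) skipped++;                  /* unchecked variant faults here */
        sum_histograms_checked (hists[b], accum);
        free (hists[b]);
    }
    free (hists);
    return skipped;
}
```

With one row and 12 batches only the last batch receives work, so 11 NULL histograms reach the post pass; with 24 rows every batch has rows and nothing is skipped.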

References

We are processing your report and will contact the hpjansson/chafa team within 24 hours. a month ago
We have contacted a member of the hpjansson/chafa team and are waiting to hear back a month ago
Hans Petter Jansson gave praise a month ago
Good find, thanks. I can recreate this using 12 threads (i.e. `chafa --threads 12 POC`) but not fewer. Likely something up with the batching. Will have a fix soon.
We have sent a follow up to the hpjansson/chafa team. We will try again in 7 days. a month ago
We have sent a second follow up to the hpjansson/chafa team. We will try again in 10 days. 21 days ago
Hans Petter Jansson validated this vulnerability 20 days ago
Han0nly has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hans Petter Jansson confirmed that a fix has been merged on 3497f4 20 days ago
The fix bounty has been dropped