Null pointer dereference at chafa-pixops.c:95 in hpjansson/chafa

Valid

Reported on

May 25th 2022


Description

Null pointer dereference in hpjansson/chafa at chafa-pixops.c:95.

Build

export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"

./autogen.sh
./configure --disable-shared

make

POC

./chafa POC
[POC](https://drive.google.com/file/d/14gSBPCTDV1fudVSvBAbLFNC77hXu0vSV/view?usp=sharing)

ASAN

(gdb) r
Starting program: chafa ec0e8917-e361-4596-8c9e-494a527c0225/s02/crashes/id:000000,sig:11,src:000246,time:83787606,execs:1208522,op:havoc,rep:16
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff0723700 (LWP 32331)]
[New Thread 0x7fffeff14700 (LWP 32332)]
[New Thread 0x7fffef6fd700 (LWP 32333)]
[New Thread 0x7fffeeee6700 (LWP 32334)]
[New Thread 0x7fffee6cf700 (LWP 32335)]
[New Thread 0x7fffedeb8700 (LWP 32336)]
[New Thread 0x7fffed6a1700 (LWP 32337)]
[New Thread 0x7fffece8a700 (LWP 32338)]

Thread 1 "chafa" received signal SIGSEGV, Segmentation fault.
0x0000000000652ea1 in sum_histograms (hist_in=0x0, hist_accum=0x7fffffff9fb8) at chafa-pixops.c:95
95          hist_accum->n_samples += hist_in->n_samples;
(gdb) bt
#0  0x0000000000652ea1 in sum_histograms (hist_in=0x0, hist_accum=0x7fffffff9fb8) at chafa-pixops.c:95
#1  pass_1_post (batch=<optimized out>, prep_ctx=<optimized out>) at chafa-pixops.c:552
#2  0x0000000000625d6b in chafa_process_batches
    (ctx=<optimized out>, batch_func=<optimized out>, post_func=<optimized out>, n_rows=<optimized out>, n_batches=<optimized out>, batch_unit=<optimized out>) at chafa-batch.c:117
#3  0x000000000064d6f8 in prepare_pixels_pass_1 (prep_ctx=0x7fffffff9f60) at chafa-pixops.c:577
#4  chafa_prepare_pixel_data_for_symbols
    (palette=<optimized out>, dither=<optimized out>, color_space=<optimized out>, preprocessing_enabled=<optimized out>, work_factor=<optimized out>, src_pixel_type=<optimized out>, src_pixels=<optimized out>, src_width=<optimized out>, src_height=<optimized out>, src_rowstride=<optimized out>, dest_pixels=<optimized out>, dest_width=<optimized out>, dest_height=<optimized out>) at chafa-pixops.c:781
#5  0x000000000050ccfb in chafa_canvas_draw_all_pixels
    (canvas=0x62a000006200, src_pixel_type=<optimized out>, src_pixels=<optimized out>, src_width=<optimized out>, src_height=<optimized out>, src_rowstride=<optimized out>) at chafa-canvas.c:1523
#6  0x00000000004dddce in build_string
    (pixel_type=CHAFA_PIXEL_RGBA8_UNASSOCIATED, pixels=0x60200000a650 "", src_width=1, src_height=1, src_rowstride=4, dest_width=<optimized out>, dest_height=<optimized out>) at chafa.c:1675
#7  run_generic (filename=<optimized out>, is_first_file=1, is_first_frame=<optimized out>, quiet=<optimized out>)
    at chafa.c:1803
#8  run
    (filename=<optimized out>, is_first_file=<optimized out>, is_first_frame=<optimized out>, quiet=<optimized out>)
    at chafa.c:1900
#9  0x00000000004d00ca in run_all (filenames=<optimized out>) at chafa.c:1957
#10 main (argc=
Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0x10d0e9:
(gdb) list 95
90      static void
91      sum_histograms (const Histogram *hist_in, Histogram *hist_accum)
92      {
93          gint i;
94
95          hist_accum->n_samples += hist_in->n_samples;
96
97          for (i = 0; i < INTENSITY_MAX; i++)
98          {
99              hist_accum->c [i] += hist_in->c [i];
(gdb) p hist_in
$1 = (const Histogram *) 0x0
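The backtrace shows pass_1_post passing hist_in=0x0 into sum_histograms while processing a 1x1 source image (src_width=1, src_height=1 in frame #6), and the maintainer's comment below notes the crash only reproduces with 12 threads. The following added example, written for this page and not taken from chafa, models that situation: a row range that is split into more batches than there are rows leaves trailing batches with no work, a worker hands back a NULL histogram for such a batch, and an accumulator written like the one in the listing dereferences it. The batch split, the worker, the value of INTENSITY_MAX and all function names are assumptions made for illustration; the guarded accumulator is one possible mitigation, not the project's actual fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Same constant name as chafa-pixops.c; the value 256 is an assumption. */
#define INTENSITY_MAX 256

typedef struct {
    long n_samples;
    long c[INTENSITY_MAX];
} Histogram;

/* Same shape as the sum_histograms() shown in the gdb listing: hist_in is
 * dereferenced unconditionally, so a NULL batch histogram is a crash. */
static void sum_histograms_unchecked(const Histogram *hist_in, Histogram *hist_accum)
{
    int i;
    hist_accum->n_samples += hist_in->n_samples;
    for (i = 0; i < INTENSITY_MAX; i++)
        hist_accum->c[i] += hist_in->c[i];
}

/* Guarded variant: a batch that processed no rows contributes nothing. */
static void sum_histograms_checked(const Histogram *hist_in, Histogram *hist_accum)
{
    if (hist_in == NULL)
        return;
    sum_histograms_unchecked(hist_in, hist_accum);
}

/* Hypothetical row split (not chafa's): batch b gets rows [start, end).
 * With ceil(n_rows / n_batches) rows per batch, the trailing batches are
 * empty whenever n_rows < n_batches, e.g. a 1-row image split 12 ways. */
static void batch_range(int n_rows, int n_batches, int b, int *start, int *end)
{
    int per = (n_rows + n_batches - 1) / n_batches;
    *start = b * per < n_rows ? b * per : n_rows;
    *end = (b + 1) * per < n_rows ? (b + 1) * per : n_rows;
}

/* How many of n_batches receive no rows at all. */
int count_empty_batches(int n_rows, int n_batches)
{
    int b, start, end, empty = 0;
    for (b = 0; b < n_batches; b++) {
        batch_range(n_rows, n_batches, b, &start, &end);
        if (start >= end)
            empty++;
    }
    return empty;
}

/* Worker for one batch over a constructed 8-bit grayscale buffer. Returns
 * NULL when the batch had no rows, the situation the crash above runs into. */
static Histogram *pass_1_batch(const unsigned char *gray, int width, int start, int end)
{
    Histogram *h;
    int x, y;
    if (start >= end)
        return NULL;
    h = calloc(1, sizeof *h);
    if (h == NULL)
        return NULL;
    for (y = start; y < end; y++)
        for (x = 0; x < width; x++) {
            h->c[gray[y * width + x]]++;
            h->n_samples++;
        }
    return h;
}

/* Post pass over all batches with the guarded accumulator. Returns the total
 * sample count, which must equal width * height whatever n_batches is. */
long total_samples(int width, int height, int n_batches)
{
    unsigned char *gray = calloc((size_t) width * height, 1); /* constructed all-black image */
    Histogram accum = {0};
    int b, start, end;
    if (gray == NULL)
        return -1;
    for (b = 0; b < n_batches; b++) {
        Histogram *h;
        batch_range(height, n_batches, b, &start, &end);
        h = pass_1_batch(gray, width, start, end);
        sum_histograms_checked(h, &accum); /* safe even when h == NULL */
        free(h);
    }
    free(gray);
    return accum.n_samples;
}

int main(void)
{
    printf("1x1 image, 12 batches: %d empty batches\n", count_empty_batches(1, 12));
    printf("samples accumulated: %ld\n", total_samples(1, 1, 12));
    return 0;
}
```

Swapping sum_histograms_checked for sum_histograms_unchecked in total_samples reproduces the segfault on the 1x1, 12-batch case, which is why the NULL check (or, equivalently, never creating an empty batch) is the defensive point of the example.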

Impact

This vulnerability can be used to cause a denial of service: the crafted input file crashes chafa with a segmentation fault.

References

We are processing your report and will contact the hpjansson/chafa team within 24 hours. a year ago
We have contacted a member of the hpjansson/chafa team and are waiting to hear back a year ago
Hans Petter Jansson gave praise a year ago
Good find, thanks. I can recreate this using 12 threads (i.e. `chafa --threads 12 POC`) but not fewer. Likely something up with the batching. Will have a fix soon.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a follow up to the hpjansson/chafa team. We will try again in 7 days. a year ago
We have sent a second follow up to the hpjansson/chafa team. We will try again in 10 days. a year ago
Hans Petter Jansson validated this vulnerability a year ago
Han0nly has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Hans Petter Jansson marked this as fixed in 1.12.0 with commit 3497f4 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE