oss-sec mailing list archives

xterm buffer overflow via crafted sixel

From: nick black <dankamongmen () gmail com>
Date: Sun, 30 Jan 2022 12:27:38 -0500

howdy! in the hopes of further distributing my computing into
your terminal emulators, i this morning learned that i can
control writes to memory from XTerm's context via the method of
crafted sixel. en garde, i'll let you try my wu-tang style.

this was discovered while working on Notcurses bug #2573:

 https://github.com/dankamongmen/notcurses/issues/2573

an error of mine own led to emission of a corrupted sixel [0], and
spectacular gyrations from XTerm:

==1426124== Invalid write of size 2
==1426124==    at 0x193FF1: set_sixel (graphics_sixel.c:181)
==1426124==    by 0x1949E1: parse_sixel (graphics_sixel.c:534)
==1426124==    by 0x17203D: do_dcs (misc.c:4973)
==1426124==    by 0x149E03: doparsing.constprop.0 (charproc.c:4224)
==1426124==    by 0x14B383: VTparse (charproc.c:5183)
==1426124==    by 0x14B670: VTRun (charproc.c:8163)
==1426124==    by 0x12DC49: main (main.c:2911)
==1426124==  Address 0xffffffff0941efb8 is not stack'd, malloc'd or (recently) free'd
==1426124==
==1426124==
==1426124== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==1426124==  Access not within mapped region at address 0xFFFFFFFF0941EFB8
==1426124==    at 0x193FF1: set_sixel (graphics_sixel.c:181)
==1426124==    by 0x1949E1: parse_sixel (graphics_sixel.c:534)
==1426124==    by 0x17203D: do_dcs (misc.c:4973)
==1426124==    by 0x149E03: doparsing.constprop.0 (charproc.c:4224)
==1426124==    by 0x14B383: VTparse (charproc.c:5183)
==1426124==    by 0x14B670: VTRun (charproc.c:8163)
==1426124==    by 0x12DC49: main (main.c:2911)

I reported this to Mr. Thomas Dickey, the Archfather, and
offered to put a patch together this evening. I also told him I
probably wouldn't bother with a CVE, regarding which I clearly
changed my mind pretty much immediately. Sorry, my good man =\.

This requires that XTerm was built with Sixel support, and that
the XTerm configuration interprets Sixels.
 
--nick

[0] "a man of genius makes no mistakes -- his errors are
  volitional, and the portals to discovery." (james joyce).
  nah, just kidding, i totally screwed it up.

-- 
nick black -=- https://www.nick-black.com
to make an apple pie from scratch,
you need first invent a universe.

Attachment: signature.asc
Description:

Current thread:

xterm buffer overflow via crafted sixel nick black (Jan 30)
- Re: xterm buffer overflow via crafted sixel Tavis Ormandy (Jan 30)
  - Re: Re: xterm buffer overflow via crafted sixel Jakub Wilk (Jan 31)
- Re: xterm buffer overflow via crafted sixel Salvatore Bonaccorso (Jan 30)