GIFLIB: heap buffer overflow in DumpScreen2RGB

Description
giflib is a library for reading and writing GIF images. It is API- and ABI-compatible with libungif, which was in wide use while the LZW compression algorithm was patented.
The DumpScreen2RGB function in util/gif2rgb.c allows attackers to cause a denial of service (heap buffer overflow) via a crafted GIF file. Running gif2rgb under AddressSanitizer on such a file reports a one-byte out-of-bounds read at gif2rgb.c:317:
#gif2rgb -o out.gif $FILE
=================================================================
==3815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e0bd at pc 0x000000403095 bp 0x7ffcc19602b0 sp 0x7ffcc19602a8
READ of size 1 at 0x60400000e0bd thread T0
#0 0x403094 in DumpScreen2RGB /home/haojun/Downloads/testopensourcecode/giflib-5.1.4/util/gif2rgb.c:317
#1 0x404553 in GIF2RGB /home/haojun/Downloads/testopensourcecode/giflib-5.1.4/util/gif2rgb.c:474
#2 0x404a7a in main /home/haojun/Downloads/testopensourcecode/giflib-5.1.4/util/gif2rgb.c:525
#3 0x7f27b384db34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
#4 0x4016c8 (/home/haojun/Downloads/testopensourcecode/giflib_build/bin/gif2rgb+0x4016c8)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/haojun/Downloads/testopensourcecode/giflib-5.1.4/util/gif2rgb.c:317 in DumpScreen2RGB
Shadow bytes around the buggy address:
0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9c10: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3815==ABORTING
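As an added example (not code from giflib or from this post), the C below models the check a palette-to-RGB loop like DumpScreen2RGB needs before it dereferences a colour-map entry. It assumes the fault is a pixel value used as a colour-map index at or beyond ColorCount, which fits the one-byte wild read in the report above but is not stated by the post; the struct and function names are simplified stand-ins, not giflib's real types.

```c
/* Added example, not giflib's own code: a minimal model of the check a
 * palette-to-RGB routine such as gif2rgb's DumpScreen2RGB needs. The
 * structs are simplified stand-ins, not giflib's real types. */
#include <stdint.h>
#include <stdio.h>
typedef struct { uint8_t Red, Green, Blue; } Rgb;
typedef struct {
    int ColorCount;     /* number of valid palette entries */
    const Rgb *Colors;  /* palette with ColorCount entries */
} Palette;

/* Unsafe pattern: the pixel byte indexes the palette with no check against
 * ColorCount, so pixels past the palette size read beyond the heap buffer. */
void row_to_rgb_unchecked(const Palette *pal, const uint8_t *row, size_t width, uint8_t *out)
{
    for (size_t j = 0; j < width; j++) {
        const Rgb *c = &pal->Colors[row[j]];   /* no range check; never called here */
        out[3*j] = c->Red; out[3*j+1] = c->Green; out[3*j+2] = c->Blue;
    }
}

/* Hardened version: rejects a missing palette and any pixel whose index is
 * not below ColorCount. Returns pixels written, or -1 if the row is rejected. */
int row_to_rgb(const Palette *pal, const uint8_t *row, size_t width,
               uint8_t *out /* must hold 3 * width bytes */)
{
    if (pal == NULL || pal->Colors == NULL || pal->ColorCount <= 0)
        return -1;
    for (size_t j = 0; j < width; j++) {
        if (row[j] >= pal->ColorCount)       /* would read past Colors[] */
            return -1;
        const Rgb *c = &pal->Colors[row[j]];
        out[3*j] = c->Red; out[3*j+1] = c->Green; out[3*j+2] = c->Blue;
    }
    return (int)width;
}

/* Constructed sample input: a 4-entry palette, a valid row, and a row whose
 * middle pixel (4) points one entry past the palette, as a crafted file could. */
static const Rgb kColors[4] = {{0,0,0}, {255,0,0}, {0,255,0}, {0,0,255}};
const Palette kPal = { 4, kColors };
const uint8_t kGoodRow[3] = {0, 3, 1};
const uint8_t kBadRow[3]  = {0, 4, 1};
uint8_t rgb_out[9];                          /* output for a 3-pixel row */
int main(void) {
    printf("valid row -> %d\n", row_to_rgb(&kPal, kGoodRow, 3, rgb_out));
    printf("bad row   -> %d\n", row_to_rgb(&kPal, kBadRow, 3, rgb_out));
    return 0;
}
```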
Affected version:
5.1.4
Fixed version:
N/A
Commit fix:
N/A
Credit:
ADLab of Venustech.
CVE:
N/A
Reproducer:
Timeline:
2017-04-22: bug discovered
2017-06-20: blog post about the issue
Permalink:
http://somevulnsofadlab.blogspot.com/2017/06/giflibheap-buffer-overflow-in.html