GIFLIB:memory leak in GIF2RGB

Description

giflib is a library for reading and writing gif images. It is API and ABI compatible with libungif which was in wide use while the LZW compression algorithm was patented.

The GIF2RGB function in gif2rgb.c allows attackers to cause a denial of service (memory leak) via a crafted file.

#gif2rgb -o out.gif $FILE

=================================================================
==124794==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1156 byte(s) in 34 object(s) allocated from:
#0 0x7f6288723bb8 in interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x4039bf in GIF2RGB /home/haojun/Downloads/testopensourcecode/giflib-5.1.4/util/gif2rgb.c:392
#2 0x404a7a in main /home/haojun/Downloads/testopensourcecode/giflib-5.1.4/util/gif2rgb.c:525
#3 0x7f62882c2b34 in libc_start_main (/lib64/libc.so.6+0x21b34)
Direct leak of 34 byte(s) in 1 object(s) allocated from:
#0 0x7f6288723bb8 in interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x4037d7 in GIF2RGB /home/haojun/Downloads/testopensourcecode/giflib-5.1.4/util/gif2rgb.c:385
#2 0x404a7a in main /home/haojun/Downloads/testopensourcecode/giflib-5.1.4/util/gif2rgb.c:525
#3 0x7f62882c2b34 in libc_start_main (/lib64/libc.so.6+0x21b34)
SUMMARY: AddressSanitizer: 1190 byte(s) leaked in 35 allocation(s).

Affected version:

5.1.4

Fixed version:

N/A

Commit fix:

N/A

Credit: 

ADLab of Venustech.

CVE:

N/A

Reproducer:


Timeline:

2017-04-22:bug discovered

2017-06-20:blog post about the issue


Permalink:
http://somevulnsofadlab.blogspot.com/2017/06/giflibmemory-leak-in-gif2rgb.html

评论

发表评论

此博客中的热门博文

qpdf:An infinite loop in libqpdf

Description QPDF  is a command-line program that does structural, content-preserving transformations on PDF files. An infinite loop was found in libqpdf, which allows attackers to cause a denial of service via a crafted file. #qpdf $FILE - ==10354== stack-overflow on address 0x7fffdaf46ef8 (pc 0x7fc995a7f020 bp 0x000000935760 sp 0x7fffdaf46e50 T0) #0 0x7fc995a7f01f in pcre_compile2 pcre_compile.c:7903 #1 0x8adacb in PCRE::PCRE(char const*, int) /home/haojun/Downloads/qpdf-master/libqpdf/PCRE.cc:144:18 #2 0x67d604 in QPDFTokenizer::resolveLiteral() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFTokenizer.cc:62:10 #3 0x6835cb in QPDFTokenizer::presentCharacter(char) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFTokenizer.cc:432:9 #4 0x688d3f in QPDFTokenizer::readToken(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/haojun/Downloads/qpdf-master/libqpdf/QP
阅读全文

qpdf:An infinite loop in libqpdf

Description QPDF  is a command-line program that does structural, content-preserving transformations on PDF files. An infinite loop was found in libqpdf, which allows attackers to cause a denial of service via a crafted file. #qpdf $FILE - ==52056== stack-overflow on address 0x7ffc5d511de0 (pc 0x0000005c262c bp 0x7ffc5d512a30 sp 0x7ffc5d511de0 T0) #0 0x5c262b in QPDF::resolveObjectsInStream(int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1497 #1 0x5c13b6 in QPDF::resolve(int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDF.cc:1480:6 #2 0x61e6c1 in QPDF::Resolver::resolve(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/include/qpdf/QPDF.hh:520:19 #3 0x61e6c1 in QPDFObjectHandle::dereference() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1520 #4 0x621e00 in QPDFObjectHandle::isStream() /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:226:5 #5 0x5c27ce in QPDF::resolveObjectsInStream(int) /home/haojun/Downl
阅读全文

qpdf:An infinite loop in libqpdf

Description QPDF  is a command-line program that does structural, content-preserving transformations on PDF files. An infinite loop was found in libqpdf, which allows attackers to cause a denial of service via a crafted file. #qpdf $FILE - ==29487== stack-overflow on address 0x7fff5e6b1e38 (pc 0x0000005187d2 bp 0x7fff5e6b2680 sp 0x7fff5e6b1e10 T0) #0 0x5187d1 in operator new(unsigned long) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:82 #1 0x65e604 in PointerHolder<QPDFObject>::PointerHolder(QPDFObject*, bool) /home/haojun/Downloads/qpdf-master/include/qpdf/PointerHolder.hh:75:17 #2 0x65e604 in QPDFObjectHandle::QPDFObjectHandle(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:45 #3 0x65e604 in QPDFObjectHandle::newIndirect(QPDF*, int, int) /home/haojun/Downloads/qpdf-master/libqpdf/QPDFObjectHandle.cc:1093 #4 0x5c27bf in QPDFObjectHandle::Factory::newIndirect(QPDF*, int, int)
阅读全文