Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

out of bound read while running gifsicle with "gifsicle --dither --use-col=bw poc -o output" option

Running 'gifsicle --dither --use-col=bw poc -o output' with the attached file raises an out-of-bounds read, which may allow a remote attacker to cause a denial of service or information disclosure with a crafted file. I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------
june@yuweol:~/poc/gifsicle/crash2$ gifsicle --dither --use-col=bw poc -o output
gifsicle:poc:#0: read error: unknown block type 114 at file offset 25
gifsicle:poc: read error: image corrupted, min_code_size too big
gifsicle:poc: read error: image corrupted, code out of range (13 times)
gifsicle:poc: read error: missing 82455 pixels of image data
Segmentation fault
-------------------------------------------

Breakpoint 2, colormap_image_floyd_steinberg (gfi=0x555555790c50, all_new_data=0x555555792520 "", old_cm=0x555555790390, kd3=0x7fffffffdef0, histogram=0x7fffffffdae0) at quantize.c:1149
1149        if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
(gdb) p/x old_cm->col[*data].pixel
$83 = 0xdeadbeef
(gdb) list
1144                + (err[x+1].a[k] & ~(DITHER_ITEM2ERR-1)) / DITHER_ITEM2ERR;
1145            use.a[k] = KC_CLAMPV(v);
1146        }
1147
1148        e = old_cm->col[*data].pixel;
1149        if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
1150            *new_data = e;
1151        else
1152            *new_data = kd3_closest_transformed(kd3, &use, NULL);
1153        histogram[*new_data]++;

* At 1148, e was set to 0xdeadbeef, which was manipulated.
* This value is used to index the array kd3->ks at 1149, which causes a
* segmentation fault in this case.

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000555555568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffffffda02) at kcolor.h:110
110         int32_t d0 = x->a[0] - y->a[0], d1 = x->a[1] - y->a[1],
(gdb) bt
#0  0x0000555555568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffffffda02) at kcolor.h:110
#1  0x000055555556ca0e in colormap_image_floyd_steinberg (gfi=0x555555790c50, all_new_data=0x555555792520 "", old_cm=0x555555790390, kd3=0x7fffffffdef0, histogram=0x7fffffffdae0) at quantize.c:1149
#2  0x000055555556e19a in dither (gfi=0x555555790c50, new_data=0x555555792520 "", old_cm=0x555555790390, kd3=0x7fffffffdef0, histogram=0x7fffffffdae0, od=0x55555578dbc0 <active_output_data>) at quantize.c:1488
#3  0x000055555556e83f in colormap_stream (gfs=0x555555790330, new_cm=0x55555578e890, od=0x55555578dbc0 <active_output_data>) at quantize.c:1613
#4  0x000055555557bdd8 in do_colormap_change (gfs=0x555555790330) at gifsicle.c:904
#5  0x000055555557c1db in merge_and_write_frames (outfile=0x7fffffffe52d "output", f1=0, f2=-1) at gifsicle.c:1030
#6  0x000055555557c54d in output_frames () at gifsicle.c:1105
#7  0x000055555557f212 in main (argc=6, argv=0x7fffffffe1e8) at gifsicle.c:2173
-------------------------------------------

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information
poc
Description: Binary data
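Added illustration of the defect the gdb session points at (this is not gifsicle's code and is not part of the report). The C program below models the lookup at quantize.c:1148-1149 with simplified stand-in structures: a colormap entry carries a cached index (`pixel`) into the kd3 tree, and the hardened `lookup_checked` validates that index against the tree's size before it is used to subscript `ks` and `xradius`, falling back to a nearest-entry search otherwise, which is what the unguarded code skips. The struct layouts, `closest_linear` (a linear stand-in for `kd3_closest_transformed`), `cached_index_valid` and `demo` are constructed assumptions for the example; the sample data reuses the corrupted index value 0xdeadbeef seen in the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified models of the structures named in the backtrace
 * (old_cm->col[].pixel, kd3->ks[], kd3->xradius[]). Not gifsicle's definitions. */
typedef struct { int32_t a[3]; } kcolor;                    /* transformed color */
typedef struct { uint32_t pixel; } colormap_entry;          /* cached kd3 index */
typedef struct { colormap_entry *col; size_t ncol; } colormap;
typedef struct { kcolor *ks; int32_t *xradius; size_t nitems; } kd3_tree;

/* Squared distance in the transformed color space (same shape as kcolor.h:110). */
static int32_t kc_distance(const kcolor *x, const kcolor *y) {
    int32_t d0 = x->a[0] - y->a[0], d1 = x->a[1] - y->a[1], d2 = x->a[2] - y->a[2];
    return d0 * d0 + d1 * d1 + d2 * d2;
}

/* Linear stand-in for kd3_closest_transformed(): index of the nearest tree entry. */
static size_t closest_linear(const kd3_tree *kd3, const kcolor *use) {
    size_t best = 0;
    int32_t best_d = kc_distance(&kd3->ks[0], use);
    for (size_t i = 1; i < kd3->nitems; i++) {
        int32_t d = kc_distance(&kd3->ks[i], use);
        if (d < best_d) { best_d = d; best = i; }
    }
    return best;
}

/* The check missing in the reported path: a cached index that came from
 * file-controlled data must be in range before it subscripts ks/xradius. */
static int cached_index_valid(const kd3_tree *kd3, uint32_t e) {
    return e < kd3->nitems;
}

/* Hardened lookup: trust the cached index only when it is in range and the
 * cached entry lies within its radius; otherwise search for the nearest entry. */
static size_t lookup_checked(const colormap *cm, const kd3_tree *kd3,
                             uint8_t px, const kcolor *use) {
    if (px < cm->ncol) {
        uint32_t e = cm->col[px].pixel;
        if (cached_index_valid(kd3, e) &&
            kc_distance(&kd3->ks[e], use) < kd3->xradius[e])
            return e;
    }
    return closest_linear(kd3, use);
}

/* Constructed sample: a two-entry tree (black, white) and a colormap whose
 * second entry carries the corrupted cached index 0xdeadbeef from the report. */
static size_t demo(uint8_t px, int32_t r, int32_t g, int32_t b) {
    static kcolor ks[2] = { {{0, 0, 0}}, {{255, 255, 255}} };
    static int32_t xradius[2] = { 100, 100 };
    static colormap_entry col[2] = { {0u}, {0xdeadbeefu} };
    kd3_tree kd3 = { ks, xradius, 2 };
    colormap cm = { col, 2 };
    kcolor use = {{r, g, b}};
    return lookup_checked(&cm, &kd3, px, &use);
}

int main(void) {
    /* Pixel 1 has the corrupted cached index; the guarded lookup falls back
     * to the nearest entry (white, index 1) instead of reading out of bounds. */
    printf("pixel 1 -> tree entry %zu\n", demo(1, 250, 250, 250));
    printf("pixel 0 -> tree entry %zu\n", demo(0, 1, 1, 1));
    return 0;
}
```

The fallback path is the same one the original code already takes when the cached entry is too far away (line 1152), so validating the index adds no new behaviour beyond refusing an out-of-range subscript.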