Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

double free while running gifsicle with the '--delay 50 poc poc -o output' option

Running 'gifsicle --delay 50 poc poc -o output' with the attached file raises a
double free, which may allow a remote attacker to cause a denial-of-service attack
or other unspecified impact with a crafted file.
I expected the program to terminate without a segfault, but the program crashes
as follows:

-------------------------------------------

june@yuweol:~/poc/gifsicle/crash1$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
Segmentation fault

-------------------------------------------

june@yuweol:~/poc/gifsicle/crash1$ ~/project/analyze/bins/gifsicle-1.90/src/gifsicle --delay 50 poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
=================================================================
==4607==ERROR: AddressSanitizer: attempting double-free on 0x611000000400 in thread T0:
    #0 0x7f519caaafd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x562d9a5a6de8 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
    #2 0x562d9a5b19db in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
    #3 0x562d9a5b2fe2 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
    #4 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
    #5 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
    #6 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
    #7 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x562d9a596da9 in _start (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0xfda9)

0x611000000400 is located 0 bytes inside of 207-byte region [0x611000000400,0x6110000004cf)
freed by thread T0 here:
    #0 0x7f519caaa8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x562d9a5b33ae in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c3ae)
    #2 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
    #3 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
    #4 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
    #5 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x7f519caaafd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x562d9a5a6de8 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
    #2 0x562d9a5b19db in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
    #3 0x562d9a5b2fe2 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
    #4 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
    #5 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
    #6 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
    #7 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0) in __interceptor_realloc
==4607==ABORTING

-------------------------------------------

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information

Attachment: poc
Description: Binary data