Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security
Out-of-bounds read while running gifsicle with the "gifsicle --dither --use-col=bw poc -o output" option
Running 'gifsicle --dither --use-col=bw poc -o output' with the attached file
raises an out-of-bounds read, which may allow a remote attacker to cause a
denial of service or information disclosure with a crafted file.
I expected the program to terminate without a segfault, but the program crashes
as follows:
---
june@yuweol:~/poc/gifsicle/crash2$ gifsicle --dither --use-col=bw poc -o output
gifsicle:poc:#0: read error: unknown block type 114 at file offset 25
gifsicle:poc: read error: image corrupted, min_code_size too big
gifsicle:poc: read error: image corrupted, code out of range (13 times)
gifsicle:poc: read error: missing 82455 pixels of image data
Segmentation fault
---
Breakpoint 2, colormap_image_floyd_steinberg (gfi=0x55790c50, all_new_data=0x55792520 "",
    old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0) at quantize.c:1149
1149	    if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
(gdb) p/x old_cm->col[*data].pixel
$83 = 0xdeadbeef
(gdb) list
1144	            + (err[x+1].a[k] & ~(DITHER_ITEM2ERR-1)) / DITHER_ITEM2ERR;
1145	        use.a[k] = KC_CLAMPV(v);
1146	    }
1147
1148	    e = old_cm->col[*data].pixel;
1149	    if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
1150	        *new_data = e;
1151	    else
1152	        *new_data = kd3_closest_transformed(kd3, &use, NULL);
1153	    histogram[*new_data]++;
* At 1148, e was set to 0xdeadbeef, which was manipulated.
* This value is used as an index into the array kd3->ks at 1149, which causes
* a segmentation fault in this case.
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x55568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffda02) at kcolor.h:110
110	    int32_t d0 = x->a[0] - y->a[0], d1 = x->a[1] - y->a[1],
(gdb) bt
#0  0x55568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffda02) at kcolor.h:110
#1  0x5556ca0e in colormap_image_floyd_steinberg (gfi=0x55790c50, all_new_data=0x55792520 "", old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0) at quantize.c:1149
#2  0x5556e19a in dither (gfi=0x55790c50, new_data=0x55792520 "", old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0, od=0x5578dbc0 ) at quantize.c:1488
#3  0x5556e83f in colormap_stream (gfs=0x55790330, new_cm=0x5578e890, od=0x5578dbc0 ) at quantize.c:1613
#4  0x5557bdd8 in do_colormap_change (gfs=0x55790330) at gifsicle.c:904
#5  0x5557c1db in merge_and_write_frames (outfile=0x7fffe52d "output", f1=0, f2=-1) at gifsicle.c:1030
#6  0x5557c54d in output_frames () at gifsicle.c:1105
#7  0x5557f212 in main (argc=6, argv=0x7fffe1e8) at gifsicle.c:2173
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500,
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gifsicle depends on:
ii libc6 2.24-17
ii libx11-6 2:1.6.4-3
gifsicle recommends no packages.
gifsicle suggests no packages.
-- no debconf information
poc
Description: Binary data
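Editor's added example (not gifsicle's code and not part of the report above): a minimal C model of the lookup at quantize.c:1148-1149 with the bounds check a practitioner would add. The cached index old_cm->col[*data].pixel comes from the input file, so it is validated against the size of kd3->ks before kd3->ks[e] is touched, and out-of-range values fall through to the nearest-color search instead of being dereferenced. The struct and function names (kcolor, kd3_tree, colormap, kd3_closest, nitems), the constructed black/white palette, the distance metric and the xradius values are assumptions modelled on the identifiers in the backtrace; upstream's actual fix may differ.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed types modelled on the backtrace; not gifsicle's definitions. */
#define KD3_NITEMS 2   /* --use-col=bw: two-entry black/white target palette */
#define OLDCM_NCOL 2   /* constructed source colormap */

typedef struct { int16_t a[3]; } kcolor;

typedef struct {
    kcolor   ks[KD3_NITEMS];      /* target palette in transformed color space */
    uint32_t xradius[KD3_NITEMS]; /* per-entry acceptance radius (squared) */
    int      nitems;
} kd3_tree;

typedef struct { uint32_t pixel; } color_entry; /* .pixel: cached index into kd3->ks */
typedef struct { color_entry col[OLDCM_NCOL]; int ncol; } colormap;

static uint32_t kc_distance(const kcolor *x, const kcolor *y)
{
    int32_t d0 = x->a[0] - y->a[0], d1 = x->a[1] - y->a[1], d2 = x->a[2] - y->a[2];
    return (uint32_t)(d0 * d0 + d1 * d1 + d2 * d2);
}

/* Brute-force nearest entry; stands in for kd3_closest_transformed(). */
static int kd3_closest(const kd3_tree *kd3, const kcolor *c)
{
    int best = 0;
    uint32_t bestd = kc_distance(&kd3->ks[0], c);
    for (int i = 1; i < kd3->nitems; i++) {
        uint32_t d = kc_distance(&kd3->ks[i], c);
        if (d < bestd) { bestd = d; best = i; }
    }
    return best;
}

/* Shape of the code in the report: 'e' comes from the file's colormap and is
 * used directly as an index. With e == 0xdeadbeef this reads gigabytes past
 * ks, which is the SIGSEGV in kc_distance. Only called with a sane index here. */
static int lookup_unchecked(const colormap *old_cm, uint8_t data,
                            const kd3_tree *kd3, const kcolor *use)
{
    uint32_t e = old_cm->col[data].pixel;
    if (kc_distance(&kd3->ks[e], use) < kd3->xradius[e])
        return (int)e;
    return kd3_closest(kd3, use);
}

/* Hardened variant: both the pixel value and the cached .pixel index are
 * untrusted; anything out of range goes to the nearest-color search. */
static int lookup_checked(const colormap *old_cm, uint8_t data,
                          const kd3_tree *kd3, const kcolor *use, int *fell_back)
{
    *fell_back = 1;
    if (data >= old_cm->ncol)            /* pixel names a missing colormap entry */
        return kd3_closest(kd3, use);
    uint32_t e = old_cm->col[data].pixel;
    if (e >= (uint32_t)kd3->nitems)      /* cached index not valid for this kd3 */
        return kd3_closest(kd3, use);
    if (kc_distance(&kd3->ks[e], use) < kd3->xradius[e]) {
        *fell_back = 0;
        return (int)e;
    }
    return kd3_closest(kd3, use);
}

/* Constructed fixture: bw palette, one sane and one corrupted source entry. */
static void build_fixture(kd3_tree *kd3, colormap *cm)
{
    kd3->nitems = KD3_NITEMS;
    kd3->ks[0] = (kcolor){{0, 0, 0}};              /* black */
    kd3->ks[1] = (kcolor){{255, 255, 255}};        /* white */
    kd3->xradius[0] = kd3->xradius[1] = 100 * 100; /* accept within distance 100 */
    cm->ncol = OLDCM_NCOL;
    cm->col[0].pixel = 1;                          /* sane: maps to white */
    cm->col[1].pixel = 0xdeadbeef;                 /* corrupted, as in the report */
}

static const kcolor use_near_white = {{250, 250, 250}}; /* value after error diffusion */

int checked_index(uint8_t data)
{
    kd3_tree kd3; colormap cm; int fb;
    build_fixture(&kd3, &cm);
    return lookup_checked(&cm, data, &kd3, &use_near_white, &fb);
}

int checked_fell_back(uint8_t data)
{
    kd3_tree kd3; colormap cm; int fb;
    build_fixture(&kd3, &cm);
    (void)lookup_checked(&cm, data, &kd3, &use_near_white, &fb);
    return fb;
}

int unchecked_index_sane(void)
{
    kd3_tree kd3; colormap cm;
    build_fixture(&kd3, &cm);
    return lookup_unchecked(&cm, 0, &kd3, &use_near_white); /* index 1 is in range */
}

int main(void)
{
    printf("sane entry (unchecked): -> %d\n", unchecked_index_sane());
    printf("sane entry:             -> %d fallback=%d\n", checked_index(0), checked_fell_back(0));
    printf("0xdeadbeef entry:       -> %d fallback=%d\n", checked_index(1), checked_fell_back(1));
    printf("missing entry (7):      -> %d fallback=%d\n", checked_index(7), checked_fell_back(7));
    return 0;
}
```

The two checks cover both failure modes visible in the report: the "missing 82455 pixels" error means pixel bytes may name colormap entries that do not exist, and the 0xdeadbeef value shows the cached .pixel index itself cannot be trusted once the image is corrupted.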