oss-sec mailing list archives

Re: Heapoverflow in giflib5.1.4


From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 13 Sep 2016 12:24:23 -0700

On Tue, Sep 13, 2016 at 06:55:08PM +0200, Hanno Böck wrote:
> Two notes:
> * This is a bug *only* in the gif2rgb command line tool, not in giflib
>   itself.
> * I reported this before. The giflib maintainer claimed multiple times
>   that he has fixed it, yet he hasn't. See:
> https://sourceforge.net/p/giflib/bugs/79/

Hanno, can you still reproduce this issue? I followed your excellent
reproducer script and I don't get any ASAN warnings. If you still get ASAN
warnings this may indicate the source of the confusion.

Thanks

ubuntu@x1:~$ git clone --depth=1 git://git.code.sf.net/p/giflib/code giflib-code
Cloning into 'giflib-code'...
remote: Counting objects: 149, done.
remote: Compressing objects: 100% (147/147), done.
remote: Total 149 (delta 22), reused 10 (delta 0)
Receiving objects: 100% (149/149), 389.03 KiB | 0 bytes/s, done.
Resolving deltas: 100% (22/22), done.
Checking connectivity... done.
ubuntu@x1:~$  cd giflib-code/
ubuntu@x1:~/giflib-code$ CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" ./autogen.sh
Warning: This script will run configure for you -- if you need to pass
  arguments to configure, please give them as arguments to this script.
aclocal: warning: couldn't open directory 'm4': No such file or directory
configure.ac:14: installing './ar-lib'
configure.ac:14: installing './compile'
configure.ac:15: installing './config.guess'
configure.ac:15: installing './config.sub'
configure.ac:5: installing './install-sh'
configure.ac:5: installing './missing'
Makefile.am: installing './INSTALL'
parallel-tests: installing './test-driver'
lib/Makefile.am: installing './depcomp'
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
[...]
configure: creating ./config.status
config.status: creating util/Makefile
config.status: creating lib/Makefile
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating pic/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
ubuntu@x1:~/giflib-code$ make -j
make  all-recursive
make[1]: Entering directory '/home/ubuntu/giflib-code'
Making all in lib
make[2]: Entering directory '/home/ubuntu/giflib-code/lib'
  CC       dgif_lib.lo
  CC       gif_font.lo
  CC       egif_lib.lo
  CC       gif_hash.lo
  CC       gifalloc.lo
  CC       openbsd-reallocarray.lo
  CC       gif_err.lo
  CC       quantize.lo
  CCLD     libgif.la
ar: `u' modifier ignored since `D' is the default (see `U')
make[2]: Leaving directory '/home/ubuntu/giflib-code/lib'
Making all in util
make[2]: Entering directory '/home/ubuntu/giflib-code/util'
  CC       getarg.o
  CC       gif2rgb.o
  CC       qprintf.o
  CC       gifbuild.o
  CC       gifecho.o
  CC       gifinto.o
  CC       giftext.o
  CC       giftool.o
  CC       gifclrmp.o
  CC       giffix.o
  CC       gifbg.o
  CC       gifcolor.o
  CC       giffilter.o
  CC       gifsponge.o
  CC       gifhisto.o
  CC       gifwedge.o
  AR       libgetarg.a
ar: `u' modifier ignored since `D' is the default (see `U')
  CCLD     gif2rgb
  CCLD     gifecho
  CCLD     giffix
  CCLD     giftext
  CCLD     gifinto
  CCLD     giftool
  CCLD     gifbg
  CCLD     gifclrmp
  CCLD     gifcolor
  CCLD     giffilter
  CCLD     gifsponge
  CCLD     gifwedge
  CCLD     gifhisto
  CCLD     gifbuild
make[2]: Leaving directory '/home/ubuntu/giflib-code/util'
Making all in pic
make[2]: Entering directory '/home/ubuntu/giflib-code/pic'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/ubuntu/giflib-code/pic'
make[2]: Entering directory '/home/ubuntu/giflib-code'
make[2]: Leaving directory '/home/ubuntu/giflib-code'
make[1]: Leaving directory '/home/ubuntu/giflib-code'
ubuntu@x1:~/giflib-code$ wget https://sourceforge.net/p/giflib/bugs/79/attachment/gif2rgb-oob-heap-read.gif
--2016-09-13 19:19:27--  https://sourceforge.net/p/giflib/bugs/79/attachment/gif2rgb-oob-heap-read.gif
Resolving sourceforge.net (sourceforge.net)... 216.34.181.60
Connecting to sourceforge.net (sourceforge.net)|216.34.181.60|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20 [image/gif]
Saving to: ‘gif2rgb-oob-heap-read.gif’

gif2rgb-oob-heap-read.gif    100%[=============================================>]      20  --.-KB/s    in 0s

2016-09-13 19:19:27 (2.73 MB/s) - ‘gif2rgb-oob-heap-read.gif’ saved [20/20]

ubuntu@x1:~/giflib-code$  util/gif2rgb gif2rgb-oob-heap-read.gif
Background color out of range for colormap
ubuntu@x1:~/giflib-code$ 
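The "Background color out of range for colormap" line at the end of the session above is a range check refusing the crafted file before any palette entry is read. As an added illustration, not code from giflib or from either poster, here is a minimal C version of that kind of check on a heap-allocated palette: a GIF header carries the background colour as a single byte (0..255) while the global colour map may hold far fewer entries, so indexing the palette with the raw byte is a heap out-of-bounds read unless the index is validated first. The `Palette`, `lookup_background` and `try_lookup` names are my own, and the two-entry palette probed with index 200 is constructed sample data.

```c
/* Added illustration, not giflib's code: a heap palette and the bounds check
 * that keeps a header-supplied background index inside it. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { unsigned char r, g, b; } Rgb;

typedef struct {
    int  count;   /* number of valid palette entries */
    Rgb *colors;  /* heap array of exactly `count` entries */
} Palette;

/* Builds a small palette on the heap (constructed sample data: entry i has r == i). */
static Palette *palette_new(int count) {
    Palette *p = malloc(sizeof *p);
    if (p == NULL) return NULL;
    p->count = count;
    p->colors = calloc((size_t)count, sizeof *p->colors);
    if (p->colors == NULL) { free(p); return NULL; }
    for (int i = 0; i < count; i++) p->colors[i].r = (unsigned char)i;
    return p;
}

static void palette_free(Palette *p) {
    if (p == NULL) return;
    free(p->colors);
    free(p);
}

/* Pure form of the check: a background index is valid only in [0, color_count). */
int background_in_range(int color_count, int background_index) {
    return background_index >= 0 && background_index < color_count;
}

/* Copies the background colour into *out and returns 0, or returns -1 when the
 * index is outside the palette. Without this test, p->colors[index] with a
 * two-entry palette and index 200 reads well past the allocation; built with
 * -fsanitize=address that is reported as a heap-buffer-overflow read. */
int lookup_background(const Palette *p, int index, Rgb *out) {
    if (p == NULL || p->colors == NULL) return -1;
    if (!background_in_range(p->count, index)) {
        fprintf(stderr, "Background color out of range for colormap\n");
        return -1;
    }
    *out = p->colors[index];
    return 0;
}

/* Builds a palette of `count` entries, looks up `index`, and returns the
 * lookup's status (0 = accepted, -1 = rejected or allocation failure). */
int try_lookup(int count, int index) {
    Palette *p = palette_new(count);
    if (p == NULL) return -1;
    Rgb c;
    int rc = lookup_background(p, index, &c);
    palette_free(p);
    return rc;
}

int main(void) {
    /* Constructed: two-colour palette, first with a valid index, then with the
     * out-of-range byte value a crafted header can carry. */
    printf("index 1 of 2:   %s\n", try_lookup(2, 1) == 0 ? "accepted" : "rejected");
    printf("index 200 of 2: %s\n", try_lookup(2, 200) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Compiling this with `-fsanitize=address -g` and temporarily deleting the `background_in_range` test inside `lookup_background` is the quickest way to see what the transcript above does not show: ASan flags the `index 200` lookup as a heap read past the 6-byte `colors` allocation, which is exactly the class of report the range check is there to prevent.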
