[Secure-testing-team] Bug#881141: gifsicle: out of bound read while running gifsicle
Joonun Jang
joonun.jang at gmail.com
Wed Nov 8 06:12:26 UTC 2017
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security
out-of-bounds read while running gifsicle with the "gifsicle --dither --use-col=bw poc -o output" options
Running 'gifsicle --dither --use-col=bw poc -o output' with the attached file raises an out-of-bounds read,
which may allow a remote attacker to cause a denial of service or information disclosure
with a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows:
-------------------------------------------
june at yuweol:~/poc/gifsicle/crash2$ gifsicle --dither --use-col=bw poc -o output
gifsicle:poc:#0: read error: unknown block type 114 at file offset 25
gifsicle:poc: read error: image corrupted, min_code_size too big
gifsicle:poc: read error: image corrupted, code out of range (13 times)
gifsicle:poc: read error: missing 82455 pixels of image data
Segmentation fault
-------------------------------------------
Breakpoint 2, colormap_image_floyd_steinberg (gfi=0x555555790c50, all_new_data=0x555555792520 "",
old_cm=0x555555790390, kd3=0x7fffffffdef0, histogram=0x7fffffffdae0) at quantize.c:1149
1149 if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
(gdb) p/x old_cm->col[*data].pixel
$83 = 0xdeadbeef
(gdb) list
1144 + (err[x+1].a[k] & ~(DITHER_ITEM2ERR-1)) / DITHER_ITEM2ERR;
1145 use.a[k] = KC_CLAMPV(v);
1146 }
1147
1148 e = old_cm->col[*data].pixel;
1149 if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
1150 *new_data = e;
1151 else
1152 *new_data = kd3_closest_transformed(kd3, &use, NULL);
1153 histogram[*new_data]++;
* At 1148, e was set to 0xdeadbeef, which was manipulated.
* This value is used as an index into the array kd3->ks at 1149, which causes a
* segmentation fault in this case.
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x0000555555568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffffffda02) at kcolor.h:110
110 int32_t d0 = x->a[0] - y->a[0], d1 = x->a[1] - y->a[1],
(gdb) bt
#0 0x0000555555568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffffffda02) at kcolor.h:110
#1 0x000055555556ca0e in colormap_image_floyd_steinberg (gfi=0x555555790c50,
all_new_data=0x555555792520 "", old_cm=0x555555790390, kd3=0x7fffffffdef0,
histogram=0x7fffffffdae0) at quantize.c:1149
#2 0x000055555556e19a in dither (gfi=0x555555790c50, new_data=0x555555792520 "",
old_cm=0x555555790390, kd3=0x7fffffffdef0, histogram=0x7fffffffdae0,
od=0x55555578dbc0 <active_output_data>) at quantize.c:1488
#3 0x000055555556e83f in colormap_stream (gfs=0x555555790330, new_cm=0x55555578e890,
od=0x55555578dbc0 <active_output_data>) at quantize.c:1613
#4 0x000055555557bdd8 in do_colormap_change (gfs=0x555555790330) at gifsicle.c:904
#5 0x000055555557c1db in merge_and_write_frames (outfile=0x7fffffffe52d "output", f1=0, f2=-1)
at gifsicle.c:1030
#6 0x000055555557c54d in output_frames () at gifsicle.c:1105
#7 0x000055555557f212 in main (argc=6, argv=0x7fffffffe1e8) at gifsicle.c:2173
-------------------------------------------
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gifsicle depends on:
ii libc6 2.24-17
ii libx11-6 2:1.6.4-3
gifsicle recommends no packages.
gifsicle suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 84 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171108/5196e434/attachment.obj>
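The gdb session above shows an index chain that is never validated: an image byte selects a colormap entry, that entry's pixel slot selects a kd3->ks entry, and a poisoned slot value (0xdeadbeef) walks far outside the array. The following C program is an added illustration of the defensive shape of that lookup, not gifsicle's source or the upstream fix: the Color and Colormap types, checked_color_index, count_bad_indices, and the two-entry sample colormap and pixel data are all constructed here as stand-ins. It checks each derived index against the size of the array it selects from and counts the pixels that would have read out of bounds, which is the signal a decoder can use to refuse to dither a corrupt frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative stand-ins for the structures named in the report (NOT gifsicle's
 * real definitions): a colormap whose entries carry a "pixel" slot that the
 * quantizer later uses as an index into a k-d tree of target colours. */
typedef struct { uint8_t r, g, b; uint32_t pixel; } Color;
typedef struct { int ncol; const Color *col; } Colormap;

enum { IDX_OK = 0, IDX_BAD_PIXEL = -1, IDX_BAD_COLORMAP_SLOT = -2 };

/* Bounds-checked counterpart of the two lines at quantize.c:1148-1149 in the
 * backtrace: every index derived from file data is compared against the size
 * of the array it selects from before it is used. nks is the number of
 * entries in the k-d tree (the kd3->ks array in the report). */
static int checked_color_index(const Colormap *cm, int nks, uint8_t data, uint32_t *e_out)
{
    if ((int)data >= cm->ncol)          /* image byte names a colour that does not exist */
        return IDX_BAD_PIXEL;
    uint32_t e = cm->col[data].pixel;
    if (e >= (uint32_t)nks)             /* colormap slot does not name a k-d tree entry */
        return IDX_BAD_COLORMAP_SLOT;
    *e_out = e;
    return IDX_OK;
}

/* Walk a frame's index data and count how many pixels would have been used as
 * an out-of-range index. A non-zero result means the frame must not be
 * dithered with these tables. */
static size_t count_bad_indices(const Colormap *cm, int nks, const uint8_t *data, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t e;
        if (checked_color_index(cm, nks, data[i], &e) != IDX_OK)
            bad++;
    }
    return bad;
}

/* Constructed sample: a two-entry black/white colormap (as with --use-col=bw)
 * whose second entry carries the poison value seen in the gdb session, and a
 * handful of pixel bytes, some of which exceed ncol. */
static const Color sample_cols[2] = {
    {   0,   0,   0, 0          },
    { 255, 255, 255, 0xdeadbeef },
};
static const Colormap sample_cm = { 2, sample_cols };
static const int sample_nks = 2;                                /* k-d tree with two target colours */
static const uint8_t sample_data[6] = { 0, 1, 0, 5, 0, 200 };   /* 1 -> poison slot; 5, 200 -> beyond ncol */

int main(void)
{
    size_t bad = count_bad_indices(&sample_cm, sample_nks, sample_data, sizeof sample_data);
    printf("%zu of %zu pixels would index out of bounds\n", bad, sizeof sample_data);
    return bad ? 1 : 0;
}
```

On the constructed sample the scan reports 3 of 6 pixels as unsafe: one through the poisoned colormap slot and two through pixel bytes that exceed the colormap size, which is exactly the distinction between the "image corrupted" warnings in the report and the unchecked lookup that followed them.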