kohler / gifsicle

Create, manipulate, and optimize GIF images and animations
http://www.lcdf.org/gifsicle/
GNU General Public License v2.0

Bad gif can cause heap corruption #104

Closed strazzere closed 7 years ago

strazzere commented 7 years ago

This is reproducible every time and likely could lead to some bad things :)

gdb$ run
Starting program: /home/tstrazzere/repo/gifsicle/src/gifsicle -O2 ./destav.gif --output /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
gifsicle:./destav.gif:#0: read error: image corrupted, min_code_size too big
gifsicle:./destav.gif:#0: read error: image corrupted, code out of range (19 times)
gifsicle:./destav.gif:#0: read error: (not reporting more errors)
gifsicle:./destav.gif:#0: read error: missing 6528 pixels of image data
gifsicle:./destav.gif:#1: read error: image corrupted, min_code_size too big
gifsicle:./destav.gif:#1: read error: missing 1344 pixels of image data
gifsicle:./destav.gif:#2: read error: image corrupted, min_code_size too big
gifsicle:./destav.gif:#2: read error: image corrupted, code out of range (19 times)
gifsicle:./destav.gif:#2: read error: (not reporting more errors)
gifsicle:./destav.gif:#2: read error: missing 1214 pixels of image data
gifsicle: (plus more errors; is this GIF corrupt?)
gifsicle:./destav.gif: warning: some colors undefined by colormap
gifsicle: warning: too many colors, using local colormaps
  (You may want to try ‘--colors 256’.)

Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------------------------------------------------------------[regs]
  RAX: 0x01FFFFFFFFFF8651  RBX: 0x00007FFFF78B8620  RBP: 0x0000000000008011  RSP: 0x00007FFFFFFFE090  o d I t s z a P c 
  RDI: 0x0000000000000004  RSI: 0x0000000000020920  RDX: 0x0000000000000000  RCX: 0x00000000006559B0  RIP: 0x00007FFFF758D66F
  R8 : 0x0000000000000003  R9 : 0x00007FFFF6FCCE42  R10: 0x00000000001D4F3A  R11: 0x00000000000000C9  R12: 0x000000000064D9B0
  R13: 0x000000000064D9A0  R14: 0x0000000000008000  R15: 0x00007FFFF78B8678
  CS: 0033  DS: 0000  ES: 0000  FS: 0000  GS: 0000  SS: 002B                
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7ffff758d66f:  mov    QWORD PTR [rcx+0x8],rax
   0x7ffff758d673:  mov    eax,DWORD PTR [rip+0x32d1e3]        # 0x7ffff78ba85c
   0x7ffff758d679:  test   eax,eax
   0x7ffff758d67b:  je     0x7ffff758ce4e
   0x7ffff758d681:  jmp    0x7ffff758d193
   0x7ffff758d686:  nop    WORD PTR cs:[rax+rax*1+0x0]
   0x7ffff758d690:  mov    rcx,QWORD PTR [rip+0x32a7c9]        # 0x7ffff78b7e60
   0x7ffff758d697:  mov    rdi,QWORD PTR [rcx+0x18]
-----------------------------------------------------------------------------------------------------------------------------
0x00007ffff758d66f in ?? () from /lib/x86_64-linux-gnu/libc.so.6
gdb$ exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: f3ed2ff03b5faab5c181b0fe83d49707.3df60d3db13f33390cab654487329570
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: HeapError (10/22), AccessViolation (21/22)

destav.zip
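The three read errors in the log above (min_code_size too big, code out of range, missing N pixels) are the checks a GIF LZW decoder makes on the image data before it touches a pixel buffer. As an added example, not code from the gifsicle project or from this issue, here is a minimal bounds-checked GIF LZW decoder in C that reports each of those conditions and never writes past the pixel buffer it is given. It assumes the caller has already concatenated the image's data sub-blocks; the sample streams are constructed by hand for this note; and the 2..8 limit on min_code_size follows the GIF89a format (colour indices are one byte), not whatever threshold gifsicle's own reader applies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GIF_MAX_CODE_BITS 12                  /* GIF LZW codes never exceed 12 bits */
#define GIF_MAX_CODES     (1 << GIF_MAX_CODE_BITS)

enum lzw_status { LZW_OK = 0, LZW_BAD_MIN_CODE_SIZE, LZW_CODE_OUT_OF_RANGE, LZW_MISSING_PIXELS };

/* Read one LSB-first code of code_size bits; returns 0 when the stream is exhausted. */
static int read_code(const uint8_t *data, size_t len, size_t *bitpos, int code_size, int *code)
{
    if (*bitpos + (size_t)code_size > len * 8) return 0;
    unsigned v = 0;
    for (int i = 0; i < code_size; i++, (*bitpos)++)
        v |= (unsigned)((data[*bitpos >> 3] >> (*bitpos & 7)) & 1) << i;
    *code = (int)v;
    return 1;
}

/* Decode GIF image data (min_code_size byte, then the de-blocked code stream) into
 * exactly npixels colour indices. Never writes beyond out[npixels - 1]. */
int gif_lzw_decode(const uint8_t *data, size_t len, uint8_t *out, size_t npixels, size_t *produced)
{
    uint16_t prefix[GIF_MAX_CODES];
    uint8_t  suffix[GIF_MAX_CODES];
    uint8_t  stack[GIF_MAX_CODES + 2];        /* longest possible string plus the KwKwK extra byte */
    size_t n = 0, bitpos = 0;
    *produced = 0;
    if (len == 0) return LZW_MISSING_PIXELS;

    /* Check 1: min_code_size. Indices are one byte, so at most 8 bits; encoders use at least 2. */
    int min_code_size = data[0];
    if (min_code_size < 2 || min_code_size > 8) return LZW_BAD_MIN_CODE_SIZE;
    data++; len--;

    const int clear = 1 << min_code_size, eoi = clear + 1;
    int code_size = min_code_size + 1, next_code = clear + 2, prev = -1, code;

    while (n < npixels && read_code(data, len, &bitpos, code_size, &code)) {
        if (code == clear) { code_size = min_code_size + 1; next_code = clear + 2; prev = -1; continue; }
        if (code == eoi) break;
        /* Check 2: the code must already be in the table, or be the entry about to be
         * added (the KwKwK case), which only exists if there is a previous string. */
        if (code > next_code || (code == next_code && prev < 0)) { *produced = n; return LZW_CODE_OUT_OF_RANGE; }

        size_t sp = 0, hole = 0;
        int c = code;
        if (code == next_code) { hole = sp++; c = prev; }     /* output is string(prev) + first(prev) */
        while (c >= clear + 2) { stack[sp++] = suffix[c]; c = prefix[c]; }
        uint8_t root = (uint8_t)c;                            /* first character of the string */
        stack[sp++] = root;
        if (code == next_code) stack[hole] = root;
        while (sp > 0 && n < npixels) out[n++] = stack[--sp]; /* bounded copy into the pixel buffer */

        if (prev >= 0 && next_code < GIF_MAX_CODES) {         /* table entry: string(prev) + root */
            prefix[next_code] = (uint16_t)prev; suffix[next_code] = root; next_code++;
            if (next_code == (1 << code_size) && code_size < GIF_MAX_CODE_BITS) code_size++;
        }
        prev = code;
    }
    /* Check 3: EOI, exhausted bits, or a bad code before the image was filled. */
    *produced = n;
    return n == npixels ? LZW_OK : LZW_MISSING_PIXELS;
}

/* Constructed sample streams (min_code_size byte first, sub-blocks already joined). */
static const uint8_t ok_stream[]       = { 0x02, 0x8C, 0x23, 0x39, 0x05 }; /* CLEAR,1,6,1,2,9,3,EOI = pixels 1,1,1,1,2,2,2,3 */
static const uint8_t big_mcs_stream[]  = { 0x0C, 0x8C, 0x23, 0x39, 0x05 }; /* min_code_size 12: the first error in the log */
static const uint8_t bad_code_stream[] = { 0x02, 0x3C };                   /* CLEAR then code 7 while only 0..6 exist */
static const uint8_t short_stream[]    = { 0x02, 0x8C };                   /* valid stream cut after one byte of codes */

/* Helpers that return results instead of printing them. */
int lzw_status(const uint8_t *d, size_t len, size_t npixels)
{
    uint8_t out[64]; size_t produced = 0;
    return npixels <= sizeof out ? gif_lzw_decode(d, len, out, npixels, &produced) : -1;
}
size_t lzw_produced(const uint8_t *d, size_t len, size_t npixels)
{
    uint8_t out[64]; size_t produced = 0;
    if (npixels <= sizeof out) gif_lzw_decode(d, len, out, npixels, &produced);
    return produced;
}
int ok_stream_matches(void)
{
    static const uint8_t want[8] = { 1, 1, 1, 1, 2, 2, 2, 3 };
    uint8_t out[8]; size_t produced = 0;
    return gif_lzw_decode(ok_stream, sizeof ok_stream, out, 8, &produced) == LZW_OK && memcmp(out, want, 8) == 0;
}

int main(void)
{
    printf("valid stream:      %s\n", ok_stream_matches() ? "ok" : "mismatch");
    printf("min_code_size 12:  status %d\n", lzw_status(big_mcs_stream, sizeof big_mcs_stream, 8));
    printf("code out of range: status %d\n", lzw_status(bad_code_stream, sizeof bad_code_stream, 8));
    printf("truncated stream:  status %d, %zu of 8 pixels\n",
           lzw_status(short_stream, sizeof short_stream, 8), lzw_produced(short_stream, sizeof short_stream, 8));
    return 0;
}
```

This decoder stops at the first bad code. gifsicle's reader, as the log shows, reports the error and keeps going (19 "code out of range" errors on one frame, then "not reporting more errors"), so any bug in how the reader recovers after a bad code runs with a partially filled table and pixel buffer; the crash itself lands on a write inside libc, which is consistent with the HeapError tag rather than with the pixel write itself.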

kohler commented 7 years ago

Can't reproduce this either.

strazzere commented 7 years ago

That is because you've fixed it at a0a365136f44e5519f7f486b00a67387f641d0e8